Why Samsung's fingerprint sensor needs to face the same scrutiny as Apple's Touch ID

Last week the new Galaxy S5 was introduced and, along with it, Samsung's take on the fingerprint identity sensor. Apple, of course, introduced the Touch ID fingerprint identity scanner alongside the iPhone 5s back in September of 2013. From launch, Touch ID received considerable scrutiny over not only its implications but its implementation as well, and not only by the media, but by security researchers and the U.S. government. So, roughly 3 nano-seconds after the Galaxy S5 was swiped on stage, Apple enthusiasts began wondering out loud just when exactly that same scrutiny and attention would hit Samsung. Some felt it wouldn't and that that was unfair. Others felt it wouldn't and that that's perfectly reasonable. My take is that it has to, and not just for the sake of Apple/Samsung fairness, but for consumer confidence and the technology moving forward.

Apple didn't get a letter from a U.S. Senator the moment they announced Touch ID. It took until launch day a week and a half later. Nor did articles showing supposed hacks or spoofs proliferate through the media the same day as the keynote. It took until the iPhone 5s got into people's hands again a week and a half or more later. Samsung has only just announced the Galaxy S5. They haven't shipped it. They haven't even announced a price or put it up for order. People who just want to get on the attention train will wait for launch to make the biggest splash possible. People who just want to audit the security will have to wait to get their own units before they can even start. Unless and until that happens, it's impossible to say what the scrutiny level will be.

Now the HTC One Max shipped with a fingerprint scanner back in October of 2013 and it didn't get anywhere near the scrutiny of Apple's Touch ID. Likewise, Motorola shipped the Atrix back in 2011 and never saw anything like it. But here's the thing: Apple enjoys far greater popularity and attention than any of those companies and the iPhone than any of those products. They weren't front page fodder the way Apple is. And maybe the way Samsung is now as well, or should be.

Part of the narrative for Samsung's fingerprint sensor includes the idea of it "doing more" than Apple's Touch ID. For example, it works in partnership with PayPal and offers developers a way to interface with it. Touch ID does not. That's often how Apple works. Introduce something. Use it internally. Work out any kinks. Then — Siri notwithstanding — push it out to developers. Apple wants its APIs to be as solid as possible and you better believe they want the process of handing off Touch ID tokens to be nigh-invulnerable before they let them get anywhere out of Apple's chain.

It's a security-first approach and it makes sense when you're attempting to mainstream a technology like biometrics. When Touch ID launched, Apple not only described how it worked on stage but put up several articles on the web detailing the authentication and authorization process as well. (Following Samsung's announcement, Apple has released even more detailed information about Touch ID's implementation.)

I've not been able to find anything similar about the Galaxy S5 fingerprint scanner on Samsung's website. I have no idea what their security chain is or how their sensor works. Is there a secure enclave on their chipset? It seems unlikely since they'll be using two different chipsets, one of which is generic and made by Qualcomm. Will every Samsung sensor be uniquely paired with its chipset and cease functioning if the hardware is swapped? Again, given the manufacturing choices, it seems unlikely. How is the fingerprint data captured? How is it stored? How is it released to Samsung's own apps? To PayPal? To third parties?

I know the time and consideration Apple put into Touch ID, the details they sweated to not only keep the process offline but physically inaccessible to the software in any way beyond the yes/no token. I'd very much like to know the same thing about Samsung's sensor.

Right now the Galaxy S5 gets a free ride on Touch ID's wave. Mainstream media and customers alike will simply think it's the same thing, assume it works just as well, and Samsung will benefit from Apple's priming of the market. But only if it really does work just as well.

That's why I'd like to see a letter from a U.S. senator on Galaxy S5 launch day. I'd like to see security experts and CSIs try to crack, hack, and spoof the hell out of it the way they did Touch ID. I'd like to know if it's vulnerable to software attacks or if someone with a Batcave worth of gear could trick it with a fake fingerprint. I'd like to see all of that reported on with every bit the ferocity Touch ID experienced.

Because the Galaxy S5, like the iPhone 5s, will sell in the hundreds of millions. I have friends who are going to buy it and be every bit as excited about their fingerprint sensor as I am about Touch ID. If it's just too fussy to work reliably and they abandon it, that's fine and that's one thing. If it turns out to be insecure, that's something else entirely.

That's something that'll get headlines. Apple and Touch ID will get lumped into those headlines. I'll get panicked calls. And rightly so.

We're at an incredibly exciting point in mobile — the contextual awakening is coming. Ubiquitous mobile payments are coming. Technology is going to change quickly and that's going to require a lot of faith and a lot of confidence from consumers. If an antenna misfiring is annoying, your wallet getting dropped will be cataclysmic.

It not only serves Samsung's best interests, it not only serves Apple's best interests, it not only serves every geek futurist's best interests, but it serves the mainstream consumer electronic customer's best interests for the Galaxy S5's fingerprint identity scanner to either be terrific, or be kicked so hard, so fast, that Samsung has no choice but to make it terrific or risk ceding the market to those who can.

For a different, smart take on Galaxy S5 fingerprint sensor scrutiny check out Guy English's piece on Kickingbear.

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, Review, The TV Show, Vector, ZEN & TECH, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.


Reader comments


Great piece Rene, personally I won't share my fingerprint with any device that can connect to the internet. Same reason why I won't give the government or any parties (airports) etc personal information that I don't absolutely have to for convenience's sake. Not because I'm a criminal, but for the principle of the matter.

I wouldn't be surprised if Samsung admits it stores the fingerprint data as 2400dpi graphic image files that can be downloaded from the root folder of its MicroSD card. ;)

Good work Rene. Apple claims to make superior products which I believe they do. Something as important as Touch ID should be examined closely. Any manufacturer that wants consumers to use security features such as Touch ID should be subject to the same examinations as Apple. The examinations should be the same for all and reasonable. One example of defeating Apple's Touch ID was the lifting of a fingerprint from an object then using it to gain access past Touch ID. Can it be done? Yes. Is it a reasonable expectation that it would happen? Not by most thieves.

As we move more into using our smartphones more for electronic payment systems such as Passbook it becomes imperative that we can do so without fear that those systems will be hacked and our accounts drained dry. These fears must be reasonable. Any system can be thwarted given someone with enough talent and resources. That said, it should take extraordinary measures to do so.

If Samsung wants to be considered as a high end technical leader in the industry they should expect the same scrutiny as Apple. Will that happen? I don't believe so. Any Apple miscue is reported, examined, and dissected from major news outlets such as CNN and Wall Street Journal but I honestly can't recall them giving any such attention to other manufacturers.

Apple has been the standard against which others are measured. That comes with being the top dog. It's the price one pays for being at the top. The day may come when some other company is at the top. If so I can only hope that they will be treated the same as Apple has been.

Just because Apple gets scrutiny doesn't mean Samsung should. From what I've read Samsung has made no claim of above average security. Yes it would be nice to be made aware of exactly how Samsung is storing biometrics data but I am pretty certain that it gets at least the same treatment as a pass code. So it's encrypted and is never passed to an app. The normal security that your average user needs. It's just enough that an attacker would need to put more effort into it than it's worth. Apple set themselves up for scrutiny by claiming above average security, Samsung didn't.

So we should give Samsung a pass because we know they're mediocre? Huh, you may be on to something there. ;)

Also, trying to find any reference or inference to "above average security" in Apple's press release announcing the iPhone 5s, and coming up short. Starting to think your entire argument is a straw man.

Hahaha Peter. It just goes to show that Apple is the superior choice because of exactly how much they are scrutinized and bombed in the media. Android rarely gets the same treatment because it's not even close to being on the same level as Apple or iOS. Apple has become the Litmus test that everything else is compared against.

Sent from the iMore App

You're right Apple never claimed to have above average security, but their tone implied it. They detailed the inner workings of their sensor (something Apple is known for not doing) showing off their chip/sensor pairing, emphasizing the "secure enclave," doing everything they could to prove that theirs is the most secure, which it may well be. It's just not the information the average user needs and it's odd behavior for Apple.

My point was that Samsung didn't bother to explain their system because it's the standard way of doing it. So why should we scrutinize a system that is used by everyone other than Apple? If Samsung came out and said that they had a new way of doing it which ensured security then they should be scrutinized because it's untested. We already know how to hack Samsung's sensor because it's the same sensor system on the HTC One Max and on the Motorola Atrix and on my crappy laptop. (As a note I don't actually know what system Samsung uses I just assume it's the same as other phones because I don't see Samsung making something that innovative)

Edit: I think Apple did the right thing detailing as much as they did. It let security experts know that there was something different going on and that scrutiny was needed.

I think you make a good point as to why Apple chose to release some info beyond their traditional limit. I would like to add that at the time of the 5S's release, there was quite a bit of fuss going on over the NSA and its surveillance of US citizens at home. I think Apple said what they did so as not to be harmed (in terms of sales of the 5S) by people's fears about government spying. Further, the Senator(s) asking questions, was in my opinion, nothing more than politicians trying to take credit and deflect criticism as the info about the spying surfaced under their watch.

My point wasn't the type of technology but the scale of deployment. When things hit the mainstream, the heat of the spotlight can and should go up.

It's in everyone's best interests, especially for something as new and potentially controversial as popular biometrics.

Biometrics technology should be scrutinized because it is becoming a major part of our lives but I don't think Samsung should be given undue attention for using already tested and understood systems. We're not going to scrutinize Touch ID again when the next iPhone comes out unless it's changed in a significant way. So why should Samsung get scrutiny for something that has already been scrutinized by the security community, albeit in a less public fashion than Apple. Scrutiny for scrutiny's sake is a waste of time. Now if Samsung is using a non standard method of storing/processing prints then there's place for scrutiny. If scale is leading to poor security on Samsung's system then there's place for scrutiny.

If it had an SDK, for example, I'd sure hope Touch ID gets scrutinized.

Right now I don't know what Samsung is using, but I'd sure like to. Especially because of the SDK.

Why assume when we can learn and understand?

You're right. Assuming shouldn't be sufficient for us, but scrutiny isn't the only way to learn. Soon enough we'll know how the GS5 works. The SDK is already available and I'd venture a guess that it uses a standard method of handling the underlying data. I don't see Samsung inventing anything new, so I don't see the need for mass scrutiny. If a tear down shows anything different than standard then scrutiny is warranted.

Samsung's sensor is an entirely different beast than Touch ID. Touch ID was a fundamental rethinking of how a fingerprint sensor should operate thus warranted added scrutiny. Samsung is less ambitious and prefers to stick with the standard, it's cheaper and safer for their reputation. It is also already tested and doesn't warrant additional scrutiny.

If you want to lift Samsung to the same level as Apple and call all their imitations innovations feel free, but it's not worth your time. Their stuff is off the shelf and anticipated, not innovation. We know how it works before we have it.

I think your thinking of this is all wrong. Just because we're used to Samsung releasing sub par software and hardware doesn't mean their implementation of biometrics shouldn't be scrutinized. The big thing is that Samsung could ruin the tech before it even gets a chance to get started as people will simply assume it works well like Apple's. I just don't understand your logic that Apple invites this kind of scrutiny because it brags (this is what I assume you meant by your comments) about how far it went to protect its users and Samsung shouldn't since they really didn't care and simply just implemented a fingerprint scanner as a check mark feature (we really don't know, but like you I'm inclined to believe Samsung didn't think about securing their users the same way Apple did). To me if you're going to take on a security feature then you better take it seriously and I just don't think they are. Millions will buy this phone and if it is a feature and nothing more they really can damage the entire market. To each their own I guess, but as for me I wouldn't still be using Touch ID if I didn't know the extreme lengths Apple went to protect me. I guess it comes down to the people that use Samsung's phones to decide if they did enough and if they should be trusted, but as for me I take security seriously and it's great to see that Apple take their role seriously as well before they release a feature like this. We live in a crazy world.

I'm not saying that Samsung's implementation of fingerprint scanning is insecure or sub par. I am saying that Samsung uses off the shelf solutions rather than innovating and making better solutions. Since it's an off the shelf solution (this hasn't been confirmed yet but is almost certain) it has already been scrutinized by security experts. That is why it doesn't need or deserve further scrutiny.

Also I have no problem with Apple bragging about their solution and honestly they would have been irresponsible for not going into detail, but by going into detail and making it very public that they had created their own solution they opened themselves up to public scrutiny. Whenever you build your own security mechanism it must be scrutinized by as many security experts as possible to ensure any vulnerabilities are found and fixed. Honestly Apple's approach to securing Touch ID is overboard, but too much is better than too little.

To clarify. Apple got scrutiny because of the NSA debacle and because they built a new security system. Samsung shouldn't be put through the same scrutiny because their solution (most likely) is a tested standard with recommended minimum security. Of course if Samsung's solution proves to be a new or modified solution then it needs to be scrutinized to ensure security.

Yes, great piece indeed. Well done, Rene.

Very strong and classy .... I could've not said all those better myself .... without using a few hundred F words! ;)

"Now the HTC One Max shipped with a fingerprint scanner back in October of 2013 ..."

HTC is still around? Still banging their heads against the smartphone market brick wall?
Oh wait. That was last October. Maybe they're dead *now*. Anybody check recently?

"Technology is going to change quickly and that's it's going to require a lot of faith and lot of confidence from consumers."

That's why Apple is spending so much time, money, blood, sweat, and tears on Touch ID and Secure Enclave. And why they've eaten their own dog food by rolling out EasyPay and iBeacons in their own Apple Stores. Because if you get it right you'll own the ubiquitous mobile payments market. Get it wrong and you're the next Target. Literally.

Kind of sad you don't know who makes phones in the smartphone industry. It makes me wonder what other common facts you aren't aware of.

The fact of the matter is that we don't know how Touch ID works because we haven't seen the source code. And until the source code is released nobody should claim it's secure, period.

As fanboys it's excusable to trust in Apple. However, professional software engineers and security auditors aren't trained to be naive, especially with respect to marketing materials and press releases.

Who knows if there's another goto fail bug hiding in Touch ID? We have a saying in the open source community, "show me the code." As far as I'm concerned Samsung's fingerprint tech is about as secure as Apple's. And that's not saying much.

Goto Fail was in open source code.

In theory open source is nice because more people can audit the code. In practice security researchers can and do attack plenty of closed source code.

Samsung should not get a "pass" for this. Every single tech writer that criticized Apple for Touch ID should be just as critical of Samsung's offering. The same ones that ripped IP5S are surprisingly quiet right about now. Crazy...

Sent from the iMore App

I think Apple get more attention because the US user base is both large & aspirational. Samsung should get similar attention. Anything which encourages better security practice helps.
Purchasing should really be two factor; it involves more hassle, but we need the protection.

Wow: "roughly 3 nano-seconds" Did the users get a speed bump as well Rene?

Great article Rene.

Samsung SHOULD receive more scrutiny over their fingerprint scanner simply because their answer to Apple's "security-first" approach was "we can do a lot more." It remains to be seen whether they can do more, securely!

When the iPhone 5S was announced, Apple gave more information than the average user would care to receive about the implementation of the fingerprint sensor. Apple felt it was of the utmost importance to make it as secure as possible. It is limited but secure.

More information will certainly surface about Samsung's implementation in the following weeks. But there is a serious danger for Samsung here. No, it's not about the initial reaction that Samsung's sensor technology is more anachronistic (After Touch ID, swiping for a fingerprint scan is not cool anymore). Unlike Apple, Samsung does not take its time to bring new technologies to production. If the implementation of the S5 fingerprint sensor is not secure, there will be serious repercussions. Actually, it will be a PR disaster.

Nice piece, but the verdict is already out on Samsung's fingerprint reader. It's not implemented well, and is an actual hassle to use. Much like HTC's implementation.

Sent from the iMore App

Fingerprint scanners have been around for a while. Moto Atrix had it way before Apple did. Apple doesn't do everything first, I know as hard as that is to believe.

Sent from the iMore App

I would put forth though, that the S5 and One Max, once rooted, will allow people to see for themselves where the fingerprint data goes. With the 5S, you just have to trust that Apple isn't doing anything with it. Yes, there is a jailbreak, but afaik it's harder to see if it's in an iCloud backup or not, as Apple's background processes that may touch the fingerprint are obscure, and you can't really know what they're doing, while the One Max and S5 you can see more.

Apple has close to 50% smartphone marketshare in the US and Samsung has about 25%, and yet they should receive the same scrutiny? Right.....

Ask yourself why didn't the Motorola Atrix receive any scrutiny, yet the iPhone 5s did...

I should note the article does explain why one phone gets scrutiny over another, but basically Samsung and any of the Galaxy S series have nowhere near the penetration of the iPhone 5S

Maybe because it isn't as easily tripped as Touch ID was? Or the fact Samsung is opening it up to more 3rd parties to take advantage of it?

Or that it's Samsung and Android which everyone likes to bash as being so insecure so people just don't expect this fingerprint scanner to be secure either.

Sent from the iMore App

That's all cool but I'm still waiting for the genius who can crack my 8 number and alphabet password. Bring it.

First off, a quick question about Samsung stuff... Why do I always feel like I'm gonna break it?

With that question for the ages out of the way... I don't think Sammy had any business including the thing on this machine. We all know that they gave zero consideration to user safety and security, so all they really did was create a trap.

Samsung: "Here, unsuspecting user that got shoveled a thing by some dude at a carrier store. Use this 'nice feature' that will make your telephone experience 'more secure.'"

User: "Why did you put quotes on 'more secure?'"

Samsung: <awkward laugh> "Aha-hahahaha! Yeah! Security is really important!"

Talking smack about Apple generates ad clicks. Talking smack about Samsung or Android generates yawns. For example…

“We cannot guarantee that Android is designed to be safe, the format was designed to give more freedom.”

Sundar Pichai, head of Android development for Google.

This little tidbit went by with nary a mention or cross examination by the tech press. Had Tim Cook said that about iOS it would be national headline news. Every network newscast, every nerd website, every blog on the Internet would be lit up with commentary and snark, just like TouchID was. So while it might be interesting to see Samsung’s implementation raked over the coals and thoroughly tested it simply will not happen. That’s just the way it is.

The SGS5 hasn't even shipped & the crying has already started. From what I can see the sensor on the Samsung device has less chance of hardware failure due to the way the phone gets your fingerprint. Time will tell but it's amazing to me how many senior editors on this site write like fanboys that get mad whenever Samsung pushes their software. If not for Samsung the iPhone wouldn't be as good as it is. I own both the 5S and Note 3, great devices, I am happy these devices have pushed the boundaries of the Smartphone further than anyone ever expected so fast. I just enjoy tech, wish I was in it professionally instead of the Construction business. These devices make parts of my job so much easier, Thank You Samsung and Apple for that.

Sent from the iMore App

Right now I'm quick to assume Samsung's fingerprint scanner will not be scrutinized and Samsung held under the gun like Apple. The recent news of Google admitting Android was never built to be secure hasn't gotten much attention or outrage. It is just the way it's been and I feel this won't be any different. It's the underdog advantage and even though Samsung is a ginormous company that is how they are perceived in the smartphone space. I agree with Rene that when it comes to security it shouldn't matter who implemented the tech it should be tested thoroughly.

Sent from the iMore App

It's amazing how many commenting (or writing articles) here work for Apple and Samsung. How else could they know with such certainty the internal motivations and development methods for each company and their approach to security implementation?

I have an idea - how about we stop assuming we know why a company does something a certain way and just let the facts speak for themselves? Crazy I know...