Senator seeks answers on Samsung's fingerprint scanner for Galaxy S5

Technology poses security concerns, says Franken

A U.S. senator Tuesday questioned Samsung on the privacy protections the company has in place for the fingerprint scanning technology on its recently released Galaxy S5 smartphone.

In a letter addressed to the South Korean and U.S. top executives of the company, Sen. Al Franken (D-Minn.) expressed concern over reports about security gaps in the technology and demanded to know what measures the company has for addressing them.

Samsung did not respond immediately to a request for comment.

The letter is similar to one Franken sent last September to Apple CEO Tim Cook in which he sought details about Apple's TouchID fingerprint reader in the iPhone 5S.

Like Apple's TouchID, Samsung's fingerprint scanner was hacked by security researchers just a few days after the product was released, Franken noted in his letter to Samsung. In both cases, researchers were able to easily fool the scanners using a fake fingerprint lifted from a smartphone touch screen.

"Initial reports also suggest that the Galaxy S5 may raise security concerns that Touch ID does not," Franken noted. For instance, the scanner allows for unlimited authentication attempts without ever requiring a password. In contrast, the TouchID requires iPhone 5S users to enter a password after five failed fingerprint authentication attempts, Franken said.

Unlike the TouchID, which only allows users to unlock a phone and use a narrow set of applications, Samsung's technology lets users access the entire range of applications on the phone once they have been authenticated using a fingerprint.

"This means that you can use the Galaxy S5 fingerprint scanner to send money on PayPal" without needing to use a password, Franken wrote, apparently referring to a demonstration of exactly that capability by security firm Chaos Computer Club last month.

"Unfortunately, it likely means that bad actors who spoof your fingerprints can do that too," he said.

While fingerprint-based authentication can be convenient, fingerprints are the opposite of private. They are easy to steal because people leave fingerprints on everything they touch. Hackers with a digital copy of a fingerprint can use it to impersonate another individual for the rest of that person's life, Franken said.

Franken asked Samsung to explain how it secures fingerprints generated by the scanner and whether the technology allows locally stored fingerprints to be converted to a digital or visual format that can be used by others.

He also asked Samsung to explain whether it would be possible for a third party to extract a fingerprint stored on a device and whether fingerprint images are backed up onto computers or to Samsung servers in the cloud. He wanted to know if Samsung plans on enabling fingerprint authentication on other devices, such as its tablet computers.

In addition, Franken asked a series of detailed questions on Samsung's policies on whether it considers fingerprint data to be part of the contents of a communication message or as a subscriber number or identity as defined in the Stored Communications Act. Knowing the answers to such questions is important because it provides insight into how the company will treat fingerprint data when confronted with a demand for data by law enforcement and other government agencies.

"I am not trying to discourage adoption of fingerprint technology for consumer mobile devices," Franken said. Rather, the goal is to get companies to deploy the technology in a measured and secure manner, he said.

This article, Senator seeks answers on Samsung's fingerprint scanner for Galaxy S5, was originally published at

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
