Samsung Galaxy S10+ can be tricked by a 3D-printed fingerprint

Samsung's ultrasonic in-display fingerprint scanner can apparently be fooled by using a 3D-printed fingerprint.

If you have the phone owner's fingerprint and access to fairly inexpensive 3D printing equipment, the entire process takes minutes and the resulting fingerprint copy will unlock the phone quite reliably.

Imgur user darkshark explained the process on Imgur (via The Verge). He took a photograph of his fingerprint from the side of a wine glass with his smartphone. He then created a 3D model of the fingerprint with 3DS Max software, and printed it on a piece of resin with the AnyCubic Photon LCD printer.

CARD ID: 432156, CARD TYPE: Imgur

The result: a square piece of resin containing a 3D model of the fingerprint. Put that on the Galaxy S10+ and it will unlock it, as darkshark claims, "in some cases just as well" as the actual finger.

The printer that darkshark had used costs a little over $400, and while the process requires some specialized software and know-how, it doesn't look like something that would be very hard to replicate.

Of course, someone aiming to do that with another person's phone would need physical access to the phone and the owner's fingerprint, but as darkshark points out, if you have someone's phone, you probably have their fingerprints on it, too.

"I can do this entire process in less than 3 minutes and remotely start the 3d print so that it's done by the time I get to it," darkshark claims. "Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone."

CARD ID: 432158, CARD TYPE: Imgur

The fact that biometric identification methods like face recognition and fingerprint scanning aren't as secure as a good password is not new. But you wouldn't know it from Samsung's own documents. In the S10+ user manual, Samsung never says that the fingerprint scanner is any less secure than other authentication methods. In a February post about the scanner on Samsung's web page, the company says the following: "With the new ultrasonic fingerprint ID technology, there are no tradeoffs. You don’t have to sacrifice user experience for security."

In the same post, Samsung claims that it uses "a machine learning algorithm to help detect the differences between real fingerprints and forged 3D replicas."

But the method described by darkshark casts doubts on the viability of Samsung's ultrasonic fingerprint scanner as a method of protecting your data. Hopefully this will be addressed in future iterations of these scanners or through software updates; for now, if your phone contains sensitive data, you should probably use a password instead.

We've reached out to Samsung about the issue and will update this post when we hear from them.