U.S. Senator Al Franken, Chairman of the Senate’s Judiciary Subcommittee on Privacy, Technology and the Law, has questions about the fingerprint scanner and its functionality in the newly launched Galaxy S5. On Tuesday, he sent Samsung a letter asking for answers on how the technology is supposed to work, and how Samsung is guarding the privacy of Galaxy S5 buyers using it.
Franken sent the letter after finding out that the Galaxy S5’s fingerprint scanner can easily be hacked with dummy fingerprints picked up from the phone’s screen, just like the iPhone 5s’s Touch ID sensor. Franken also contacted Apple on the matter, asking similar questions about its own fingerprint-reading tech.
However, Franken says that the Galaxy S5’s implementation of the feature poses additional security risks, as the feature isn’t used solely to unlock the handset.
“The Galaxy S5 fingerprint scanner reportedly allows for unlimited authentication attempts without a password prompt, whereas Apple’s Touch ID requires a password after only five failed attempts,” Franken wrote. “Furthermore, while Touch ID can be used only to unlock a device and access certain tightly monitored Apple apps, Galaxy S5 appears to allow any app to use the fingerprint scanner instead of the password. This means that you can use the Galaxy S5 fingerprint scanner to send money on PayPal and access your password app; unfortunately it likely means that bad actors who spoof your fingerprints can do that, too. This broader access to the scanner could potentially allow third parties to access sensitive information generated by the technology.”
Franken asked Samsung 13 questions, 12 of which he asked Apple last year. The Senator wants to know how Samsung secures fingerprint data, in addition to what he also asked the iPhone maker: whether third parties can access fingerprint data, whether such data can be extracted from the phone, whether fingerprint data is stored on a computer, the cloud or servers, whether third parties or Samsung collect fingerprint data, and what Samsung plans to do with the technology in the future.
Franken wants Samsung to tell him how fingerprint data is categorized when it comes to U.S. privacy and intelligence laws, and whether Samsung can assure users it will protect their fingerprint data and not share it with any other third parties, unless so required by local laws.
“I’m not trying to discourage adoption of fingerprint technology for consumer mobile devices,” Franken concluded. “Rather, my goal is to urge companies to deploy this technology in the most secure manner reasonable — and create a public record around how companies are treating sensitive biometric information.”