The flaw allows users to unlock the phone with a mere 2D photo or video.
Face unlock is a security mode that many smartphones feature today. While most brands have a simple face unlocking mechanism that senses a lot of parameters before unlocking the phone, it is not as secure as the fingerprint sensor. However, Apple showed the world that face unlocking can be highly secure, and confidently removed the Touch ID sensor from the iPhone X series to prove its point. Samsung used a different type of unlocking, called retina scanning, which is meant to be highly secure too. We saw both of these in the 2018 models.
The 2019 Samsung Galaxy S10 series shows no sign of retina scanning (the iris scanner), and relies completely on the fingerprint scanner and the face unlocking mechanism. With the smartphones out for review with almost every techie out there, many have been goofing around with the new flagships, only to find out, shockingly, that the Galaxy flagships unlock themselves with mere 2D photos and videos.
Photos are not the only problem: the Samsung Galaxy S10 flagships also seem to confuse siblings with their owners.
A report from The Verge stated that they were able to unlock the Galaxy flagships with a video. Unbox Therapy stated that he was able to unlock the device by simply showing the front camera one of his YouTube videos. Shockingly, AndroidWorld.it noted that the phone could be unlocked simply by showing it a 2D photo of its owner. To make things even worse, a security researcher known as Jane Wong stated that she could unlock her brother’s phone using her face.
"I unlocked my brother's Galaxy S10+ with my face" — Jane Manchun Wong (@wongmjane), March 9, 2019
This report comes from Ars Technica, which noted that Samsung previously had better, IR-based iris scanning biometrics that were hard to crack. This time, however, Samsung seems to have removed the IR blaster and IR scanner/camera that allow retina scanning for a secure face unlocking system. The iris scanner was available in the S8, S9, Note 8 and Note 9 series, but has been taken away in the Galaxy S10 series. Because of the slimmer design, punch-hole front camera and under-display sensors, Samsung had no room to put in more hardware that could make face unlocking more secure. Sadly, one now has to rely completely on the fingerprint sensor to ensure that no one can snoop into their phone.
It is sad that Samsung did not address this issue before releasing the phones to the public, especially when security and privacy are an important need of the hour. Hopefully Samsung releases a software patch or update to resolve the issue at the earliest.
Samsung reached out to us with a statement saying, "Face recognition is a convenient action to unlock your phone. For cases requiring strong security, Samsung recommends using the new in-display Ultrasonic Fingerprint Scanner that unlocks only with your physical fingerprint. The Ultrasonic Fingerprint Scanner has been certified by FIDO Alliance with the world’s first Biometric Component Certification that recognizes its vault-like security and industry best-practice for biometric-enabled devices."
One should know that the face unlock here is not a secure one and is only meant for convenience. However, Samsung did have iris scanning technology in its past flagships, and eliminating it from the Galaxy S10 series in favour of a cheaper and less secure alternative is definitely disheartening.