Published Date: 2019-10-17
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident with the Samsung Galaxy S10's fingerprint recognition occurred in October 2019 as reported in [Article 91231], [Article 90937], [Article 91021], [Article 91085], [Article 91084], and [Article 90943]. |
System | 1. Samsung Galaxy S10 and Galaxy Note 10 ultrasonic fingerprint reader system [93751, 91231, 90937, 91021, 91085, 91084, 90943, 90956] |
Responsible Organization | 1. Samsung [93751, 91231, 90937, 91021, 91085, 90943, 90956] |
Impacted Organization | 1. Samsung - The software failure incident impacted Samsung as it involved a flaw in the fingerprint recognition system on their Galaxy S10 and Galaxy Note 10 phones [93751, 91231, 90937, 91021, 91085, 91084, 90943, 90956]. 2. KaKao Bank - The South Korean online bank, KaKao Bank, recommended that its customers disable the fingerprint recognition feature on the Galaxy S10 until the issue was resolved [91231, 91021]. 3. RBS and NatWest - These banks pulled their apps from the Google Play Store for Samsung S10 devices due to the security flaw in the fingerprint scanning feature [90943, 90956]. 4. HSBC - HSBC issued warnings to customers who use its online/app-based banking services on Samsung S10 devices to disable fingerprint authentication until the issue was fixed [90943, 90956]. 5. Nationwide Building Society - Issued warnings to customers regarding the security flaw on Samsung S10 devices [90956]. 6. Alipay and WeChat - These mobile payment leaders in China disabled the fingerprint payment option on their apps for the Galaxy S10 and Galaxy Note 10 due to the security flaw [90956]. |
Software Causes | 1. The software failure incident with the Samsung Galaxy S10 and Galaxy Note 10 phones was caused by a flaw in the ultrasonic fingerprint sensor technology, which allowed anyone's fingerprint to unlock the device when using certain screen protectors [93751, 91231, 90937, 91021, 91085, 91084, 90943, 90956]. |
Non-software Causes | 1. The failure incident was caused by certain screen protectors being incompatible with the ultrasonic fingerprint sensor, leaving a small air gap that interfered with the scanning process [90956, 90943]. 2. The issue arose when patterns inside silicone screen protectors were recognized along with fingerprints, causing the device to confuse the patterns with the actual fingerprint, allowing anyone to unlock the device as long as the protector was kept on and biometrics remained enabled [90943]. 3. The flaw in the fingerprint recognition system was also attributed to the device confusing patterns inside silicone screen protectors with someone's fingerprint, leading to unauthorized access [90943]. 4. The problem was exacerbated by the fact that the ultrasonic fingerprint scanner on the Galaxy S10 could be fooled by residue left by fingers on a screen protector, allowing unauthorized access to the device [90937]. |
Impacts | 1. The software failure incident with the Samsung Galaxy S10's ultrasonic fingerprint reader allowed anyone's fingerprint to unlock the phone when using certain screen protectors, leading to a major security vulnerability [93751, 91231, 90937, 91021, 91085, 90943, 90956]. 2. Customers were advised to remove their screen protectors or disable the fingerprint recognition feature until Samsung released a software update to address the issue [90937, 91021, 90943, 90956]. 3. Banks like KaKao Bank in South Korea and RBS and NatWest in the UK took precautionary measures by advising customers to disable biometrics on their devices and pulling their apps from the Google Play Store for Samsung S10 devices [90943, 90956]. 4. The flaw in the fingerprint recognition system raised concerns about potential fraudulent access to sensitive information and financial apps on the affected devices [90943, 90956]. 5. Samsung faced criticism and had to issue statements acknowledging the malfunctioning fingerprint recognition and promising a software patch to fix the problem [91085, 90956]. 6. The incident highlighted the importance of thorough testing and compatibility checks between hardware components like fingerprint sensors and accessories like screen protectors to ensure proper functionality and security [90956]. |
Preventions | 1. Thorough testing with various screen protectors: Conducting extensive testing with a wide range of screen protectors during the development phase could have helped identify the issue of the ultrasonic fingerprint sensor being confused by certain patterns on the protectors [90937, 91021]. 2. Improved algorithm for distinguishing between legitimate fingerprints and spoof patterns: Enhancing the machine learning algorithms to better differentiate between actual fingerprints and patterns on screen protectors could have prevented unauthorized access to the devices [93751]. 3. Early detection and immediate action: Promptly addressing the reported security flaw by issuing a software update as soon as the vulnerability was discovered could have mitigated the risk of unauthorized access through the fingerprint scanner [90943, 91084]. 4. User education and guidance: Providing clear instructions to users on the compatibility of screen protectors with the fingerprint sensor and advising them on best practices for maintaining security could have helped prevent incidents of unauthorized access [90956]. 5. Collaboration with third-party accessory manufacturers: Working closely with third-party accessory manufacturers to ensure compatibility and prevent interference with the fingerprint sensor could have avoided the security flaw caused by certain screen protectors [90943, 90956]. |
Fixes | 1. A software update to patch the vulnerability in the fingerprint recognition system could fix the software failure incident [93751, 91231, 90937, 91021]. 2. Implementing an anti-spoof algorithm to differentiate between legitimate fingerprints and spoof patterns could address the issue [93751]. 3. Increasing the size of the fingerprint recognition area with a new fingerprint sensor, like the 3D Sonic Max, to prevent confusion and improve accuracy in fingerprint scanning could help mitigate the problem [93751]. 4. Testing the fingerprint sensor with various covers and materials to ensure accurate recognition and prevent spoofing could be a solution [93751]. 5. Disabling the fingerprint recognition feature until the software patch is released to prevent unauthorized access through the fingerprint scanner could be a temporary fix [90943, 90956]. |
References | 1. The articles gather information about the software failure incident from Samsung Electronics Co Ltd [91231, 91085, 91084, 90943, 90956]. 2. The articles also gather information from KaKao Bank [91231, 91085]. 3. Information is sourced from Reuters [91085, 91084]. 4. The articles mention that RBS and NatWest have pulled their apps for the Samsung Galaxy S10 [90956]. 5. The articles refer to BBC News Mundo [91231]. 6. The articles mention that Alipay and WeChat have disabled the fingerprint payment option in their Galaxy apps [90956]. 7. The articles also mention that the Bank of Scotland has urged Galaxy owners to turn off fingerprint login [91021]. 8. The articles refer to The Sun newspaper [91231, 90943, 90956]. 9. The articles mention that Nationwide Building Society and HSBC have issued warnings to customers [90956]. 10. The articles mention that the Economic Daily News reported that Apple will be using Qualcomm's in-display fingerprint sensor [93751]. |
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) The software failure incident related to the fingerprint recognition flaw on Samsung Galaxy S10 devices has happened again within the same organization, Samsung. The incident involved a major flaw in the ultrasonic fingerprint reader on the Galaxy S10 and Galaxy Note 10 phones, which could be fooled by residue left by fingers on a screen protector. Samsung acknowledged the issue and planned to release a software update to address the problem [Article 90937]. (b) The software failure incident related to the fingerprint recognition flaw on Samsung Galaxy S10 devices has also occurred at other organizations. RBS and NatWest pulled their apps from the Google Play Store for Samsung S10 devices due to the security flaw that allowed the phone to be unlocked by anyone via its fingerprint authentication system when used with certain screen protectors. Other banks like Nationwide Building Society and HSBC issued similar warnings to customers, and Alipay and WeChat disabled the fingerprint payment option on their apps for the Galaxy S10 and Galaxy Note 10 [Article 90956]. |
Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase: - The incident with the Samsung Galaxy S10's fingerprint recognition system being fooled by residue left by fingers on a screen protector was a result of a flaw in the design of the ultrasonic fingerprint sensor [90937]. - Samsung acknowledged the issue and mentioned that the problem arose when patterns of some protectors that come with silicone phone cases were recognized along with fingerprints, indicating a design flaw in the sensor's recognition mechanism [91085]. (b) The software failure incident related to the operation phase: - The incident led to RBS and NatWest pulling their apps for the Samsung Galaxy S10 due to the security flaw, impacting the operation of their services on the affected devices [90956]. - Customers were advised to disable biometrics on their devices until the issue was resolved, highlighting the operational impact of the software failure [90956]. |
Boundary (Internal/External) | within_system, outside_system | (a) The software failure incident related to the Samsung Galaxy S10's fingerprint recognition issue was primarily within the system. The problem stemmed from a flaw in the ultrasonic fingerprint sensor technology used in the Galaxy S10 and Galaxy Note 10 phones. The issue allowed anyone to unlock the phone using certain screen protectors or even unregistered fingerprints, indicating a failure within the design and implementation of the fingerprint recognition system [93751, 91231, 90937, 91021, 91085, 91084, 90943, 90956]. (b) Contributing factors that originated from outside the system included the use of third-party screen protectors that interfered with the ultrasonic fingerprint sensor's functionality. The issue was exacerbated by the presence of air gaps caused by these screen protectors, leading to the sensor malfunctioning and allowing unauthorized access to the devices [90937, 91021, 90943, 90956]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The software failure incident with the Samsung Galaxy S10's ultrasonic fingerprint reader was caused by a flaw in the technology that allowed it to be fooled by residue left by fingers on a screen protector [90937]. - The issue arose from the device confusing patterns inside silicone screen protectors with someone's fingerprint, enabling anyone to unlock the device as long as the protector was kept on and biometrics remained enabled [90943]. - Samsung acknowledged the problem and planned to release a software patch to fix the fingerprint recognition issue on the Galaxy S10 [91085]. (b) The software failure incident occurring due to human actions: - The flaw in the ultrasonic fingerprint reader of the Samsung Galaxy S10 was discovered by a British woman who found that her husband could unlock her phone using his fingerprint after she added a cheap screen protector [90937]. - The incident was reported to have been caused by a bug that allowed the phone to be unlocked regardless of the biometric data registered in the device, leading to concerns about fraudulent access [91085]. - Users were advised to disable biometrics on their devices until the issue was resolved, indicating a human action response to mitigate the security flaw [90956]. |
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident occurring due to hardware: - The incident with the Samsung Galaxy S10's fingerprint recognition system was caused by a flaw in the ultrasonic fingerprint sensor technology used in the device [93751]. - The issue arose when certain screen protectors interfered with the ultrasonic sensor's ability to accurately read fingerprints, leading to unauthorized access to the device [90937]. - The problem was specifically related to the sensor being confused by patterns inside silicone screen protectors, allowing anyone to unlock the device as long as the protector was on and biometric authentication was enabled [90943]. (b) The software failure incident occurring due to software: - Samsung acknowledged the issue with the Galaxy S10's malfunctioning fingerprint recognition and stated that it would deploy a software patch to address the problem [91085]. - The software patch was intended to fix the problems with the fingerprint recognition system on the Galaxy S10, indicating that the root cause of the issue was related to the software implementation of the sensor technology [91084]. - Banks like RBS and NatWest had to pull their apps for the Samsung Galaxy S10 due to the security flaw in the fingerprint authentication system, highlighting a software-related vulnerability [90956]. |
Objective (Malicious/Non-malicious) | non-malicious | (a) The software failure incident related to the Samsung Galaxy S10's fingerprint recognition system was non-malicious. The incident involved a flaw in the ultrasonic fingerprint reader that allowed anyone to unlock the phone using certain screen protectors or residue left by fingers on the screen protectors. Samsung acknowledged the issue and worked on releasing a software patch to address the problem [90937, 91021, 91085, 90943, 90956]. (b) The incident was not attributed to any malicious intent but rather to a technical flaw in the design or implementation of the fingerprint recognition system on the Galaxy S10 devices. |
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The intent of the software failure incident: - The software failure incident related to the Samsung Galaxy S10's fingerprint recognition system was primarily due to poor decisions made during the design and implementation of the technology [93751, 91231, 90937, 91021, 91085, 91084, 90943, 90956]. - Samsung introduced a new ultrasonic fingerprint reader on the Galaxy S10 and Note 10 phones, which was marketed as a revolutionary biometric authentication feature [90943, 90956]. - The flaw in the system allowed anyone to unlock the device using certain screen protectors, leading to concerns about fraudulent access to sensitive information [90943, 90956]. - The issue arose from the device confusing patterns inside silicone screen protectors with actual fingerprints, compromising the security of the fingerprint recognition system [90943, 90956]. - Samsung acknowledged the malfunctioning fingerprint recognition and announced plans to release a software patch to address the vulnerability [91085, 90956]. - Banks like RBS, NatWest, Nationwide Building Society, and HSBC took precautionary measures by advising customers to disable biometrics on their devices until the software patch was implemented [90956]. - The incident highlighted a significant flaw in the design and implementation of the fingerprint recognition technology, indicating poor decisions in ensuring the security and reliability of the system [93751, 91231, 90937, 91021, 91085, 91084, 90943, 90956]. |
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident occurring due to development_incompetence: - The software failure incident related to the Samsung Galaxy S10's fingerprint recognition flaw was primarily due to a development incompetence issue. The ultrasonic fingerprint reader on the Galaxy S10 and Galaxy Note 10 phones had a major flaw that allowed it to be fooled by residue left by fingers on a screen protector [90937]. - Samsung acknowledged the issue and mentioned that a bug on the Galaxy S10 allowed it to be unlocked regardless of the biometric data registered in the device. This flaw was discovered by a British user who found that her husband could unlock her phone using his fingerprint after she bought a third-party screen protector [91085]. - The flaw in the scanner arose from the device confusing patterns inside silicone screen protectors with someone's fingerprint, enabling anyone to unlock the device as long as the protector was kept on and biometrics remained enabled [90943]. (b) The software failure incident occurring due to accidental factors: - The software failure incident related to the Samsung Galaxy S10's fingerprint recognition flaw can also be attributed to accidental factors. The flaw was discovered accidentally by a British woman whose husband was able to unlock her Samsung phone when he placed his thumb on the fingerprint reader, enclosed in a cheap case [90937]. - The accidental nature of the flaw is further highlighted by the fact that the issue was not intentionally introduced but was a result of the device confusing patterns inside silicone screen protectors with fingerprints, leading to unauthorized access [90943]. - Samsung responded to the incident with a bug fix and advised customers not to use certain silicone screen protecting cases until a software update was released, indicating that the flaw was not intentional but an accidental oversight [90937]. |
Duration | temporary | (a) The software failure incident related to the Samsung Galaxy S10 fingerprint recognition issue was temporary. The issue arose due to certain circumstances, specifically the use of certain screen protectors that interfered with the ultrasonic fingerprint sensor, allowing unauthorized access to the device [90937, 91021, 90943, 90956]. (b) The software failure incident was not permanent as it was caused by specific factors related to the screen protectors and the fingerprint recognition technology, which could be addressed through a software patch or by temporarily disabling the biometric authentication feature until a fix was confirmed and the device was updated [90937, 91021, 90943, 90956]. |
Behaviour | crash, value, other | (a) crash: - The software failure incident related to the Samsung Galaxy S10's fingerprint recognition system can be categorized as a crash. The incident involved the system losing its state and failing to perform its intended function of accurately recognizing registered fingerprints, leading to unauthorized access to the device [90943]. - The crash resulted in the system being unlocked by anyone via the fingerprint authentication system when used with certain screen protectors, indicating a failure in maintaining the security and integrity of the fingerprint recognition feature [90956]. (b) omission: - The software failure incident did not involve omission as the system was not reported to have omitted any of its intended functions at an instance [90943]. - The incident was not characterized by the system omitting to perform its intended functions at any point [90956]. (c) timing: - The software failure incident was not related to timing issues where the system performed its intended functions either too late or too early [90943]. - There were no reports of the system performing its intended functions correctly but at incorrect times in the software failure incident [90956]. (d) value: - The software failure incident can be categorized under the value type of failure as the system performed its intended function of fingerprint recognition incorrectly, allowing unauthorized access to the device with unregistered fingerprints [90943]. - The incident involved the system performing its intended function of fingerprint authentication incorrectly, leading to a breach in security and undermining the value of the feature [90956]. (e) byzantine: - The software failure incident did not exhibit characteristics of a byzantine failure where the system behaves erroneously with inconsistent responses and interactions [90943]. - There were no indications of the system behaving in an inconsistent or erratic manner with varying responses in the software failure incident [90956]. (f) other: - The other behavior exhibited in the software failure incident was a vulnerability in the fingerprint recognition system that allowed unauthorized access to the Samsung Galaxy S10 devices, highlighting a critical flaw in the security mechanism [90943]. - The incident showcased a critical flaw in the system's security design, leading to unauthorized access through the fingerprint authentication feature, which was a significant deviation from the system's intended secure operation [90956]. |
Layer | Option | Rationale |
---|---|---|
Perception | None | None |
Communication | None | None |
Application | None | None |
Category | Option | Rationale |
---|---|---|
Consequence | property, non-human, theoretical_consequence, other | (a) death: People lost their lives due to the software failure - There were no reports of people losing their lives due to the software failure incident described in the articles [90943]. (b) harm: People were physically harmed due to the software failure - There were no reports of people being physically harmed due to the software failure incident described in the articles [90943]. (c) basic: People's access to food or shelter was impacted because of the software failure - There were no reports of people's access to food or shelter being impacted due to the software failure incident described in the articles [90943]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident allowed unauthorized access to Samsung Galaxy S10 phones, potentially compromising personal data and financial information [90943]. (e) delay: People had to postpone an activity due to the software failure - There were no reports of people having to postpone an activity due to the software failure incident described in the articles [90943]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure impacted the functionality of the ultrasonic fingerprint reader on Samsung Galaxy S10 and Galaxy Note 10 phones [90937]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident resulted in unauthorized access to Samsung Galaxy S10 phones, potentially compromising security, but there were no reports of actual consequences such as financial losses or data breaches [90943]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The potential theoretical consequence discussed was the risk of fraudulent access to banking apps and mobile payment options due to the software failure [90956]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failure incident led to concerns about the security of the fingerprint recognition system on Samsung Galaxy S10 phones, prompting banks to advise customers to disable biometrics until a software patch was issued [90956]. |
Domain | information, finance, other | (a) The failed system was related to the information industry as it involved the production and distribution of information about the Samsung Galaxy S10 and Galaxy Note 10 fingerprint recognition issue [90937, 91021]. (h) The finance industry was impacted by the software failure incident as RBS and NatWest pulled their apps from the Google Play Store for Samsung S10 devices due to the fingerprint security flaw, affecting banking services [90943, 90956]. (m) The software failure incident was also related to the "other" industry, specifically the technology industry, as it involved the malfunctioning of the fingerprint recognition system on Samsung Galaxy S10 and Galaxy Note 10 devices [90937, 91021]. |
Article ID: 93751
Article ID: 91231
Article ID: 90937
Article ID: 91021
Article ID: 91085
Article ID: 90943
Article ID: 91084
Article ID: 90956