A U.S. senator Tuesday questioned Samsung on the privacy protections the company has in place for the fingerprint scanning technology on its recently released Galaxy S5 smartphone.
In a letter addressed to the South Korean and U.S. top executives of the company, Sen. Al Franken (D-Minn.) expressed concern over reports about security gaps in the technology and demanded to know what measures the company has for addressing them.
Samsung did not respond immediately to a request for comment.
Like Apple's TouchID, Samsung's fingerprint scanner was hacked by security researchers just a few days after the product was released, Franken noted in his letter to Samsung. In both cases, researchers were able to easily fool the scanners using a fake fingerprint lifted from a smartphone touch screen.
"Initial reports also suggest that the Galaxy S5 may raise security concerns that Touch ID does not," Franken noted. For instance, the scanner allows for unlimited authentication attempts without ever requiring a password. In contrast, the TouchID requires iPhone 5S users to enter a password after five failed fingerprint authentication attempts, Franken said.
Unlike the TouchID, which only allows users to unlock a phone and use a narrow set of applications, Samsung's technology lets users access the entire range of applications on the phone once they have been authenticated using a fingerprint.
"This means that you can use the Galaxy S5 fingerprint scanner to send money on PayPal" without needing to use a password, Franken wrote apparently referring to a demonstration of exactly that capability by security firm Chaos Computer Club last month.
"Unfortunately, it likely means that bad actors who spoof your fingerprints can do that too," he said.
While fingerprint-based authentication can be convenient, fingerprints are the opposite of private. They are easy to steal because people leave fingerprints on everything they touch. Hackers with a digital copy of a fingerprint can use it to impersonate another individual for the rest of that person's life, Franken said.
Franken asked Samsung to explain how it secures fingerprints generated by the scanner and whether the technology allows locally stored fingerprints to be converted to a digital or visual format that can be used by others.
He also asked Samsung to explain whether it would be possible for a third party to extract a fingerprint stored on a device and whether fingerprint images are backed up onto computers or to Samsung servers in the cloud. He wanted to know if Samsung plans on enabling fingerprint authentication on other devices, such as its tablet computers.