There were only a couple of stories that caught my attention this week. One relates to an issue with the biometric security on Samsung Galaxy S10 devices, and the other has to do with the launch of the new United States Cybersecurity Directorate.
Here we go:
Biometric Insecurity on Galaxy Devices
A woman in the United Kingdom stumbled on a serious issue with Samsung Galaxy S10 devices. She discovered that even though she only registered her right thumb to unlock her device, she was able to gain access with her left thumb as well. She then did some further digging and found that her husband could also unlock her phone with either of his thumbs, and that the same issue existed on her sister’s Galaxy device as well.
The issue was brought to Samsung’s attention and they investigated. It turns out that some silicone screen protectors interfere with the ultrasonic fingerprint sensor on the Galaxy S10, S10 Plus, and S10 5G, as well as the Galaxy Note 10 and Note 10 Plus. The fingerprint sensor detects 3-dimensional patterns in the screen protector and registers them as the user’s fingerprint.
Samsung issued a statement announcing that a patch is coming soon and offering the following guidance:
"To prevent any further issues, we advise that Galaxy Note10/10+ and S10/S10+/S10 5G users who use such covers to remove the cover, delete all previous fingerprints and newly register their fingerprints.
"If you currently use front screen protective covers, to ensure optimum fingerprint scanning, please refrain from using this cover until your device has been updated with a new software patch."
The thing that seems most odd about this to me is that the result of the flaw is to grant access. I can understand if the screen protector interferes with the ability to accurately read the fingerprint and prevents the device from unlocking. That would make sense. In this case, though, it seems that the fingerprint sensor can’t get an accurate read and just decides that any fingerprint is close enough. That doesn’t instill tremendous confidence in the protection of the biometric security.
United States Launches Cybersecurity Directorate
The United States government and the United States military have seemingly countless teams and agencies dedicated to various aspects of cybersecurity. Last week, the National Security Agency (NSA) announced the formation of the new Cybersecurity Directorate to correlate and coordinate that work into a more comprehensive effort.
The vision behind the Cybersecurity Directorate is to form partnerships between various groups to enable technical and intelligence experts to pool resources and compare notes. The Cybersecurity Directorate will ostensibly enable the NSA to integrate efforts by cyber defense experts to operationalize threat intelligence and vulnerability assessments.
NSA director General Paul Nakasone said, "What I’m trying to get to in a space like cyberspace is speed, agility, and unity of effort."
This move makes sense and mirrors similar efforts in the private sector. Different groups and different cyber disciplines collect and analyze data to develop intelligence about evolving techniques and emerging threats, but each one is like having just a handful of pieces from a massive jigsaw puzzle. By combining the intelligence and coordinating the effort, the pieces can be put together to reveal much more of the puzzle and help organizations stay a step ahead of attackers.