Your fingerprint is unique to you.
So a fingerprint scanner for added security on your smartphone makes sense, right?
Unfortunately, it looks like that added security might be more of a liability. Researchers claim a flaw found in certain Android devices could let hackers copy your fingerprint data, clone your fingerprint authentication, and use it for further cyberattacks and potential theft.
Tao Wei and Yulong Zhang from the security firm FireEye claim they have found failures in the security of fingerprint authentication on the Samsung Galaxy S5 and other Android devices. The duo recently presented their findings at the RSA Conference.
Essentially, the problem breaks down to this:
- Information on these smartphones is being segmented and encrypted in separate secure zones.
- The flaw is that attackers can grab your fingerprint data before it reaches the protected zone, or TrustZone as Wei and Zhang call it.
- From there, fingerprint data can be copied and stored.
This means that attackers don’t have to try to break into the TrustZone. Instead, the information is stolen from memory or storage on its way there. Attackers need only obtain user-level access and your fingerprint is theirs. The problem appears to be even worse on the Galaxy S5, where malware only needs system-level access.
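To make the data-path point concrete, here is an added model (not FireEye's code and not any vendor's implementation) of the two designs the list above contrasts. The "sensor", the scan bytes, the sealing key and the memory layout are all constructed for the example. In the flawed path the rich OS driver reads the sensor, so the raw scan is staged in memory that a compromised kernel can dump before it ever reaches the trusted zone; in the hardened path the sensor is a peripheral only the trusted zone can read, and the rich OS receives nothing but the match verdict.

```python
"""Constructed model of two fingerprint data paths (added example, not FireEye's code)."""
import hashlib
from dataclasses import dataclass, field

SCAN = b"\x01\x02\x03\x04 constructed fingerprint scan bytes"  # constructed sample scan
KEY = b"constructed-tee-sealing-key"  # constructed; a real TEE derives this from hardware


@dataclass
class ReeMemory:
    """Memory the rich OS (kernel/system) can read. Anything written here is
    visible to an attacker who already controls the kernel."""
    regions: dict = field(default_factory=dict)

    def write(self, name: str, data) -> None:
        self.regions[name] = data

    def dump(self) -> dict:
        return dict(self.regions)


class Tee:
    """Trusted zone: holds the enrolled template. Its state is deliberately
    kept outside ReeMemory, so a kernel compromise does not reach it."""

    def __init__(self) -> None:
        self._template = None

    def enroll(self, scan: bytes) -> None:
        self._template = self._features(scan)

    def match(self, scan: bytes) -> bool:
        return self._features(scan) == self._template

    @staticmethod
    def _features(scan: bytes) -> bytes:
        # Stand-in for feature extraction: a keyed digest of the raw scan.
        return hashlib.sha256(KEY + scan).digest()


def unlock_sensor_in_ree(tee: Tee, ree: ReeMemory, scan: bytes) -> bool:
    """Flawed path: a rich-OS driver reads the sensor, so the raw scan sits in
    REE memory before it is handed to the trusted zone for matching."""
    ree.write("sensor_dma_buffer", scan)  # raw biometric now lives in REE memory
    result = tee.match(ree.regions["sensor_dma_buffer"])
    ree.write("auth_result", result)
    return result


def unlock_sensor_in_tee(tee: Tee, ree: ReeMemory, scan: bytes) -> bool:
    """Hardened path: the sensor is a secure peripheral only the trusted zone can
    read; the rich OS is handed nothing but the verdict."""
    result = tee.match(scan)  # the scan never touches ReeMemory
    ree.write("auth_result", result)
    return result


def raw_scan_exposed(observed: dict) -> bool:
    """Does a dump of REE memory contain the raw scan bytes?"""
    return any(v == SCAN for v in observed.values() if isinstance(v, bytes))


def compare_paths() -> dict:
    """Run both designs against a kernel-level attacker who dumps REE memory."""
    report = {}
    for name, unlock in (("sensor_in_ree", unlock_sensor_in_ree),
                         ("sensor_in_tee", unlock_sensor_in_tee)):
        tee, ree = Tee(), ReeMemory()
        tee.enroll(SCAN)
        authenticated = unlock(tee, ree, SCAN)
        rejected_wrong_finger = not unlock(tee, ReeMemory(), b"some other finger")
        observed = ree.dump()  # what the attacker sees after a successful unlock
        report[name] = {
            "authenticated": authenticated,
            "rejected_wrong_finger": rejected_wrong_finger,
            "raw_scan_exposed": raw_scan_exposed(observed),
            "ree_regions": sorted(observed),
        }
    return report


if __name__ == "__main__":
    for path, outcome in compare_paths().items():
        print(path, outcome)
```

Both designs authenticate the right finger and reject the wrong one, so from the user's side they are indistinguishable; the difference is only in what lands in rich-OS memory, which is exactly the distinction the researchers' finding turns on.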
Zhang told Forbes:
“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint … You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
This problem seems to be only present on devices running operating systems older than Android 5.0 Lollipop. Wei and Zhang suggest anyone using an older version should update their devices if possible.
A Samsung spokesperson told Forbes via email:
“Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims.”
Wei and Zhang said they have not tested any other devices, but they speculate the problem may be widespread. They suggest taking precautions to protect your information: keep your device updated, only install apps from popular and reliable sources, and stick to mobile device vendors that ship timely patches and upgrades. They have also suggested that enterprise users might want to seek professional services for protection from advanced targeted attacks.