April 22, 2015
At this week’s RSA conference, security firm FireEye discussed a recent flaw in the fingerprint sensor embedded in the Samsung Galaxy S5 and other Android smartphones, which allows hackers to duplicate the user’s fingerprints, according to a report by Forbes.
Although the affected smartphone manufacturers attempt to isolate and encrypt the biometric data in a separate secure zone, it is entirely possible for a hacker to acquire the data before it is sent to the protected area and clone the individual’s fingerprints for further attacks, said Tao Wei and Yulong Zhang from FireEye.
As a result, hackers could simply focus on collecting data being sent from the Android devices’ fingerprint sensors instead of attempting to infiltrate the trusted zone, said Wei and Zhang.
This would allow any hacker who is able to attain user-level access to run a program as root in an effort to steal data from the affected Android phones, said the researchers. In the case of the Samsung Galaxy S5, the malware only requires system-level access.
“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time,” Zhang told Forbes. “Every time you touch the fingerprint sensor, the attacker can steal your fingerprint. You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
Wei and Zhang said they both contacted Samsung, which has not yet provided any details regarding updates for users. Fortunately, the flaw is not found on Android 5.0 Lollipop or above, so the researchers recommend that users upgrade their devices accordingly.
“Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims,” a Samsung spokesperson said over email.
The researchers have only gone as far as testing “a limited number of” Android devices, but stated that the security issue is likely “more widespread”, affecting more than just Samsung’s smartphones.
As previously reported, Chaos Computer Club security researcher Jan “Starbug” Krissler demonstrated a method to fool standard biometric security software by reverse-engineering a fingerprint using high-resolution photographs.