August 6, 2015
FireEye’s research team has uncovered major security flaws in Android smartphones that feature fingerprint sensors, flaws the researchers say make these devices more vulnerable than Apple’s Touch ID system, according to a report by NDTV Gadgets.
The report comes a few months after FireEye discussed another flaw, related to the fingerprint sensor embedded in the Samsung Galaxy S5 and other Android smartphones, which allows hackers to duplicate the user’s fingerprints.
FireEye researchers Tao Wei and Yulong Zhang have come up with four different attacks that could extract user fingerprints from Android smartphones, including “fingerprint sensor spying” which can “remotely harvest fingerprints in a large scale”.
Several Android smartphones with integrated fingerprint scanners, including the HTC One Max and Samsung’s Galaxy S5, fail to completely lock down the sensor, the researchers said.
As a result, the sensor in these devices is protected by only “system” level privilege instead of “root”, which makes it easier for would-be attackers to find a workaround.
The researchers notified the impacted smartphone vendors, which have since provided security patches to resolve the issue.
In comparison, a few security experts have previously pointed out existing flaws in the iPhone’s Touch ID sensor. However, Zhang argues that the system is “quite secure” since it encrypts the fingerprint data it collects from the sensor.
“Even if the attacker can directly read the sensor, without obtaining the crypto key, [the attacker] still cannot get the fingerprint image,” Zhang said.
Google will reportedly introduce official support for fingerprint scanners with its latest OS upgrade, Android M, which will be released later this year.
Last year, Chaos Computer Club security researcher Jan “Starbug” Krissler demonstrated a method to fool standard biometric security software by reverse-engineering a fingerprint using high-resolution photographs.