August 10, 2015 -
Security research firm FireEye have developed a new spoofing method for acquiring fingerprints from Android smartphone models embedded with biometric sensors such as the Samsung Galaxy S5 and the HTC One Max, according to a report by The Register.
The spoofing method is one of four attacks the FireEye researchers recently discovered that exploit major security flaws in Android smartphones with fingerprint sensors which they say make them more vulnerable than Apple’s Touch ID system.
FireEye’s researchers — which comprises of Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei — discovered a flaw in HTC One Max in which fingerprint data is stored as an image file (dbgraw.bmp) in a open “world readable” folder.
“Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” said the team, adding that the images can be made into clear prints by adding some padding.
In another spoofing scenario, FireEye demonstrates how attackers can have third-party money transfers authenticated by displaying a fake lock screen prompting unsuspecting victims to scan their fingerprints to unlock the device.
The researchers presented their paper,“Fingerprints On Mobile Devices: Abusing and Leaking”, at Black Hat in Las Vegas last week.
They explained how the majority of Android smartphone manufacturers fail to use Android’s Trust Zone protection to protect biometric data.
“To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger,” the team said. “So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.”
The fingerprint sensors embedded in the smartphones are only restricted to root privilege, and not system, which makes it easier for attackers to find a workaround.