Yet another biometric authentication mechanism has proven to be fallible. It turns out that a flaw in the Samsung Galaxy S5 and other Android smartphones allows hackers to steal fingerprint data and clone prints for further attacks.
Tao Wei and Yulong Zhang of FireEye said that a hacker who’s able to gain root access to certain phones running pre-Lollipop versions of the Android OS—which can be accomplished with a variety of malware—can remotely intercept and collect fingerprint information as it’s transmitted from the sensor to a segmented and encrypted “safe zone.”
The Samsung Galaxy S5 makes it even easier, because the malware needs only system-level access.
“If the attacker can break the kernel (the core of the Android operating system), although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time,” Zhang told Forbes. “Every time you touch the fingerprint sensor, the attacker can steal your fingerprint.”
With a copy of the fingerprint data, it’s possible to use it to gain entry to the phone without needing physical access to the device.
“You can get the data and from the data you can generate the image of your fingerprint,” Zhang said. “After that you can do whatever you want.”
The researchers said that further testing could possibly show the problem to be widespread though they weren’t yet sure; other Android devices that use fingerprint sensors include the HTC One Max, the Motorola Atrix, the Samsung Galaxy Note 4 and Edge, the Galaxy S6 and the Huawei Ascend Mate 7.
The researchers said that they had notified Samsung of the issue.
Since the flaw isn’t present in Lollipop and newer phones, users would be wise to upgrade ASAP. So far, the firm isn’t aware of any customers that have actually been affected by this attack in the real world.
Fingerprint biometrics for mobile phones have been compromised many times in the past, including Apple’s Touch ID. German hacker group Chaos Computer Club showed that it was possible to spoof a user’s fingerprint by using 3D printing to create a latex model. In that case however, physical access to both user and phone would be required.