Researchers: Hackers Can Remotely Swipe Fingerprints from Android Devices
FireEye researchers have uncovered a new vulnerability with Android devices, in which hackers can remotely steal fingerprints to gain unauthorized access to a user’s phone and data.
Security researchers have discovered that hackers can remotely extract user fingerprints to attack Android devices.
Today, most hackers lift fingerprints off the side of an Android phone to gain unauthorized access to a user’s phone and data, The Hacker News reports.
Dubbed the “Fingerprint Sensor Spying attack” by FireEye researchers Tao Wei and Yulong Zhang, the attack is limited mostly to Android devices with fingerprint sensors that help users to authenticate their identity by touching their phone’s screen, instead of entering a passcode.
The vulnerability affects mobile phones by major manufacturers such as Samsung, HTC and Huawei.
The researchers confirmed the attack on the HTC One Max and Samsung Galaxy S5. The duo, who presented at the Black Hat conference in Las Vegas, noted that the mobile devices allowed them to covertly obtain a fingerprint image because vendors don’t lock down fingerprint sensors well enough.
“In this attack, victims’ fingerprint data directly fall into attacker’s hand,” Zhang said during the Black Hat conference presentation. “For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things.”
Although the researchers have not shared any “proof-of-concept” detailing how the attack can be executed remotely, they did share some good news. The problem can be easily fixed by adding encryption to the fingerprint data on Android devices.
Affected vendors have released patches since being alerted to the vulnerability.
However, users need to be aware that Google has yet to officially support fingerprints in its mobile operating system. The company plans to support fingerprint sensors with the Android M update.
As for Apple users, it appears that the iPhone and iPad’s Touch ID is secure because it encrypts fingerprint data from the scanner with a crypto key, making it unreadable even if hackers gain access, The Hacker News reports.