Android Fingerprint Scanners Open to Mobile Payment Hacks
ZDNet reports that FireEye researchers Tao Wei and Yulong Zhang are set to speak at the Black Hat hacking conference in Las Vegas and outline how hackers could conceivably run code that silently reads fingerprints from the reader and sends them back to the hackers. From connected devices to authentication systems, a fingerprint hack could lead to identity theft. In any case, far fewer Android handsets than iPhones now have fingerprint sensors, and iPhones are broadly considered more secure because they encrypt fingerprint data. It looks like that time has come, although mostly for Android devices.
Android users, however, are not so lucky: The researchers detected four methods of attack, the most disconcerting of which could remotely hack the sensor and steal any fingerprint that it encounters. Affected phones include models made by Samsung, HTC, and Huawei.
By 2019, industry watchers predict that more than half of smartphones will have fingerprint sensors, which means phone makers must improve their device security.
The researchers noted that smartphones such as the HTC One Max and Samsung’s Galaxy S5, which sport a fingerprint scanner, don’t fully lock down the sensor: it is protected only by “system”-level privilege instead of “root”, making it easier for an attacker to find a workaround. “For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things”, Zhang said.
Hardware manufacturers vulnerable to the latest “fingerprint sensor spying attack” were notified and have since provided patches, the ZDNet report states.
In comparison, the duo lauded the Touch ID scanner on the iPhone and said that it was “quite secure”.