Android devices are easy targets for hacking fingerprints
And, as biometrics skeptics like to point out whenever such vulnerabilities are discovered, fingerprints, unlike passwords, cannot be changed once compromised. Potentially worse is the fact that hackers are able to take an actual fingerprint from an Android sensor, which could lead to all kinds of problems, such as identity theft.
FireEye researchers have devised four different attacks that could extract user fingerprints from Android smartphones, and claim the technology is more vulnerable than Apple's Touch ID implementation. In any case, far fewer Android handsets than iPhones now have fingerprint sensors, and the iPhone is broadly considered more secure because it encrypts fingerprint data.
Samsung, HTC and Huawei are now aware of the flaw and have already begun updating their software. The Black Hat conference is part of a series of global information security events held annually in the United States, Europe and Asia which provide a forum for security researchers to share the latest in information security risks, development and trends.
By 2019, it is believed that at least half of all smartphone shipments will have a fingerprint sensor, which is where the real issue lies. The duo stressed that a particular attack, which they called the “fingerprint sensor spying attack”, harvested fingerprints on a large scale.
As a result, the sensor in these devices is protected by only “system” level privilege instead of “root”, which makes it easier for would-be attackers to find a workaround.
The affected vendors have been provided with patches for the loophole and customers have been advised to update their devices.
“Even if the attacker can directly read the sensor, without obtaining the crypto key, [the attacker] still cannot get the fingerprint image,” Zhang said.