Hackers can remotely steal fingerprints from Android devices

Researchers from FireEye have revealed that it is possible to attack Android smartphone to remotely steal user’s fingerprints on a “large scale.”

Security experts have often expressed concerns regarding the fingerprint management implemented by the principal mobile vendors. Hackers have demonstrated that it is not difficult to trigger vulnerabilities inside systems that manage fingerprints in order to bypass authentication mechanisms, in April 2015 a group of security researchers at FireEye have discovered a vulnerability in the Samsung Galaxy S5 that allows hackers to clone fingerprints.

Now security experts from FireEye have discovered four new methods to hack Android devices and extract user fingerprints remotely.

The researchers Tao Wei and Yulong Zhang presented the findings of their hack in a talk titled, Fingerprints on Mobile Devices: Abusing and Leaking, at the Black Hat conference last week.

The techniques are very insidious because the victim will never notice the disconcerting theft of its fingerprints.

The researchers dubbed the attack “Fingerprint Sensor Spying attack” and it could allow attackers to “remotely harvest fingerprints in a large scale from the handset of the major manufacturers including HTC, Samsung and Huawei.

The experts avoided to release  any “proof-of-concept” for obvious reason.
The targets of the attack are Android devices equipped with Fingerprint Sensors that allow users to authenticate themselves by simply touching the display of their smartphone.

Let’s note that Google doesn’t yet officially support the authentication mechanism based on fingerprints based on its mobile operating system, but the company will soon implement the support in the next release Android M.

The researchers tested their attack on the HTC One Max and Samsung’s Galaxy S5, the succeeded to steal a fingerprint image from the device due to the lack of a proper implementation of a locking mechanism for the fingerprint sensor.

I have explained several times the risks related to a wrong implementation of biometric authentication, the theft of a biometric data like fingerprints would be more dangerous compared the theft of a stolen password.

Users can reset their compromised password, but cannot change fingerprints neither the iris in the case of data breach.

“In this attack, victims’ fingerprint data directly fall into attacker’s hand. For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things,” said Zhang.

Fortunately, the security issue is quite easy to fix, for example by encrypting fingerprint data on Android devices, and a number of vendors are already working to a security update.

The measure is already adopted by Apple iOS that encrypts data acquired by the Touch ID sensor. The experts explained that Apple iOS is “quite secure” because it encrypts fingerprint data from the scanner with a crypto key, making it unreadable even if hackers gain access.

Pierluigi Paganini

(Security Affairs – Android, fingerprints)