At the Black Hat USA conference earlier this week, researchers from the FireEye cybersecurity firm revealed newly discovered ways hackers could attack Android devices in order to steal users' fingerprints.
For at least a year now, biometric identifiers (often including fingerprint scanners) have been promoted as the next big advance in personal security. Apple offered fingerprint scanners as an option on its iPhone 5S, and again on the iPhone 6.
Earlier this summer, when Microsoft began publicizing the features and options planned for the not-yet-released Windows 10, those options included possible biometric security features based on facial-recognition, iris-scanning, or fingerprint-scanning sensors.
The security benefit of biometric recognition systems is that they're supposed to be harder for thieves to fake: stealing and copying your unique fingerprint is far more difficult than stealing and copying your Social Security or bank account numbers, passwords, or other presumably confidential data.
Yet there's also a downside: if a thief steals your bank or credit-card account numbers, alerting your bank and changing your account and password info is relatively easy. But what can you do if a thief steals and learns how to forge the fingerprints which have been uniquely yours since birth?
Such theft is possible, and FireEye researchers Tao Wei and Yulong Zhang uncovered a way to steal such data from Android devices. Actually, they uncovered four ways to do it, but the worst, as Zhang told ZDNet, is a “fingerprint sensor spying attack” which can “remotely harvest fingerprints on a large scale.”
The attack takes advantage of a security weakness in Android fingerprint sensors found on certain devices – namely, the sensors aren't fully locked down. The researchers pulled off confirmed attacks on a Samsung Galaxy S5 and an HTC One Max.
Zhang said that “In this attack, victims' fingerprint data directly fall into attacker's hand. For the rest of the victim's life, the attacker can keep using the fingerprint data to do other malicious things.”
ZDNet noted that “The researchers did not comment on which vendor is more secure than others.” However, the article goes on to say that Zhang “noted that Apple's iPhone, which pioneered the modern fingerprint sensor, is ‘quite secure,’ as it encrypts fingerprint data from the scanner.” Even if an attacker manages to steal such data, it's unreadable without the encryption key.
Android device owners with fingerprint scanners should make sure to regularly update their devices (patches have already been issued for the vulnerability highlighted by FireEye), and only install apps from approved, reliable sources.