When we have to set lock screen feature on our Smartphone, we usually go with a fingerprint scanner in our Smartphone. We think that the fingerprint scanner is very safe and sound.
However, researchers from FireEye, a security firm, have found a way to break the fingerprints from Android phones such as Samsung Galaxy S5 and HTC One Max.
“Fingerprints last for a life, once leaked; they are leaked for the rest of your life. Moreover, fingerprints are usually associated with every citizen’s identity, immigration record, etc. It would be a hazard if the attacker can remotely harvest fingerprints in a large scale,” the researchers said in the PDF report.
The research team, which includes Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei, has found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open "world readable" folder.
The researchers have provided detail information about the problems of existing designs, including the confused authorization attack that enables malware to bypass pay authorizations protected by fingerprints, insecure fingerprint data storage, fingerprint sensor, and pre embedded fingerprint backdoor.
However, the team reported the flaw to the companies concerned and was patched.
As per the news reports, the research team had also identified another attack that affects other Android phones where malware can circumvent protections in the operating system to access the fingerprint hardware directly.
The researchers have suggested, “To avoid being attacked by malware or being exploited for remote code execution, we suggest normal users to choose mobile device vendors with timely patching/upgrading to the latest version (e.g.'Android'Lollipop), and always keep your device up to date.”