|Photo Courtesy: Mobilesyrup website|
Tao Wei and Yulong Zhang, researchers at FireEye, a security firm, said that even though there is a separate secure enclave for the information on the phone, it is possible to grab the biometric data before it reaches that safe area which allows hackers to copy people’s fingerprints for further attacks.
Wei and Zhang, who conducted research on Galaxy S5 including other unnamed Android devices, will be presenting their findings at the RSA conference on April 24.
The researchers said that in order to clone the fingerprints, the hackers don’t have to break the protected zone where the data is stored. They just have to collect data from the device’s fingerprint sensor.
According to them, any hacker can easily clone fingerprints from the phone sets. They have to get user-level access and run a program as root. They wouldn’t need to go deeper on Samsung Galaxy S5 because the malware needs only system-level access.
And once the hackers break the operating system of the phone, they can easily read the fingerprint sensor. Then, the hackers get the data from which they can generate an image of fingerprint. After that, those hackers can do whatever they want.
After finding the flaw on the phone, the researchers had contacted Samsung. However, they did not get any updates or measures to fix the vulnerability from the company.
They said that it is better to update Android version in order to get protected from this vulnerability because it is not resident on Android 5.0 or later versions.
"Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims,” said a spokesperson for Samsung via email to Forbes.
Although, there are various security concerns about biometric, it is going to be the primary form of authentication on mobile phones.
It is said that Microsoft is testing out a range of biometric options for its upcoming Windows 10 operating system.
However, Wei and Zhang said they only tested Android devices as of now.
They said that not all of the Android phones below 5.0 with fingerprint authentication were affected but this vulnerability is likely to spread among other phone companies as well. Like HTC One Max, Motorola Atrix, Samsung Galaxy Note 4 and Edge, Galaxy S6, and Huawei Ascend Mate 7.
“We only tested a limited number of devices. While we expect the issue is more widespread, we are not sure,” the FireEye spokesperson said in an email to Forbes.