Hackers stealing fingerprint data a real danger, say researchers

7 Aug 2015

Android devices are susceptible to attacks that enable hackers to extract fingerprints, according to research revealed by FireEye’s Tao Wei and Yulong Zhang at the Black Hat conference in Las Vegas.

The attacks – which were confirmed on the HTC One Max and the Samsung Galaxy S5 – are confined to Android devices with fingerprint sensors.

This subset of devices is currently fairly small, with Huawei, Samsung and HTC the main smartphone providers with skin in that particular game.

While this may sound reassuring, that’s only temporary. It is believed that more than 50pc of smartphones will ship with fingerprint sensors by 2019.

The vulnerability is believed to stem from the fact that device makers don’t fully lock down the sensors.

In fact, some sensors are guarded only by system privileges, meaning that jail-broken phones are even more at risk.

And it’s not just mobile devices that are open to attack. High-end laptops with fingerprint scanners have the same vulnerabilities, according to Wei and Zhang’s research.

Of course, the real concern about attacks like this has little to do with mobile security – it’s the real-world consequences.

A fingerprint, once stolen, cannot simply be changed, allowing hackers and criminals to trade on a person’s identity for decades.

For fans of Apple’s Touch ID – available on the iPhone 5S and later, and the iPad Air 2 and iPad Mini 3 – there’s no need to worry, however.

The researchers, speaking with ZDNet, remark that iOS is “quite secure”, with encryption software ensuring that, even if they could access fingerprint data, hackers would be unable to get a fingerprint image without also having the crypto key.

Affected Android vendors have provided patches since being alerted to the vulnerability.


Kirsty Tobin was careers editor at Silicon Republic
