Researchers have found a fingerprint flaw in the Samsung Galaxy S5. FireEye’s Yulong Zhang and Tao Wei discovered a way to seize biometric information before it reaches a separate, secure area. Fingerprint scanners are regarded as more secure alternatives to passwords.
However, the FireEye researchers discovered that fingerprint data on Android devices can be grabbed before it reaches the protected area. While fingerprint information in the trusted zone is inaccessible, Zhang and Wei told Forbes that this information can still be collected. If the kernel is compromised, the fingerprint sensor can be read directly and the data stolen.
The attacker can access the phone, run software as a root-level user and collect the data from the kernel, or core, of the operating system. This is done not by going into the trusted zone, but by acquiring user-level access and running a program as root, which is the lowest access level on smartphones and computers. Once the attacker gets the information, he can monitor the data sent to and from the phone.
According to the researchers, the confidential fingerprint information on the Samsung Galaxy S5 can be retrieved with only system-level access. The flaw in Samsung’s device can be fixed simply through a software update to Android 5. The pair said the flaw lies in the older Android platforms, up to Android 4.4.
While passwords can be changed at any time, fingerprints cannot, unless the user literally changes skin. Having them exposed to possible cloning is therefore very disturbing. Anyone running Lollipop or above is not at risk. Hence, security pundits advised those using the older models to update as soon as possible.
The FireEye team presented these findings at the recent RSA Conference late last week. Prior to the presentation, they had informed the S5 maker of the vulnerability.
Biometrics have become increasingly common in mobile devices, despite some security issues. Apple introduced TouchID, which became one of the most popular forms of biometrics in the tech market. However, Apple’s current flagship phone, the best-selling iPhone 6, was still found to have some fingerprint flaws too. Mobile security firm Lookout found last year that the TouchID of Apple’s phone can be tricked and is hence vulnerable to hacking, just like its siblings.
The major problem is that iPhone’s iTouch fingerprint scanner can be fooled with a cloned fingerprint taken from a shiny surface and recreated with glue. This is still present, despite the addition of Apple Pay, the secure payment feature of the Cupertino giant. Hackers can abuse the vulnerability further.
The FireEye duo have not tested other devices and are not claiming all Android devices are vulnerable. They said the flaw is likely widespread in other Android devices, not just the Samsung Galaxy S5.
The Samsung Galaxy S5 has been found by FireEye researchers to have a fingerprint flaw, just like other mobile devices. Android devices with fingerprint sensors are the HTC One Max, Samsung Galaxy Note 4, Samsung Galaxy Note Edge, Motorola Atrix, Huawei Ascend Mate 7 and the new Samsung Galaxy S6. A FireEye spokesperson said that they expect the Samsung Galaxy S5 issue to be widespread, but are not sure about other devices, which they have not tested.
By Judith Aparri
Photo courtesy of Kārlis Dambrāns – Creativecommons Flickr License