The fingerprint scanner has raised questions since its first integration into the modern smartphone: is it secure, is it reliable, who will have access to my fingerprints?
Besides a number of external ways to fool a scanner, researchers at FireEye, a security company, found an internal vulnerability in phones like the HTC One Max and Samsung Galaxy S5 that left fingerprint images vulnerable to being copied by hackers or malware. The vulnerability has since been fixed on all phones that the researchers found to be affected, although it's unclear how the patch was applied.
"THE THEFT OF BIOMETRIC DATA LIKE FINGERPRINTS WOULD BE MORE DANGEROUS COMPARED TO THE THEFT OF A STOLEN PASSWORD"
The researchers Tao Wei and Yulong Zhang presented the findings of their hack in a talk titled “Fingerprints on Mobile Devices: Abusing and Leaking” at the Black Hat conference last week. The techniques are very insidious because victims will never notice the theft of their fingerprints.
The researchers dubbed the attack the “Fingerprint Sensor Spying attack”, and it could allow attackers to “remotely harvest fingerprints in a large scale” from the handsets of major manufacturers including HTC, Samsung and Huawei.
The experts avoided releasing any “proof-of-concept” for obvious reasons. The targets of the attack are Android devices equipped with fingerprint sensors that allow users to authenticate themselves by simply touching the display of their smartphone. Note that Google doesn’t yet officially support fingerprint-based authentication in its mobile operating system, but the company will soon implement support in the next release, Android M.
The researchers tested their attack on the HTC One Max and Samsung’s Galaxy S5, and they succeeded in stealing a fingerprint image from the device due to the lack of a proper implementation of a locking mechanism for the fingerprint sensor.
Users can reset a compromised password, but they cannot change their fingerprints or irises in the case of a data breach. The discovered security issue is quite easy to fix, for example by encrypting fingerprint data on Android devices, and a number of vendors are already working on a security update.
The measure is already adopted by Apple iOS, which encrypts data acquired by the Touch ID sensor. The experts explained that Apple iOS is “quite secure” because it encrypts fingerprint data from the scanner with a crypto key, making it unreadable even if hackers gain access.