Is Samsung’s Galaxy S5 ‘leaking’ YOUR fingerprints? Flaw means hackers can intercept and steal bio-metric data
Experts have discovered a flaw in older versions of the Android system Once a hacker has access to a phone they can monitor data from sensors From this, they can potentially intercept a fingerprint from the scanner Vulnerability has been tested and confirmed on the Samsung Galaxy S5 Fingerprint scanners are often touted as the future of security and an alternative to the notoriously flawed password.
But experts have discovered they may not be as secure as first thought after a number of Android devices, including Samsung’s Galaxy S5, were said to be potentially ‘leaking’ fingerprints.
The security researchers have found a way to intercept a person’s biometric data after it is captured by a built-in scanner, but before it becomes encrypted.
Tao Wei and Yulong Zhang from security firm FireEye are expected to discuss their findings at this week’s RSA conference in San Francisco.
The pair told Thomas Fox-Brewster from Forbes that the flaw lies in older versions of the Android operating system, up to and including Android 4.4.
Subsequently, anyone running Android 5.0 or above are not at risk and the security experts are advising people on older models to update as soon as possible.
The vulnerability means that a hacker can access the kernel, or core, of the Android operating system.
Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset’s built-in sensors, including the fingerprint scanner.
Typically, when a fingerprint is scanned it is encrypted and separated from the rest of the device in a secure folder.
Hackers can’t get access to this folder even with access to the kernel, but they can collect scans immediately from the fingerprint sensor before they reach this folder.
In addition to using these fingerprints to access the phone, for example, they can be used to make payments with PayPal.
The flaw means that once a hacker has access they can monitor data recorded by built-in sensors, including the fingerprint scanner. When a fingerprint is scanned it is encrypted. Hackers typically can’t access this encrypted file, but the flaw allows them to collect scans from the sensor before being encrypted
During tests, Mr Wei and Mr Zhang confirmed the flaw was present on Samsung Galaxy S5.
They have not yet tested it on other Android smartphones with built-in fingerprint scanners, including the Galaxy Note 4, Note Edge and Huawei Ascend Mate 7.
However, they believe the problem to be ‘more widespread’ than the Galaxy S5 and are planning to put this to the test.
Mr Wei and Mr Zhang said they have alerted Samsung to the issue but not received an update.
Samsung told MailOnline ‘it takes consumer privacy and data security very seriously’ and is currently investigating FireEye’s claims.
Security expert Graham Cluely said: ‘It’s worth remembering that fingerprints are not secrets.
‘Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn’t depend upon it if you have sensitive data you wish to protect.’
This isn’t the first time Samsung’s S5 scanner has been exposed as vulnerable.
In April last year a group of German hackers managed to spoof the scanner using a dummy print.
This situation is made worse by the fact that once a password has been initially used to access PayPal and Samsung phones, the fingerprint can be continually used for access without re-entering the password – even if the phone is rebooted.
Alternatively, on Apple phones a password is required following every reboot.
That doesn’t mean that Apple’s TouchID scanner is without flaws.
It took hackers just two days and a small collection of everyday household items to bypass the fingerprint sensor on an Apple iPhone 5S following its launch in 2013.
Apple’s TouchID isn’t without flaws either. It took hackers just two days and a small collection of everyday household items to bypass the fingerprint sensor (shown) on an Apple iPhone 5S following its launch in 2013
Chaos Computer Club, based in Berlin, took a high-resolution photograph of a fingerprint from the side of a glass.
They then scanned it, before laser printing it onto a transparent sheet and covering it in woodglue. Once the glue had dried, they peeled off the print copy and pressed it on the scanner.
Matt White, senior manager in KPMG’s cyber security practice, told MailOnline: ‘Replacing passwords with biometric alternatives such as fingerprints provides better security, however it doesn’t completely eliminate the risk posed by cyber criminals.
‘The largest hurdle with biometrics going forward will be the establishment of consumer trust.
A fingerprint was photographed using 2400 dpi resolution. The image was inverted and laser printed onto a transparent sheet with a thick toner setting. Hackers then poured woodglue onto the print pattern, pictured top. After it dried, the sheet was lifted and pressed onto the sensor, pictured bottom, to unlock the phone
‘Trying to convince the average person to implant a piece of technology to increase security of their perceived already secure account is a battle unlikely to be won.’
Andy Kemshall, co-founder and technical director at SecurEnvoy added: ‘Biometric authentication is not yet near the level it needs to be for the majority of consumer facing organisations to implement it in their products.
‘Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods.
‘The technology simply isn’t sophisticated enough.
