FireEye: Android Fingerprint Data Is Ripe For Remote Theft
It's estimated that half of all smartphone shipments will have a fingerprint scanner within the next four years. Many smartphone owners already use them, whether it's for unlocking a device or making a mobile payment. That's great for convenience -- it beats having to bang out a hard-to-guess password -- but as far as security is concerned, current implementations on Android leave a lot to be desired.
FireEye researchers Tao Wei and Yulong Zhang plan to present new research at the Black Hat conference in Las Vegas next week that details ways hackers can extract fingerprint scans from Android devices. What's particularly sobering about the research is that it's not confined to just a single method, but several different ways of accomplishing the same thing.
That said, one in particular is a little more worrisome than the rest. It's called a fingerprint sensor spying attack, a method that allows an attacker to "remotely harvest fingerprints in a large scale," the researchers told ZDNet. So far it's been confirmed to work on the HTC One Max and Samsung Galaxy S5, both of which fail to fully lock down the fingerprint scanner.
" Without the proper lock-down, the attacker from normal world can directly read the fingerprint sensor," the researchers note in their report (PDF). "Note that attackers can do this stealthily in the background and they can keep reading the fingerprints on every touch of the victim's fingers. This also indicates that attackers with remote code execution exploits can remotely harvest everyone's fingerprints in a large scale, without being noticed."
The other sobering thing about fingerprint scanning is that once your fingerprint is compromised, it will always remain that way. Unlike passwords and PINs, which can be changed, your fingerprint stays with you forever.
This may not be a huge issue now, but as fingerprint scanning becomes more common and used more frequently, we'll become increasingly vulnerable. That's the bad news. The good news is, it's fixable. Apple's iPhone devices, for example, are more secure than Android devices in this regard, in part because they encrypt fingerprint data from the scanner. Even if an attacker can directly read the sensor, he or she won't be able to extract a fingerprint image without a crypto key.
FireEye researchers Tao Wei and Yulong Zhang plan to present new research at the Black Hat conference in Las Vegas next week that details ways hackers can extract fingerprint scans from Android devices. What's particularly sobering about the research is that it's not confined to just a single method, but several different ways of accomplishing the same thing.
That said, one in particular is a little more worrisome than the rest. It's called a fingerprint sensor spying attack, a method that allows an attacker to "remotely harvest fingerprints in a large scale," the researchers told ZDNet. So far it's been confirmed to work on the HTC One Max and Samsung Galaxy S5, both of which fail to fully lock down the fingerprint scanner.
" Without the proper lock-down, the attacker from normal world can directly read the fingerprint sensor," the researchers note in their report (PDF). "Note that attackers can do this stealthily in the background and they can keep reading the fingerprints on every touch of the victim's fingers. This also indicates that attackers with remote code execution exploits can remotely harvest everyone's fingerprints in a large scale, without being noticed."
The other sobering thing about fingerprint scanning is that once your fingerprint is compromised, it will always remain that way. Unlike passwords and PINs, which can be changed, your fingerprint stays with you forever.
This may not be a huge issue now, but as fingerprint scanning becomes more common and used more frequently, we'll become increasingly vulnerable. That's the bad news. The good news is, it's fixable. Apple's iPhone devices, for example, are more secure than Android devices in this regard, in part because they encrypt fingerprint data from the scanner. Even if an attacker can directly read the sensor, he or she won't be able to extract a fingerprint image without a crypto key.
