Hackers can remotely steal your identity using Android fingerprint scanners
The vulnerabilities were reported by FireEye researchers Tao Wei and Yulong Zhang during a keynote at the Black Hat hacking conference in Las Vegas.
The security problems relate to the way devices handle and manage the biometric data being used by the scanners.
According to the keynote summary, the flaws are the result of:
- Confusions in the scanner authorisation processes that could let hackers install malware and bypass payment services' fingerprint security features.
- Trust zone design flaws in the fingerprint sensor that allow spying attacks to remotely harvest users' fingerprints.
- Pre-embedded fingerprint backdoors that can be used to hijack mobile payments protected by fingerprints and collect data on the smartphone's user.
The researchers said the attacks are dangerous as they could be used by hackers for a variety of follow-on schemes, including identity theft.
"Unlike passwords, fingerprints last a lifetime and are usually associated with critical identities. Thus, the leakage of fingerprints is irredeemable," read the researchers' statement.
Apple iPhones with TouchID fingerprint scanners are not affected by the flaws.
The attacks were tested on the HTC One Max and Samsung's Galaxy S5, though the researchers say they will work on "most" Android smartphones with fingerprint scanners.
The number of affected Android devices remains quite limited, as to date few smartphone vendors outside of Samsung, Huawei and HTC have added fingerprint scanners to their handsets. However, the number of Android smartphones with fingerprint sensors is set to increase. Google announced at its I/O developer conference that it would build fingerprint scanner support directly into the new version of Android, currently codenamed Android M, which it is set to release later this year.
The in-built support will make it easier for technology firms to add fingerprint scanners to smartphones.
Tao and Yulong called on smartphone vendors to take a number of steps to improve fingerprint scanners' security in an accompanying research paper, "Fingerprints On Mobile Devices: Abusing and Leaking".
"Mobile device vendors should improve the security design of the fingerprint authorisation framework with improved recognition algorithm against fake fingerprint attacks, and better protection of both fingerprint data and the scanning sensor," read the paper.
In the interim, the researchers recommended that users take basic measures to protect themselves from attack.
"To avoid being attacked by malware or being exploited for remote code execution, we suggest normal users to choose mobile device vendors with timely patching/upgrading to the latest version, and always keep your device up to date," read the paper.
"Also, it is always a good practice to install popular apps from reliable sources."