Fingerprints Can Be Remotely Stolen From Android Phones

According to a report by ZDNet, FireEye researchers Tao Wei and Yulong Zhang have revealed new ways to attack Android devices that would allow hackers to steal fingerprint data on a large scale. The research, which is set to be announced at the forthcoming Black Hat conference in Las Vegas, shows that the threat is for now confined mostly to Android devices that have fingerprint sensors, such as those from Samsung, Huawei, and HTC.

The researchers noted that the threat may become much bigger by 2019, when it’s speculated that at least 50% of all Android smartphone shipments will have a fingerprint sensor.

Of the four attacks outlined by the researchers, one in particular, dubbed the “fingerprint sensor spying attack”, can remotely harvest fingerprints on a large scale, Zhang told ZDNet. The attack, which has been confirmed on the HTC One Max and Samsung’s Galaxy S5, allows a hacker to stealthily acquire a fingerprint image from an affected device.

Making matters worse, the sensor on some devices is only guarded by the “system” privilege instead of root, making it easier to target. (In other words: rooting or jailbreaking your phone can leave you at greater risk.) Once the attack is in place, the fingerprint sensor can continue to quietly collect fingerprint data on anyone who uses the sensor.

“In this attack, victims’ fingerprint data directly fall into attacker’s hand. For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things,” Zhang said. 

Researcher Zhang specifically highlighted that the iPhone’s Touch ID, which pioneered the modern fingerprint sensor, is “quite secure,” as it encrypts fingerprint data from the scanner.