
Android security flaw allows hackers to copy fingerprints

The report comes a few months after FireEye discussed another flaw, related to the fingerprint sensor embedded in the Samsung Galaxy S5 and other Android smartphones, that allows hackers to duplicate the user’s fingerprints.

The attack primarily affects Android devices that have fingerprint sensors, which enable users to authenticate their identity by touch instead of by passcode.

The threat is for now confined mostly to Android devices that have fingerprint sensors, such as Samsung, Huawei, and HTC devices, whose volume remains low compared to iPhone shipments. The Black Hat conference is part of a series of global information security events held annually in the United States, Europe and Asia, which provide a forum for security researchers to share the latest in information security risks, developments and trends.

The researchers reproduced the attack method on the HTC One Max and the Samsung Galaxy S5, as device makers don’t lock down the fingerprint sensor completely. Tao Wei and Yulong Zhang, researchers at FireEye, said there are new ways to hack Android devices and get the fingerprints.

Samsung, HTC and Huawei are now aware of the flaw and have already begun updating their software. The researchers warned that numerous attacks they note in their talk also apply to high-end laptops with fingerprint sensors. “For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things,” Zhang said.

The affected vendors have been provided with patches for the loophole and customers have been advised to update their devices.

While the sensors on the Android smartphones do not protect the fingerprint data enough, Apple’s Touch ID doesn’t give out the data without a crypto key, even if an attacker has direct access to the fingerprint sensor.
