Fingerprint scanners leaving Android phones vulnerable

Samsung Galaxy S6

Hackers can remotely exploit smartphone fingerprint sensors to access user data, according to research from FireEye

Hackers can exploit vulnerabilities on Android fingerprint scanners to gain access to user data, according to research from security lab FireEye.

Confusion in the scanner authorisation protocols allows hackers to install malware that can be used to bypass payment security services, FireEye researchers Tao Wei and Yulong Zhang told the Black Hat hacking conference in Las Vegas.

The researchers said the vulnerabilities are dangerous as they could be used by hackers for other schemes, including identity theft.

“Unlike passwords, fingerprints last a lifetime and are usually associated with critical identities,” the researchers explained. “Thus, the leakage of fingerprints is irredeemable. It will even be a disaster if the attackers can remotely harvest fingerprints on a large scale.”

The attacks were tested on HTC One Max and Samsung Galaxy S5 handsets, but the researchers claim they would work on “most” Android smartphones with fingerprint scanners. iPhones with TouchID are not affected by the flaws.

Only a few manufacturers have included biometric fingerprint scanners on their smartphones so far, but this is set to increase as Google announced plans to integrate scanner-related software into the next version of its OS, codenamed Android M.

This is ahead of plans to expand Google’s payment services, Android Pay, across more devices.

Samsung is also launching a payments service that utilises the biometric fingerprint scanner on its top-end range of devices. It recently announced a partnership with MasterCard to bring Samsung Pay to Europe.

“Mobile device vendors should improve the security design of the fingerprint authorisation framework with improved recognition algorithm against fake fingerprint attacks, and better protection of both fingerprint data and the scanning sensor,” the researchers explained in a paper written about the exploit.

“To avoid being attacked by malware or being exploited for remote code execution, we suggest that normal users choose mobile device vendors with timely patching/upgrading to the latest version, and always keep your device up to date.

“Also, it is always a good practice to install popular apps from reliable sources.”