A security research firm has discovered a flaw in Android that lets hackers steal copies of fingerprints from the Galaxy S5, and possibly other devices. Samsung is already investigating the problem, and it will be confirmed this week at the RSA security conference.
Yulong Zhang and Tao Wei of FireEye discovered a way to recover identification data from the “trusted zone”, where it is kept and secured on last year’s Galaxy S5. They say their method works on all devices running Android 5.0 Lollipop and below.
The major worry is that attackers don’t need to break into that trusted zone to collect fingerprint data; they just need to intercept it as it is sent from the fingerprint scanner. This can be done simply by installing an application on a device with root access.
“If the attacker can break the kernel [the core of the Android operating system], although he cannot access fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time,” Zhang told Forbes.
“Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Zhang told Forbes. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
Yet Samsung is unlikely to be the only company affected, if the problem stems from a flaw in Android. Manufacturers such as Huawei, HTC and Motorola have launched devices with built-in fingerprint scanners that could be vulnerable as well.
As long as attackers can’t access the trusted zone, your fingerprint data should be secure if your device is not rooted. Without root access, malicious applications can’t access your fingerprint scanner.
But if you do root your device, be sure to install apps only from safe and trusted sources.
FireEye will reveal its findings at the RSA security conference.