Hackers can remotely steal your identity using Android fingerprint scanners
The vulnerabilities were reported by FireEye researchers Tao Wei and Yulong Zhang during a keynote at the Black Hat hacking conference in Las Vegas.
The security problems relate to the way devices handle and manage the biometric data being used by the scanners.
According to the keynote summary, the flaws are the result of:
- Confusion in the scanner authorisation processes that could let hackers install malware and bypass payment services' fingerprint security features.
- Trust zone design flaws in the fingerprint sensor that allow spying attacks to remotely harvest users' fingerprints.
- Pre-embedded fingerprint backdoors that can be used to hijack mobile payments protected by fingerprints and collect data on the smartphone's user.
The researchers said the attacks are dangerous as they could be used by hackers for a variety of follow-on schemes, including identity theft.
"Unlike passwords, fingerprints last a lifetime and are usually associated with critical identities. Thus, the leakage of fingerprints is irredeemable," read the researchers' statement.
Apple iPhones with TouchID fingerprint scanners are not affected by the flaws.
The attacks were tested on the HTC One Max and Samsung's Galaxy S5, though the researchers say they will work on "most" Android smartphones with fingerprint scanners.
The number of affected Android devices remains quite limited as, to date, few smartphone vendors outside of Samsung, Huawei and HTC have added fingerprint scanners to their handsets. However, the number of Android smartphones with fingerprint sensors is set to increase. Google announced at its I/O developer conference that it would build fingerprint scanner support directly into the new version of Android, currently codenamed Android M, which it is set to release later this year.
The in-built support will make it easier for technology firms to add fingerprint scanners to smartphones.
Tao and Yulong called on smartphone vendors to take a number of steps to improve fingerprint scanners' security in an accompanying research paper, "Fingerprints On Mobile Devices: Abusing and Leaking".
"Mobile device vendors should improve the security design of the fingerprint authorisation framework with improved recognition algorithm against fake fingerprint attacks, and better protection of both fingerprint data and the scanning sensor," read the paper.
In the interim, the researchers advised users to take basic measures to protect themselves from attack.
"To avoid being attacked by malware or being exploited for remote code execution, we suggest normal users to choose mobile device vendors with timely patching/upgrading to the latest version, and always keep your device up to date," read the paper.
"Also, it is always a good practice to install popular apps from reliable sources."