Fingerprints have been presented as a more secure alternative to standard passwords, but what if those prints can be stolen? Security company FireEye suggests hackers can access and steal fingerprints without anyone noticing.
FireEye researchers Tao Wei and Yulong Zhang presented potential threats to fingerprints on mobile devices at the Black Hat conference in Las Vegas on Wednesday. According to their findings, Android devices with fingerprint sensors are most vulnerable to a variety of attacks.
The most dangerous and wide-reaching threat can remotely rake in fingerprints en masse, and can go almost entirely undetected. Because some smartphone manufacturers have not taken steps to fully protect the fingerprint information on the device, hackers can access and take the fingerprint image stored on board.
On some devices, the fingerprint sensor is protected only by system privilege instead of root, leaving rooted phones at greater risk. In this case, the attacker can continuously access the data collected by the fingerprint sensor and put it to use for malicious purposes.
The attack was confirmed to work on HTC’s One Max and Samsung’s Galaxy S5, two of the more popular flagship phones that feature the fingerprint sensor. FireEye’s researchers have alerted the manufacturers to the vulnerabilities, and patches for the problems have been issued.
While the risk is primarily on mobile, some high-end computers with fingerprint sensors could also fall victim to similar strategies.
The one device that is considerably more secure when it comes to fingerprints: the iPhone. Researchers said Apple has taken extra steps to lock down information from the sensor by encrypting the data gathered by the scanner.