Researchers have found major security vulnerabilities in Android smartphones that come with fingerprint scanners. Security firm FireEye's researchers have devised four different attacks that could extract user fingerprints from Android smartphones, and claim the technology is more vulnerable than Apple's implementation of Touch ID.
FireEye researchers Tao Wei and Yulong Zhang have revealed major vulnerabilities in fingerprint scanner-powered Android smartphones. One such attack is "fingerprint sensor spying," which can "remotely harvest fingerprints in a large scale," the researchers told ZDNet.
Smartphones like the HTC One Max and Samsung's Galaxy S5 that sport a fingerprint scanner don't fully lock down the sensor, the researchers note. The sensor in these phones is protected by only "system" level privilege instead of "root", making it easier for an attacker to find a workaround. The affected vendors were notified, and have since provided patches for the issue.
It wasn't very long ago that Android smartphone manufacturers started to add fingerprint sensors to their handsets. The technology, which is largely similar to the iPhone and iPad's Touch ID, makes it easier to unlock a smartphone. Zhang, however, says the iPhone Touch ID sensor is "quite secure" since it encrypts the fingerprint data it gleans from the sensor. He added, "Even if the attacker can directly read the sensor, without obtaining the crypto key, [the attacker] still cannot get the fingerprint image."
Any vulnerability in fingerprint scanners is critical because they handle sensitive data. The fingerprint sensors - in addition to unlocking a screen and enabling users to quickly log in to their accounts - have also been used for authentication in mobile wallets and banking features. If the data falls into the wrong hands, the results could be devastating for the victim.
This isn't the first time a vulnerability has been found in the fingerprint scanner of an Android smartphone. Last year, a German firm named H Security found a way to fool the Galaxy S5's sensor and gain access to the handset using a "dummy" finger.
Earlier this year, Wei and Zhang found another vulnerability in the same Samsung flagship smartphone. The handset encrypts the data and stores it in a secure zone; however, the researchers found a way to create a copy of the data before the handset could store the information and lock it down.