The decision to integrate biometric detection into consumer electronics may be popular with users and shows the willingness of companies to embrace emerging technologies, but the fundamental reason for such integration boils down to one thing: an attempt to improve security. The data associated with biometric capture extends beyond a simple password or code created by the user. It actually forms part of who that person is as an individual and is quite possibly as personal as it can get, so when things go wrong, as one research company will point out at this week’s RSA, it raises a lot more eyebrows than a simple password breach. According to a new report, a number of Android devices are failing to protect the data of users that is captured through integrated biometric sensors.
Manufacturers of smartphones containing biometric sensors, such as Samsung and Apple, have often taken the opportunity to wax lyrical about how securely their devices handle the data collected by the fingerprint sensor. According to FireEye’s report, which will be presented at this week’s RSA, it is entirely possible for malicious individuals to gain access to that data before it is actually transmitted to the secure enclave on the device.
The Samsung Galaxy S5, along with a host of other unnamed Android devices, is named in the report as susceptible to the vulnerability, which would require only relatively simple system-level access to reach the data:
If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint, you can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.
According to the individuals behind the report, they have contacted the manufacturers involved regarding the vulnerability and are currently waiting for an official reply, although a relatively simple email response did suggest that Samsung is “currently investigating FireEye’s claims.”