Biometric detection is all the rage within mobile devices at the moment. The inclusion of Touch ID on Apple’s iPhone 5s sparked a mass scramble for competing manufacturers to be in a position to roll their own fingerprint solution with their wares. Samsung followed in closely behind Apple with its fingerprint sensors, and it’s now something that we almost expect to form part of a device’s technical DNA. This type of authentication will inevitably bring with it a whole heap of security related questions and concerns, some of which have been exposed and exploited at the Black Hat Security Conference in Las Vegas.
It turns out that if you’re an Android user regularly interacting with a biometric detection pad on your chosen device then your fingerprints may not be as secure as the manufacturer will have you believe. FireEye researchers Tao Wei and Yulong Zhang have presented their findings at the Black Hat Security Conference, and also spoken in-depth about the possible ways that malicious individuals could potentially attack a vulnerable Android device to gain access to an unwitting user’s stored fingerprints data.
FireEye’s researchers used the annual conference to discuss and present four different available attacks that remain possible on Android devices carrying a fingerprint reader. One of the most dangerous attacks, called the “fingerprint sensor spying attack”, is particularly nasty as it affords those with malicious intent, the ability to “remotely harvest fingerprints in a large scale”, as outlined by ZDNet. This particular method of extraction has been confirmed to work on the HTC One Max as well as Samsung’s Galaxy S5, both of which are extremely popular Android smartphones.
It seems that the underlying root of the issue is caused by the fact that the manufacturers and engineers behind the affected devices simply haven’t done enough to safeguard the fingerprint detection systems that exist within the device. Unlike Apple’s Touch ID, which only provides access to stored fingerprint details on presentation of a crypt key, installations on Android devices seem to distribute the data freely to those with a higher level system privilege.
The good news though, is that those vendors which have been known to be affected by the research, have issued patches in an attempt to remove the vulnerabilities. The better news is that Zhang described Apple’s iPhone and Touch ID implementation as being “quite secure”. Praise indeed given the topic of discussion.