Samsung Galaxy S5 and other ‘unnamed Android devices’ could leak user fingerprints to hackers that can clone them.
According to security experts at FireEye, although Samsung implements encryption mechanism to protect user fingerprints archived on the mobile phone, an attacker can steal them just before they are encrypted.
Smartphones acquire the user fingerprints in order to authenticate it, the scanned print is then compared against a copy held by the ARM TrustZone technology.
When the user presses his finger against the device, the TrustZone code accesses the sensor, checks the scanned print and then provide the result of the comparison back to the OS. The TrustZone code is the unique one that could read data from the sensor.
The attacker can then steal the fingerprints, clone and use them impersonate the victim against other authentication services that use his fingerprints.
The researchers highlighted that any hacker with user-level access that can run programs as root could steal fingerprints from the mobile device. The situation is easier for Samsung Galaxy S5 on which a malware would only require system-level access.
“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Yulong Zhang, one of the researchers, explained, to Forbes. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
The good news it fixed for mobile devices running Android 5.0 Lollipop and higher, for this reason the experts urge users to update their mobile for the last release of the Google OS.
Samsung confirmed that is investigating on the flaw in order to protect its customers.
“Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims.” confirmed a Samsun spokesperson.
The discovery made by the experts is the last problem in order of time for fingerprint scanner that equip popular mobile devices.
Last year a team of experts discovered that was possible to bypass the Samsung Galaxy S5 fingerprint scanner by using ‘crude fake fingerprint’ modeled from wood glue and captures with a photo.
The researchers Zhang and Wei presented their findings at the RSA, you can find the slides here.
(Security Affairs – Samsung S5, fingerprints)