New research revealed at the Black Hat security conference in Las Vegas has identified serious security flaws affecting Android devices with fingerprint sensors.
Researchers Tao Wei and Yulong Zhang discovered serious vulnerabilities in systems which span from popular consumer devices to critical international infrastructure.
The “fingerprint sensor spying attack” — confirmed on the HTC One Max and Samsung’s Galaxy S5 — can remotely harvest fingerprints, allowing a hacker to extract copies of user fingerprint images.
This is possible because device makers don’t fully lock down the sensor, and once an attack is in place, fingerprint data on anyone who uses the sensor can be collected.
Zhang explained, “In this attack, victims’ fingerprint data directly fall into attacker’s hand. For the rest of the victim’s life, the attacker can keep using the fingerprint data”.
The sensor on some devices is only guarded by the “system” privilege instead of root, meaning that rooting or jailbreaking a phone can leave its user at greater risk.
This threat is limited mostly to Android devices with fingerprint sensors, such as Samsung, HTC, and Huawei devices, with Zhang affirming that the iPhone 5s, 6 and 6 Plus are “quite secure,” as the Apple devices encrypt fingerprint data from the scanner.
Researchers have warned that these security flaws apply not only to mobile devices but also to laptops.
The affected vendors, such as Samsung, HTC and Huawei, have released patches after being alerted to the threat by researchers, who have still warned users to keep device software regularly updated and to install apps only from reliable sources.
The Black Hat conference is part of a series of global information security events held annually in the United States, Europe and Asia which provide a forum for security researchers to share the latest in information security risks, development and trends.