The Samsung Galaxy S5's fingerprint reader security vulnerabilities were well documented over a year ago. But if you were hoping the world’s most popular Android device manufacturer had mended its exposure to easy hacks since then, recent Black Hat revelations will come as a disappointing surprise.
During the esteemed and anxiety-inducing security convention, FireEye researchers Tao Wei and Yulong Zhang presented a summary of known issues pertaining to mobile devices capable of recognizing fingerprints.
The Galaxy S5 and HTC One Max in particular fared poorly; both were vulnerable to a "fingerprint sensor spying attack" that could remotely lift prints from the phones because neither manufacturer fully locked down the sensor.
As the report points out, “the leakage of fingerprints is irredeemable”, so once hacked, the target might lose control of passwords, personal data and, most vexing of all, mobile payment access for good. A seasoned cyber-criminal can also carefully cover their tracks so as to loot fingerprints from several smartphone users over a period of time.
Samsung, HTC and Huawei are now aware of the flaw and have already begun updating their software. Meanwhile, Apple's Touch ID sensor was deemed "far more secure" as it encrypts fingerprint data from the scanner.
"Even if the attacker can directly read the sensor, without obtaining the crypto key, [the attacker] still cannot get the fingerprint image," Zhang noted.
Hopefully, Google will take a page from Apple’s playbook when wrapping up Android M, the platform’s first build endowed with native fingerprint capabilities.