Hackers are able to take copies of fingerprints recorded on the Samsung Galaxy S5 smartphone, according to security researchers.
Experts from FireEye, the security firm, claim to have found a flaw in Android that allows this personal security information to be stolen and then used externally. Samsung is investigating the claims and said “it takes consumer privacy and data security very seriously”.
Yulong Zhang and Tao Wei conducted tests in which they found a way to intercept the biometric data after the built-in scanner captured it but before it reached the ‘secure zone’ on the phone, where it is encrypted. This information could then be used to reconstruct the fingerprint, which could be used in another location.
Mr Zhang said: “If the attacker can break the kernel [the phone’s core], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time.”
“Every time you touch the fingerprint sensor, the attackers can steal your fingerprint. You can get the data, and from the data you can generate the image of your fingerprint. After that you can do whatever you want,” he continued.
Fingerprint scanners are sometimes used on tablets and mobiles to authorise payments, such as when using PayPal. It is therefore important to know what protections and precautions you should have in place, and to be aware that fingerprint scanners are not always 100 per cent secure.
“It’s worth remembering that fingerprints are not secrets. Relying on your fingerprints to secure a device may be okay for casual security, but you shouldn’t depend upon it if you have sensitive data you wish to protect,” said Graham Cluley, a security expert.
Mr Zhang told Forbes magazine that updating from Android 5.0 or older versions should remove the vulnerabilities.