Researchers from FireEye have revealed that it is possible to attack Android smartphones to remotely steal users' fingerprints on a "large scale."
Security experts have repeatedly expressed concern about the way major mobile vendors manage fingerprints. Hackers have shown that they can exploit vulnerabilities in the systems that manage fingerprints in order to bypass authentication mechanisms. In April 2015, a group of security researchers from FireEye discovered a vulnerability in the Samsung Galaxy S5 that allows hackers to clone fingerprints.
Now FireEye security experts have discovered four new ways to hack Android devices and extract user fingerprints remotely. The researchers Tao Wei and Zhang Yulong presented the results of their study in a talk titled "Fingerprints on Mobile Devices: Abusing and Leaking" at the Black Hat conference last week.
The techniques are very insidious because the victim may not notice the theft of their fingerprints. The researchers dubbed the attack the "fingerprint sensor spying attack"; it could allow hackers to "remotely harvest fingerprints on a large scale" from devices made by the main manufacturers, such as HTC, Samsung and Huawei.
The experts declined to provide any "proof of concept" for obvious reasons. The attack targets Android devices equipped with fingerprint sensors that allow users to authenticate by simply touching the screen of their smartphone. Note that Google does not yet officially support fingerprint-based authentication in its mobile operating system, but the company will soon implement support in the next version, Android M.
The researchers tested their attack on the HTC One Max and Samsung's Galaxy S5 and managed to steal a fingerprint image from the device, due to the lack of a properly implemented locking mechanism for the fingerprint sensor.
I have explained several times the risks arising from the improper implementation of biometric authentication: the theft of biometric data such as fingerprints would be more dangerous than the theft of a password. Compromised users can reset their password, but cannot change their fingerprints or iris in case of a data breach.
"In this attack, victims' fingerprint data falls into the hands of the attackers. For the rest of the victim's life, the attacker can still use the fingerprint data for other harmful things," said Zhang. The security problem discovered is quite easy to solve, for example by encrypting fingerprint data on Android devices, and a number of vendors are already working on a security update.
The measure has already been adopted by Apple's iOS, which encrypts the data acquired by the Touch ID sensor. The experts explained that Apple's iOS is "fairly secure" because the fingerprint scanner encrypts data with an encryption key, making it unreadable even if hackers gain access.





