Over a year ago I wrote an article on The Hacker News that warned of serious security concerns created by the iPhone and Android's Fingerprint authentication.
Till now hackers were impersonated simply by lifting prints off the side of a phone and gaining unauthorized access to user's phone and thus data.
However, security researchers have now discovered four new ways to attack Android devices to extract user fingerprints remotely without letting the user know about it.
The attack, which the researchers dubbed the "Fingerprint Sensor Spying attack," could be used by hackers to "remotely harvest fingerprints in a large scale," Yulong Zhang, one of the researchers told ZDNet.
Remotely Hacking Android Fingerprints
FireEye researchers Tao Wei and Yulong Zhang presented their research in a talk titled, Fingerprints on Mobile Devices: Abusing and Leaking, at the Black Hat conference in Las Vegas on Wednesday, where they outlined new ways to attack Android devices in an effort to extract user fingerprints.
The new attack is limited mostly to Android devices with Fingerprint Sensors that helps the user to authenticate their identity by simply touching their phone's screen, instead of by entering a passcode.
Researchers confirmed the attack on the HTC One Max and Samsung's Galaxy S5, which allowed them to stealthily obtain a fingerprint image from the device because vendors don't lock down fingerprint sensors well enough.
The attack affects mobile phones by major manufacturers including handsets delivered by Samsung, HTC, and Huawei.
Fingerprints vs. Passwords
If we give a thought, then stolen fingerprints would be an even worse scenario than stolen passwords because you can change your passwords when breached but not just replace your fingerprints.
"In this attack, victims' fingerprint data directly fall into attacker's hand. For the rest of the victim's life, the attacker can keep using the fingerprint data to do other malicious things," said Zhang.
The good news is that the issue is relatively easy to fix by adding encryption to the fingerprint data on Android devices, and affected vendors have since released patches after being alerted by the researchers.
Researchers have not shared any "proof-of-concept" detailing exactly how the fingerprint stealing attack can be executed remotely.
Researchers have not shared any "proof-of-concept" detailing exactly how the fingerprint stealing attack can be executed remotely.
Meanwhile Apple users can just sit and relax, as it appears that iPhone and iPad's Touch ID is "quite secure" because it encrypts fingerprint data from the scanner with a crypto key, making it unreadable even if hackers gain access.
Users need to note that Google doesn't yet officially support fingerprints in its mobile operating system, but it will soon do support fingerprint sensors with the Android M update.