The Samsung Galaxy S5 and other ‘unnamed Android devices’ are vulnerable to having the fingerprints they use for authentication cloned by hackers, reports Gizmodo.
According to researchers from FireEye, although Samsung takes steps to encrypt prints stored on the phone, they can be hijacked before they reach the encryption phase. This would allow fingerprints to be cloned and used to break other biometric authentication methods that use your fingerprints, Planet Biometrics explains.
The researchers explained that while any attacker with user-level access and the ability to run programs as root could collect fingerprint information on affected Android handsets, the attack is simpler on the Samsung Galaxy S5, where malware would only require system-level access.
Speaking to Forbes, Yulong Zhang, one of the researchers, explained, “If the attacker can break the kernel, although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint. You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
The flaw is fixed in handsets running Android 5.0 Lollipop and higher, so users are advised to update their system as soon as the new version of Android becomes available.
A Samsung spokesperson told Forbes that they are currently looking into the vulnerability, stating, “Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims.”
Last year it was revealed that the Samsung Galaxy S5 fingerprint scanner could be bypassed with a ‘crude fake fingerprint’ modeled from wood glue and using a photo, as reported by We Live Security.