You may not be the only one swiping fingerprints on your Galaxy S5. Criminals could be doing it, too, and without your knowledge.
Researchers at FireEye discovered a serious flaw in some Androidphones — not just the Galaxy S5, though other affected models weren’t named. While fingerprint data is locked away in Android’s trusted storage area, the biometric scanner itself is exposed. With the right access, a criminal can perform a man-in-the-middle attack and siphon off scans while they’re in transit.
Resident malware does the dirty work silently in the background. Once criminals have acquired those tasty bits, “you can generate the image of [the] fingerprint,” Yulong Zhang explained. He added “after that you can do whatever you want.”
Scary, right? It would be, if not for a few important caveats. First, this particular flaw was fixed in Android 5.0. Most new devices are shipping with Lollipop pre-installed, and it’s been rolling out to more older devices lately. If your carrier has already updated your handset, you’re good.
Second, FireEye’s researchers say that an attacker needs to be able to “break the kernel” in order to gain the required access to a phone’s fingerprint scanner. Unless you’ve rooted your device, you probably aren’t in harm’s way when it comes to this particular exploit.
That malware would also have to find its way onto your phone somehow, and if you’re only installing apps from the Play Store the chances of that happening are pretty slim. Samsung is, nevertheless, investigating FireEye’s claims.
As worrisome as this exploit is, it’s much scarier to think that someone with access to the right lab equipment can reproduce your fingerprint with nothing more than a photo they found on the Internet.
Comments
Post a Comment