Apr 25, 2024 | Updated: 11:35 AM EDT

No One Is Safe, Yet: Fingerprints Can Be Harvested By Hackers

Aug 10, 2015 02:11 AM EDT

Android users, including those with HTC, Huawei, and Samsung devices, should be wary: Another vulnerability has been exposed, and this time, it’s possibly the worst that hackers can do.

Researchers at FireEye reported that hackers can actually copy fingerprints off of Android devices’ fingerprint sensors. The hackers can then reuse these copies of the fingerprint scans, and the identities they represent, over and over, for whatever security functions they can unlock.

FireEye researchers Yulong Zhang and Tao Wei demonstrated the vulnerability at the Black Hat 2015 conference, held in Las Vegas, Nevada, USA. At the security conference, held August 1 to 6, the FireEye researchers gave a briefing about the methods used in “fingerprint harvesting.” The fingerprint hack, now dubbed the “fingerprint sensor spying attack,” was blamed on the fact that vendors do not encrypt or “fully lock down” the sensors.

The hacks have already been confirmed on Samsung's Galaxy S5, as well as the HTC One Max.

These three brands, Huawei, HTC, and Samsung, were singled out because these are the brands that now ship with fingerprint sensors. By the year 2019, analysts project that fingerprint sensors will be the norm for mobile devices.

On the other hand, Apple enthusiasts may have reason to rejoice: The FireEye researchers have pointed out that for the moment, the iOS devices from Apple remain secure because of the encryption on their fingerprint sensor modules.

After the conference, reports noted that the manufacturers had already been alerted, and that patches were deployed to correct the vulnerability.

Let this be a warning to Android device manufacturers and users alike: Even high-security features such as the fingerprint sensor could be targets of a massive, remote hacking spree.

The researchers also noted that rooting and other methods used to unlock Android’s kernel may increase the vulnerability.

Users should either avoid the function for the moment or avoid rooting their phones. Hopefully the fingerprint sensors will be more secure, straight out of the box, in the future.

Meanwhile, for those who are very conscientious about their devices’ security and encryption, it may be a good idea to consider anti-NSA-secure phones such as the Blackphone or Blackphone 2, instead.
