Android Fingerprint Readers Are Currently Wide-Open To Hacker Attacks

Currently installed fingerprint scanners are integrated only at the system level, and root access is not needed to reveal prints.

 

While Google, with Android M, is all geared up to give biometric security a boost with native support for fingerprint scanning, researchers have discovered a massive loophole in the current implementation of fingerprint scanning on Android smartphones.

Once exploited, this threat can be used to save fingerprint scans and harvest fingerprint data from a large number of Android devices that already sport the hardware.

Researchers Tao Wei and Yulong Zhang, who discovered the threat, gave a detailed briefing at the Black Hat Conference on Wednesday about how insecure fingerprint readers on Android devices really are.

The researchers outlined different ways in which malware can easily gain access to your fingerprints on Android devices. The most critical attack was the "fingerprint sensor spying attack" in which hackers could remotely lift the fingerprints off an Android device.

The problem exists in the implementation of the fingerprint scanner in the skinned or custom Android software that smartphone manufacturers usually include on these devices. The scanner apparently does not do enough to lock itself down after reading fingerprints.

Malware sneakily installed on your smartphone or tablet (disguised as an app) could easily let the hacker use those system privileges to gain access to the scanner, remotely harvesting scanned fingerprint images from a number of devices without the user having the slightest clue. Again, this technique of harvesting fingerprints works even better when devices are rooted by owners.

The issue here is that, unlike a hacked password, a fingerprint cannot be changed by the user. Once fingerprint data is stolen, the hacker can always use it in other places according to his whims and fancies, putting the owner of the fingerprint at risk.

The best way to avoid this kind of attack, according to the researchers, is to simply avoid downloading untrusted apps. The researchers confirmed that the HTC One Max and the Samsung Galaxy S5 can be hacked, but also commented that it works in the same way for the current range of Android devices. iOS devices with Touch ID are more secure, as the fingerprints are encrypted right off the fingerprint scanner, so even if hackers do get the data, they will not be able to use it without the crypto key, which remains on that module.

More importantly, considering how quickly the Digital India initiative is progressing and how important your biometric data has become, it will be tough to defend your fingerprint if it gets into the wrong hands.

We would suggest that you simply do not use the fingerprint scanner at all until Google solves these issues. After all, you cannot change your fingerprint!
 
