Android flaw lets hackers steal our fingerprint data

Another reason not to root your Galaxy S5. Photo: Killian Bell/Cult of Mac

A security research firm has uncovered a flaw in Android that allows hackers to steal copies of our fingerprints from the Galaxy S5, and possibly other devices. Samsung says it is already investigating the issue, which will be demonstrated at the RSA security conference this week.

Yulong Zhang and Tao Wei from FireEye have discovered a way to retrieve identification data from the “trusted zone” in which they are stored and secured on last year’s Galaxy S5. Their method promises to work on all devices running Android 5.0 Lollipop and below.

What’s most concerning is that attackers don’t need to break into that trusted zone to gather fingerprint data; they simply need to intercept it as it is sent from the fingerprint scanner. That can be done using a malicious application installed on a device with root access.

“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time,” Zhang told Forbes.

“Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Zhang told Forbes. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”

FireEye has already been in touch with Samsung regarding the issue, and the South Korean company says it is investigating and takes security “very seriously.”

But Samsung won’t be the only company affected by this if it is a wider Android issue. Manufacturers like HTC, Huawei, and Motorola have all released devices with built-in fingerprint scanners that are thought to be just as vulnerable.

As long as hackers cannot gain access to the trusted zone, however, your fingerprint data should be safe if you do not root your device. Without root access, potentially malicious apps cannot access data from the fingerprint scanner.

If you do root, just be sure you only install apps from trusted sources.

FireEye will present its findings Friday at the RSA security conference in San Francisco.