Fingerprint Data Is Laughably Easy to Duplicate on Android Devices

Despite looming security concerns, biometric security continues to be adopted as the primary form of authentication on mobile phones, even though Google’s Android partners remain incapable of protecting biometric information.

Security firm FireEye has taken it upon itself to present and expose such failures in the Samsung Galaxy S5 and other undisclosed Android devices at the RSA conference. In their effort to contain and encrypt the data into a separate safe zone, the affected smartphone manufacturers have overlooked a glaring loophole that makes it possible to fetch the biometric data before it even reaches the safe zone. In turn, copies of an individual’s fingerprints can be created for further attacks.

A Straightforward Hack

According to Tao Wei and Yulong Zhang from FireEye, the security breach is surprisingly straightforward in approach. Instead of trying to break into the safe zone, a hacker can simply gather incoming data from the fingerprint sensor of an Android device. Anyone with user-level access and the know-how of running a program as root can easily collect fingerprint data from the affected Android smartphones. Hackers wouldn’t need to go as deep on the Samsung Galaxy S5, however, as the malware only requires system-level access.

The Emergence of Biometrics

In addition to Samsung’s devices, Apple’s TouchID is among the most common forms of biometrics. Ironically, it was easily cracked by a group of German hackers within days of its release. Microsoft is also planning to support a range of biometric alternatives for its upcoming Windows 10 operating system. The software giant is currently working with security researchers in order to test and improve its ocular login technology for Windows 10.

According to Wei and Zhang, the security breach is not present on Android 5.0 Lollipop or above, therefore users are advised to upgrade their Android devices as early as possible. It is not yet known whether all Android phones below 5.0 with fingerprint authentication are vulnerable to the hack, but it’s likely that the issue isn’t just limited to Samsung’s smartphone.

  • Touch ID wasn’t really “cracked” as in the fingerprint cannot be retrieved from the device. What was mentioned as a “crack” was that they used a fake finger, with prints acquired from some other source not from the iPhone, to unlock the device. The fingerprint data residing on your iPhone is still untouchable.

    • Pointless excuse. Why would you need to retrieve the fingerprint from the device when you’ve already gained access to the system? It’s like a burglar looking for the house keys *after* he’s broken into the house. They were able to spoof the system using a fake finger, hence it was “cracked”. Period.

      • did you even read my comment? You do know that all fingerprint sensors can be spoofed with a fake finger? You can’t break in to the house unless you have the key (i.e. the fingerprint, on a real finger or fake). And the iPhone is not giving away its keys, you have to get it from somewhere else!

        • That’s not true. If Apple wanted, they could have made software enhancements to make Touch ID really secure, like they claimed in their press release. Samsung did it with their facial recognition technology on their phones, so you cannot open it with your picture but only your real face. Microsoft Hello does something similar on Windows 10 using IR, and Intel’s RealSense camera uses multiple cameras. Just adding a PIN+fingerprint combination for two factor authentication would have been enough to prevent access to your device. But being hacked a day after release is truly shameful for a company like Apple. And yet, the issue has still not been fixed with the iPhone 6. That’s like a slap to their customers face and saying we don’t care about your security.

          • First of all lets be clear that writing a lengthy comment doesn’t strengthen your argument. I can do the same, trust me.

            Secondly you do know that preparing a fake finger to “crack” Touch ID requires a level of expertise and resources that only a handful of people in all of the world can do.

            Now as for the “fix” for the “crack” have we established that there is nothing wrong with the hardware? And that it is the basics of fingerprint sensors that they can be spoofed with a fake finger. And just to be clear by fake fingers we mean that a living finger with a fake print on. You still can’t use a dead or plastic finger to authorize.

            As for the software side A) whatever Apple claims is true. Since notable hackers have already verified the claims and none of them has been able to crack it from the software.

            B) Are you seriously suggesting two factor authentication for unlocking your device? The point of biometric verification is to make securing you device easier, not more complicated and impractical to use. Touch ID works very well and is helping people better secure their device without comprising functionality. The only problem is that only Apple has a biometric system as simple, secure and elegant as Touch ID. Way before anybody else did, and as usual they led the market on biometrics, and now that the market is finally catching up their systems are “laughably” insecure. And you’re unable to handle the facts and being jealous. Deal with it.

            (there, a long comment and believe me I can go on)

  • Ltd feature videos

    Watch more at LTD