Despite looming security concerns, biometric security continues to be adopted as the primary form of authentication on mobile phones, even though Google’s Android partners remain incapable of protecting biometric information.
Security firm FireEye has taken it upon itself to present and expose such failures in the Samsung Galaxy S5 and other undisclosed Android devices at the RSA conference. In their effort to contain and encrypt the data into a separate safe zone, the affected smartphone manufacturers have overlooked a glaring loophole that makes it possible to fetch the biometric data before it even reaches the safe zone. In turn, copies of an individual’s fingerprints can be created for further attacks.
According to Tao Wei and Yulong Zhang from FireEye, the security breach is surprisingly straightforward in approach. Instead of trying to break into the safe zone, a hacker can simply gather incoming data from the fingerprint sensor of an Android device. Anyone with user-level access and the know-how of running a program as root can easily collect fingerprint data from the affected Android smartphones. Hackers wouldn’t need to go as deep on the Samsung Galaxy S5, however, as the malware only requires system-level access.
In addition to Samsung’s devices, Apple’s TouchID is among the most common forms of biometrics. Ironically, it was easily cracked by a group of German hackers within days of its release. Microsoft is also planning to support a range of biometric alternatives for its upcoming Windows 10 operating system. The software giant is currently working with security researchers in order to test and improve its ocular login technology for Windows 10.
According to Wei and Zhang, the security breach is not present on Android 5.0 Lollipop or above, therefore users are advised to upgrade their Android devices as early as possible. It is not yet known whether all Android phones below 5.0 with fingerprint authentication are vulnerable to the hack, but it’s likely that the issue isn’t just limited to Samsung’s smartphone.
