Researchers point out security issues with fingerprint scanners
08 Aug 2015
Fingerprint scanning though incorporated into devices to enhance security might itself, pose some security issues according to researchers. Researchers Tao Wei and Yulong Zhang from security firm FireEye said they had uncovered four different attacks capable of extracting user fingerprints from Android smartphones.
They also claim it was more vulnerable compared to Touch ID in Apple.
ZDNet reported that the researchers outlined four attacks and the one called fingerprint sensor spying attack was capable of remotely harvesting fingerprints on a large scale.
Smartphones like HTC Max and Samsung Galaxy S5 allowed hackers to steal the fingerprint from an infected device as device makers did not completely lock down the sensor.
The report also pointed out that bigger problems could be caused by some devices that were 'guarded only by system privilege instead of root, which meant a simply rooted device could also be at greater risk.
Vendors had started releasing patches to safeguard devices, but the report did not mention which vendor provided more secure products. The report, however, said the iPhone's fingerprint scanner was more secure than that in Android devices.
The problem was not limited to phones and laptops and other devices could also be vulnerable.
The problem existed in implementation of the fingerprint scanner in the skinned or custom Android software that smartphone manufacturers usually included in these devices.
The scanner apparently, was not being able to properly lock down itself down after reading fingerprints.
Once the malware was installed malware (disguised as an app) on a user's tablet it could easily lead to the hacker accessing system privileges to gain access to the same, and remotely harvest scanned fingerprint images from a number of devices without the user getting to know.
Also this technique of harvesting fingerprints worked even better when devices were rooted by owners.
The issue with fingerprint ID is that unlike a password hack, a user could not change his fingerprint ID, and once fingerprint data was stolen the hacker could always use it to push his plans at the user's expense.
.webp)
