FireEye Says Hackers Can Swipe Fingerprints from Samsung Galaxy S5

While smartphone companies are touting fingerprint-based authentication as a great way for users to keep their devices and payment data secure, that technology is not as hacker-proof as many people believe. That's one of the takeaways that researchers at the cybersecurity firm FireEye plan to offer in a presentation set for Friday at the RSA Conference in San Francisco.

Senior Software Research Engineer Yulong Zhang and Senior Manager of Research Tao Wei expect to describe their research in a talk titled, "To Swipe or Not to Swipe: A Challenge for Your Fingers." A PDF version of their presentation shows that -- using the Samsung Galaxy S5 as an example -- they will cover three types of fingerprint-based security vulnerabilities: confused authorization attacks; rooted kernel in normal world; and TrustZone security flaws.

Zhang and Wei also offer security advice for both device users and makers. They advise consumers to choose mobile devices whose vendors offer regular updates and patches to their operating systems, and recommend that mobile phone vendors and system developers do more to improve their security designs.

Stealing Fingerprints Straight from the Sensor

Speaking to Forbes earlier this week, Zhang said the Android vulnerabilities he and Wei found on the Samsung Galaxy S5 could allow a hacker to read a user's fingerprint data through malware that requires only system-level -- rather than the more protected user-level -- access.

"If the attacker can break the kernel (source code that controls the device's hardware), although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time," Zhang told Forbes. "Every time you touch the fingerprint sensor, the attacker can steal your fingerprint. You can get the data and from the data you can generate the image of your fingerprint. After that you can...

Comments are closed.