Upgrade to Lollipop or this security flaw could ruin your life

Security researchers at FireEye have uncovered a critical weakness in pre-Lollipop versions of Android that exposes fingerprint readers to hackers, essentially letting them record your fingerprint directly from the scanner. The Galaxy S5 was singled out as the most vulnerable device, but it is unclear exactly how many other Android devices are affected. The key takeaway from this revelation is that once your fingerprint has been hacked, it has been hacked for life.

The Galaxy S5 is particularly susceptible to intercepted fingerprint scans. / © ANDROIDPIT

Where the weakness lies

The stronghold built for storing your fingerprints on the device is not the issue: this remains impenetrable to hackers (at least for now). As you may have guessed in this post-Snowden world, the intercept comes before the fingerprint ever gets to the secure storage area.

Hackers need only install a root-level program to read the data directly from the scanner itself. It's the hacker equivalent of taking the money as it makes its way between the armored truck and the bank rather than from the truck or bank itself. As with all secure systems, the most exposed point of any transaction is the most obvious place to launch an attack. As Yulong Zhang from FireEye explained to Forbes:

"If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint. You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want." - Yulong Zhang, FireEye

A fingerprint is a unique security measure, but if it is hacked, it is hacked for life. / © ANDROIDPIT

FireEye tested a variety of Android devices and found the Galaxy S5 to be particularly susceptible, requiring only system-level access for the exploit. Samsung is looking into the claims, but FireEye is quick to acknowledge that the weak point is not present in Android Lollipop, which the Galaxy S5 is currently running. However, other fingerprint scanner-equipped devices that are yet to make the jump to Android Lollipop are still vulnerable.

This is why you should never use a fingerprint scanner

As FireEye notes, if hackers steal your password you can change it, but if they steal your fingerprint it's a problem for life. In a world where fingerprint verification is gaining traction, protecting your fingerprint suddenly becomes the most serious security risk you're ever likely to encounter. FireEye goes so far as to suggest not using fingerprint scanners at all. If you ever needed a reason to upgrade to Lollipop, this is it.

FireEye will present its findings on the Galaxy S5 and other affected Android devices at the RSA 2015 conference.


  • Tim Apr 26, 2015 Link to comment

    You know it really depends on the angle. Yes biometrics could be considered more secure. They are probably (I am no scientist) harder to brute force and definitely harder to guess. But in terms of your every day person in every day life, a passcode is safer. Biometrics are like a key on your neck. Not only is it always with you, but it's apparent to the people around you that you have it.

    And as you've pointed out, finger prints are the worst culprit, we leave them everywhere.

  • Edit:

    Comment deleted for a reason of posting in the wrong place.

  • I'm 18 since this February and have no credit cards or anything worth the hacker's attention. I just thought that locking my phone with a fingerprint would be cool and none of my friends or normal thieves would be able to open my phone. And I'm gonna continue using this awesome feature on my S5 running good old KitKat :)

    • Yeah, the article is a bit paranoid or rather those FireEye guys are. If I want to take your fingerprint I can do it in many much easier ways, which don't require me being a hacker and reconstructing the fingerprint from raw data (and this assumes me knowing the format of the data, so basically too many problems). You also have many fingers, one compromised means nothing really, and as I said, it's so easy to take fingerprints of anyone, just because we put them everywhere.

      As a regular user, as all of us basically are, you can use this feature just as you did so far with no fear of things expressed in this article.

      • It's much easier to reconstruct a digital copy especially if you can write +distribute it to large number of people then they can sell such data along with other hacked info. We shouldn't be paranoid just careful. If you don't download from dodgy sites etc, change your passwords etc & don't use unsecured wifi to do anything other than general browsing (I'd avoid them altogether) then you should be ok.

    • I believe that the point of the article and investigation done is that if you have been hacked and they have a copy, then they have it for life. At the moment you may not have anything worth stealing but you will have. Bio security is serious, you need to protect yourself.

      • Tim Apr 26, 2015 Link to comment

        A finger print is useless to a hacker. Biometrics are known to be weak. They are meant to identify, not secure. Think of a finger print as a user name, not a password. It has been known since before the technology existed that Biometrics should never be used to secure anything of importance.

      • @Tim

        Such ignorance in this comment. I won't bother going into detail, but I'll say this: security is basically restricting access to something; gaining access to that something is by identifying/verifying whether you have rights to access it. And biometrics is one of the best ways to do that.

      • Tim Apr 26, 2015 Link to comment

        No, please give more details into my ignorance. If you find my post to be ignorant, then you truly are the ignorant one. Biometrics are meant to be an easy identifier. They are meant to work alongside a proper security method. Think of your print as your ID badge, not your building access code.

        It is true that we use it as a passcode for our phones. But, it should be common knowledge that it's not proper security. Your data (if important and private) should still be secured separately.

        The point is you cannot secure biometrics. It's like a key to your house, it makes you feel a little safer, but it's not really protecting against anyone that really wants in. Back to the point: trying to hack or even match a print from a database to a specific target is more difficult than simply grabbing the target in the first place. Biometrics are NOT safe and hacked biometric data is hardly something to fear.

      • @Tim

        I want to apologize. I may have been quick to judge you ignorant. As someone who possesses, let's say, a decent amount of knowledge on the topic, I'm quick to dismiss any opinion that seems uneducated. You're completely wrong except on the account that biometrics can and is sometimes used alongside other methods, but not because it's not secure enough. Also, even if used alone, it may be implemented in the way it needs additional elements, a token of sorts or something similar.

        I appreciate your effort in defending your position, but it seems you formed your opinion on some false sources which resulted in you being misinformed. I suggest, if you care enough, getting some proper sources of info on biometrics and see for yourself why it is used wherever there is a need for high security.

        Cheers mate.

      • Tim Apr 26, 2015 Link to comment

        I love your method of arguing. It's quite impressive. Basically you add zero value with zero support and throw in a pinch of insult. Biometric is known to be one of the weakest security measures. It isn't used to be incredibly secure, it's used to be easy. Any real use of Biometrics is backed by at least one secondary security precaution. Even with more secure types of locks, in the real world, there is usually more than one key required. Because not only can a security method be weak, but so can the people you trust.

        Biometrics ARE weak. And if you're in charge of any sort of corporate security, I worry for the future of that organization.

      • Tim Apr 26, 2015 Link to comment

        Oh and I missed a point you touched on. Why do we use Biometrics? Well I did explain that they're easy, but that's not all. Biometrics add a touch of security to an otherwise already secured setup. For example, picture an e-mail account. In today's world it is possible that a hacker can retrieve a list of e-mails and passwords from a weak site. Now any security expert would tell you to use a different password for all accounts. However, in practice it may not happen. A hacker could then test these to get into your e-mail or linked accounts. However, if you add biometric as a method of IDENTIFYING the user, the hacker will be stopped. This then requires the hacker to not only have your code, but your person (in some way). This is huge in stopping remote attacks, especially those which are my targeted.

        This is where a hacked biometric database could become an issue. If they take your e-mail with the biometric and later find your e-mail and password from a weak site, they could use it all combined to attempt access. Though, this is why you should not use the same password for every site.

      • Hahahaha you really made me smile and laugh :D thank you for that. You partially got me. In real life I'm an arrogant bastard, sometimes here as well :D And if I form some opinion I tend to stick to it and defend it fiercely, until and if proved wrong. So, I basically welcome you to prove me wrong, although you haven't been even close so far. And I really do have some background in biometrics, but not active, that's not my main professional interest. Also I'm lazy, and don't really have time to discuss this too much.

        But, let's say, although I probably will regret it and be dragged in some long ass discussion, humor me and present your high security solution (a single method) and I will, in response, tell you why biometrics (as a single method) is better on all accounts. There is no security solution that can't be improved by biometrics, as you already pointed out in that story with emails, and there is no single security method that is better in any aspect of interest than biometrics. We can, of course (given there are many biometrics that can be used), discuss which biometrics is better than another, and I personally tend to not have high respect for fingerprints, but as a whole: biometrics >> any other security method used for identification/verification.
