Despite Samsung’s efforts to isolate and encrypt biometric data in a separate secure zone, security firm FireEye has revealed a recent flaw related to the fingerprint sensor embedded in the Samsung Galaxy that would allow hackers to duplicate the user’s fingerprints, according to Forbes.
The claim was made by Tao Wei and Yulong Zhang, both of FireEye. They said it is entirely possible for hackers to acquire the data before it is sent to the protected area and clone the user’s fingerprints, which would in turn lead to further attacks.
The issue is fairly straightforward: instead of trying to break into the protected area, an attacker could concentrate on collecting the data coming in from the Samsung Galaxy S5’s fingerprint sensor. Wei and Zhang are expected to reveal more on this finding, but any hacker who can acquire user-level access and can run a program as root, the lowest level of access on computers and smartphones, can easily collect fingerprint information from the affected phones, the researchers said. However, one of the researchers said that malware only needs system-level access, and would not need to go as deep.
The Samsung Galaxy S5 is not the only phone affected by this flaw as the researchers have also identified other devices such as the Android.
“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Zhang told FORBES. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
Wei and Zhang said they had both contacted Samsung over the issue, but have yet to receive feedback on any updates for users. However, the flaw is not present in Android 5.0 Lollipop or above, so users should upgrade where they can, Wei and Zhang added.
“Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims,” a Samsung spokesperson said in an email to FORBES.
According to FireEye, not all phones have been tested; the firm expects the issue to be more widespread than just Samsung’s phone, but stopped short of saying so with certainty.
“We only tested a limited number of devices. While we expect the issue is more widespread, we are not sure,” a spokesperson for FireEye said in an email to FORBES.