Last week we reported that the fingerprint scanner in the Samsung Galaxy S5 could be easily fooled, allowing anyone with some basic materials and a little time access to your PayPal account. That was bad enough, but now researchers have discovered another flaw in the system that is potentially even more frightening.
Researchers from the security firm FireEye have discovered that the Galaxy S5 and “other unnamed Android devices” make it possible for your biometric data to be hijacked, Forbes reports.
As users’ fingerprints are valuable information (unlike a password, a fingerprint cannot be changed once it leaks) and should be treated as such, Samsung and other phone makers keep this data in a secure, isolated area of the device. This much is working as intended. The problem is that it is possible to hijack the biometric data directly from the fingerprint sensor before it ever reaches this secure zone.
On most phones, hackers need to gain user-level access and then escalate to root — the most privileged account on the device — before they can reach this data. On the Galaxy S5, however, system-level access alone is enough.
If an attacker can manage to access the core of the Android operating system, known as the kernel, they can access the fingerprint sensor. “Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” FireEye researcher Yulong Zhang told Forbes. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
FireEye has contacted Samsung, but hasn’t yet heard back from the company regarding updates addressing the issue. There is some good news, however: no phone running Android 5.0 Lollipop is susceptible to this problem. While not every Galaxy S5 owner has Lollipop available to them yet, updates are currently rolling out worldwide.
If you own a Galaxy S5 and want to avoid this vulnerability, it is worth updating to Lollipop as soon as it becomes available to you.