Hackers could steal Android users’ fingerprints: HTC and Samsung comment

You would think that using your fingerprint to unlock your smartphone is as secure as it gets, but that’s not always the case. If you’re using an Android phone you might want to pay attention to this one.

FireEye researchers Tao Wei and Yulong Zhang demonstrated at the Black Hat conference how hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a “large scale.”

Updated on 08-11-2015 by Robert Nazarian: Added in comments from HTC, Samsung, and Yulong Zhang.

We reached out to both HTC and Samsung to confirm patches were issued for both the HTC One Max and Galaxy S5. We also asked Samsung if the Galaxy S6, Galaxy S6 Edge, or any other devices have the same vulnerability.

Based on the following comment from HTC, we feel confident that all carrier versions of the One Max were patched:

“HTC is aware of the FireEye report on fingerprint scanner security. We have already addressed the issue for the HTC One Max in all regions, and it doesn’t affect any other HTC devices. As always, HTC takes security issues very seriously and makes it a top priority.”

Samsung’s comment makes no mention of a patch update, but does indicate that all Galaxy S5 phones are safe:

“Samsung takes fingerprint security very seriously, and we are aware of FireEye’s report on a vulnerability with the fingerprint sensor. After a thorough review with FireEye, it was found that all Galaxy S5 users’ data remain safe.”

Unfortunately, Samsung didn’t mention the status of the Galaxy S6, Galaxy S6 Edge, or any other phones that have fingerprint sensors. We have reached out to the company again, and we will update this post when we hear back.

We also contacted Yulong Zhang and asked him about the Galaxy S6, Galaxy S6 Edge, or any other phones that might be vulnerable to the Fingerprint Sensor Security Attack. Unfortunately, he could not provide insight into whether it impacts other devices.

Zhang reiterated the iPhone isn’t vulnerable since the fingerprint data is encrypted. Apple purchased AuthenTec in 2012, which provides the fingerprint sensors for the iPhone. Apple’s ownership in the company makes it easier to control the security, whereas Samsung and other Android manufacturers are at the mercy of third-party hardware companies.

HTC’s and Samsung’s fix involves locking down the fingerprint sensors, but the data remains unencrypted because of hardware limitations. Android manufacturers will likely be able to secure hardware that allows them to encrypt fingerprint data in the future.

With all this negativity surrounding fingerprint sensors, Zhang still feels that using them is the best way to secure phones and tablets. Fingerprints can’t be guessed, but passwords can, especially for those who use simple PIN codes like 1234.

What is the Fingerprint Sensor Spying Attack?

The “Fingerprint Sensor Spying Attack” works with Samsung, HTC, and Huawei phones. According to Wei and Zhang, some manufacturers fail to lock down the fingerprint sensor. Apparently some sensors are guarded only by system-level privileges instead of root, which makes them easier to hack into. Most security-related software requires root access, making it more complicated for hackers to thwart.

It wasn’t explained how the hacker actually gains access to the fingerprint sensor itself, but the attacker can continue to read fingerprints for the life of the phone once the attack is in place.

A different attack, the “Confused Authorization Attack,” was also shown, in which a hacker could provide a fake lock screen that would actually enable a money transfer in the background once a fingerprint is accepted. The report didn’t indicate whether any current phones are actually vulnerable to this type of attack, though.

A hacker obtaining a fingerprint could be very serious, since fingerprints are used not only to unlock the device but also to make mobile payments and banking transactions. Fingerprints are also tied to you personally and obviously cannot be altered or changed.

It’s not clear how panicked you need to be on this one. Wei and Zhang demoed the Fingerprint Sensor Spying Attack on the older Samsung Galaxy S5 and HTC One Max, but didn’t mention if the newer Galaxy S6 or Galaxy S6 Edge has the same vulnerability. Furthermore, the report indicates that both Samsung and HTC issued patches after being notified about the vulnerability.

Now, if you happen to be an iPhone user, you will be happy to know that Apple does a better job at encrypting the fingerprint data from the scanner. The good news is that Google is implementing fingerprint security support in Android M, so it’s likely to be more secure on all Android phones moving forward. Speaking of that, Wei and Zhang recommend that consumers always buy the latest phones with the latest software for better protection.
