Skip to main content

Hackers could steal Android users’ fingerprints: HTC and Samsung comment

hackers can steal fingerprints android phones version 1438953211 fingerprint shutterstock 103378850
Shutterstock / Maksim Kabakou
You would think that using your fingerprint to unlock your smartphone is as secure as it gets, but that’s not always the case. If you’re using an Android phone you might want to pay attention to this one.

FireEye researchers Tao Wei and Yulong Zhang demonstrated at the Black Hat conference how hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a “large scale.”

Related Videos

Updated on 08-11-2015 by Robert Nazarian: Added in comments from HTC, Samsung, and Yulong Zhang.

We reached out to both HTC and Samsung to confirm patches were issued for both the HTC One Max and Galaxy S5. We also asked Samsung if the Galaxy S6, Galaxy S6 Edge, or any other devices have the same vulnerability.

“We have already addressed the issue for the HTC One Max, and it doesn’t affect any other HTC devices.”

Based on the following comment from HTC, we feel confident that all carrier versions of the One Max were patched:

“HTC is aware of the FireEye report on fingerprint scanner security. We have already addressed the issue for the HTC One Max in all regions, and it doesn’t affect any other HTC devices. As always, HTC takes security issues very seriously and makes it a top priority.”

Samsung’s comment makes no mention about a patch update, but does indicate that all Galaxy S5 phones are safe:

“Samsung takes fingerprint security very seriously, and we are aware of FireEye’s report on a vulnerability with the fingerprint sensor. After a thorough review with FireEye, it was found that all Galaxy S5 users’ data remain safe.”

Unfortunately, Samsung didn’t mention the status of the Galaxy S6, Galaxy S6 Edge, or any other phones that have fingerprint sensors. We have reached out to the company again, and we will update this post when we hear back.

“After a thorough review with FireEye, it was found that all Galaxy S5 users’ data remain safe.”

We also contacted Yulong Zhang and asked him about the Galaxy S6, Galaxy S6 Edge, or any other phones that might be vulnerable to the Fingerprint Sensor Security Attack. Unfortunately, he could not provide insight into whether it impacts other devices.

Zhang reiterated the iPhone isn’t vulnerable since the fingerprint data is encrypted. Apple purchased AuthenTec in 2012, which provides the fingerprint sensors for the iPhone. Apple’s ownership in the company makes it easier to control the security, whereas Samsung and other Android manufacturers are at the mercy of third-party hardware companies.

HTC’s and Samsung’s fix involves locking down the fingerprint sensors, but the data remains unencrypted because of hardware limitations. Android manufacturers will likely be able to secure hardware that allows them to encrypt fingerprint data in the future.

With all this negativity surrounding fingerprint sensors, Zhang still feels that using them the best way to secure phones and tablets. Fingerprints can’t be guessed, but passwords can, especially for those that use simple PIN codes like 1234.

What is the Fingerprint Sensor Spying Attack?

The “Fingerprint Sensor Spying Attack” works with Samsung, HTC, and Huawei phones. According to Wei and Zhang, some manufacturers fail to lock down the fingerprint sensor. Apparently some are only guarded by system-level privileges instead of root, which makes it easier to hack into. Most security-related software requires root access, making it more complicated for hackers to thwart.

It wasn’t explained how the hacker actually gains access to the fingerprint sensor itself, but the attacker can continue to read fingerprints for the life of the phone once the attack is in place.

It was also shown that through a different attack, “Confused Authorization Attack,” how a hacker could provide a fake lock screen that would actually enable a money transfer in the background once a fingerprint is accepted. The report didn’t indicate if any current phones are actually vulnerable to this type of attack though.

Obtaining a fingerprint could be very serious since they are not only used to unlock the device, but also used to make mobile payments and banking transactions. Fingerprints are also tied to you personally and obviously cannot be altered or changed.

It’s not clear how panicked you need to be on this one. Wei and Zhang demoed the Fingerprint Sensor Spying Attack on the older Samsung Galaxy S5 and HTC One Max, but didn’t mention if the newer Galaxy S6 or Galaxy S6 Edge has the same vulnerability. Furthermore, the report indicates that both Samsung and HTC issued patches after being notified about the vulnerability.

Now, if you happen to be an iPhone user, you will be happy to know that Apple does a better job at encrypting the fingerprint data from the scanner. The good news is that Google is implementing fingerprint security support in Android M, so it’s likely to be more secure on all Android phones moving forward. Speaking of that, Wei and Zhang recommend that consumers always buy the latest phones with the latest software for better protection.

Editors' Recommendations

Apple finally makes it harder to stalk Android users with its new Tracker Detect app
Apple Airtag in different polyurethane and leather key rings and loops

Apple has announced and released a new AirTags tracker app for Android called Tracker Detect. This has been done to resolve one of the privacy issues inadvertently introduced with AirTags earlier this year -- the ability to track someone without their knowledge. Once it was installed and a scan was initiated, the app was able to highlight unknown AirTag trackers nearby, essentially revealing the location of strangers and opening the door for planting an AirTag on someone without their knowledge to keep tabs on them.

AirTags were released earlier in the year as a rival to Tile and other Bluetooth trackers. They leveraged Apple's Find My network to help users track lost items by communicating with a combination of Bluetooth and Ultra Wideband. Unlike Tile trackers, they could also be used to geolocate lost items. However, AirTags also came with an unintended consequence: They could allow people to be tracked without their knowledge by simply tagging their clothes or personal property. Apple users would be protected against it as an iPhone running iOS 15 would be able to detect that an unknown AirTag was found moving with you, but that was not an option for Android devices.

Read more
Samsung’s Galaxy S21 FE could be supported longer than the S21 and S21 Ultra
Samsung Galaxy S21 FE render in purple.

Samsung is thought to be preparing the launch of the Galaxy S21 Fan Edition (FE) in a matter of weeks. Now, a new report from enthusiast site SamMobile says the phone will run Android 12 and One UI 4 out of the box, making it the first new Samsung device to come with the new OS, potentially beating out other members of the S21 series in terms of software support.

While what software version a phone launches with is ordinarily trivial, a few things make this release noteworthy. The S21 FE was first supposed to launch in 2021 with One UI 3 and Android 11 on board, and Samsung offered to deliver three software updates and four years of security updates to the device. Initially, because of the delayed release, Samsung would only have had to update the S21 FE to Android 12, Android 13, and Android 14.

Read more
Samsung’s Android 12 and One UI 4 update comes to the Galaxy Z Flip and Fold 3
One UI 4 and Android 12.

Samsung has made Android 12 and One UI 4 available to the Galaxy Z Flip 3 and Galaxy Z Fold 3 just weeks after releasing the update to the Samsung Galaxy S21 family. The update has dropped first in the company's native Korea, but will likely be making a worldwide rollout in the next week or so.

As with the S21's release that came last month, One UI 4 and Android 12 bring enhanced customization and security features to Z Flip 3 and Z Fold 3 owners. These include a new feature that themes your phone with the color of your wallpaper, customizable emoji, and more. Privacy wise, OneUI 4 owners will now see indicators when their cameras or microphones are in use, preventing apps from accessing those clandestinely.

Read more