Hackers could steal Android users’ fingerprints: HTC and Samsung comment

You would think that using your fingerprint to unlock your smartphone is as secure as it gets, but that’s not always the case. If you’re using an Android phone you might want to pay attention to this one.

FireEye researchers Tao Wei and Yulong Zhang demonstrated at the Black Hat conference how hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a “large scale.”

Updated on 08-11-2015 by Robert Nazarian: Added in comments from HTC, Samsung, and Yulong Zhang.

We reached out to both HTC and Samsung to confirm patches were issued for both the HTC One Max and Galaxy S5. We also asked Samsung if the Galaxy S6, Galaxy S6 Edge, or any other devices have the same vulnerability.

Based on the following comment from HTC, we feel confident that all carrier versions of the One Max were patched:

“HTC is aware of the FireEye report on fingerprint scanner security. We have already addressed the issue for the HTC One Max in all regions, and it doesn’t affect any other HTC devices. As always, HTC takes security issues very seriously and makes it a top priority.”

Samsung’s comment makes no mention of a patch update, but does indicate that all Galaxy S5 phones are safe:

“Samsung takes fingerprint security very seriously, and we are aware of FireEye’s report on a vulnerability with the fingerprint sensor. After a thorough review with FireEye, it was found that all Galaxy S5 users’ data remain safe.”

Unfortunately, Samsung didn’t mention the status of the Galaxy S6, Galaxy S6 Edge, or any other phones that have fingerprint sensors. We have reached out to the company again, and we will update this post when we hear back.

We also contacted Yulong Zhang and asked him whether the Galaxy S6, Galaxy S6 Edge, or any other phones might be vulnerable to the Fingerprint Sensor Spying Attack. Unfortunately, he could not provide insight into whether it impacts other devices.

Zhang reiterated that the iPhone isn’t vulnerable since the fingerprint data is encrypted. Apple purchased AuthenTec in 2012, which provides the fingerprint sensors for the iPhone. Apple’s ownership of the company makes it easier to control the security, whereas Samsung and other Android manufacturers are at the mercy of third-party hardware companies.

HTC’s and Samsung’s fix involves locking down the fingerprint sensors, but the data remains unencrypted because of hardware limitations. Android manufacturers will likely be able to secure hardware that allows them to encrypt fingerprint data in the future.

Despite all this negativity surrounding fingerprint sensors, Zhang still feels that using them is the best way to secure phones and tablets. Fingerprints can’t be guessed, but passwords can, especially for those who use simple PIN codes like 1234.

What is the Fingerprint Sensor Spying Attack?

The “Fingerprint Sensor Spying Attack” works with Samsung, HTC, and Huawei phones. According to Wei and Zhang, some manufacturers fail to lock down the fingerprint sensor. Apparently, some sensors are guarded only by system-level privileges instead of root, which makes them easier to hack into. Most security-related software requires root access, making it more complicated for hackers to thwart.

It wasn’t explained how the hacker actually gains access to the fingerprint sensor itself, but the attacker can continue to read fingerprints for the life of the phone once the attack is in place.

The researchers also showed, through a different attack called the “Confused Authorization Attack,” how a hacker could provide a fake lock screen that would actually enable a money transfer in the background once a fingerprint is accepted. The report didn’t indicate whether any current phones are actually vulnerable to this type of attack, though.

A stolen fingerprint could be very serious, since fingerprints are used not only to unlock the device but also to make mobile payments and banking transactions. Fingerprints are also tied to you personally and obviously cannot be altered or changed.

It’s not clear how panicked you need to be on this one. Wei and Zhang demoed the Fingerprint Sensor Spying Attack on the older Samsung Galaxy S5 and HTC One Max, but didn’t mention if the newer Galaxy S6 or Galaxy S6 Edge has the same vulnerability. Furthermore, the report indicates that both Samsung and HTC issued patches after being notified about the vulnerability.

Now, if you happen to be an iPhone user, you will be happy to know that Apple does a better job at encrypting the fingerprint data from the scanner. The good news is that Google is implementing fingerprint security support in Android M, so it’s likely to be more secure on all Android phones moving forward. Speaking of that, Wei and Zhang recommend that consumers always buy the latest phones with the latest software for better protection.
