Fingerprint scanners are usually dubbed as the future of mobile security and an alternative to pattern and password combinations. However, experts from security firm FireEye have reportedly discovered that said systems may not be as secure as initially thought.
They've come to this conclusion after a number of Android handsets, including the Samsung Galaxy S5, were said to be "leaking" fingerprint impressions. They also indicated that hackers may have been utilizing innovative ways of stealing fingerprints, including the use of the seemingly mundane Gummy Bear snack.
Samsung Galaxy S5 at risk
According to a recent report published by The Register, smartphone users who use certain devices with a fingerprint scanner are at risk of having their fingerprints stolen. That could potentially lead to financial and mobile transactions taking place without the owner's approval.
FireEye's Tao Wei and Yulong Zhang say that they have identified a way by which cyber attackers obtain users' fingerprint information whenever a fingerprint is being scanned on a mobile device. The security experts said that this detrimental process works by intercepting a person’s biometric data after it is detected by a built-in scanner, but before it becomes encrypted. Wei and Zhang are expected to detail their findings at the upcoming RSA 2015 Conference in San Francisco this week.
The pair told Forbes that the security flaw manifests in older Android OS versions, possibly up to Android 4.4 KitKat. However, devices running Android 5.0 or newer are not vulnerable and the experts are advising users of older models to update as soon as they can.
Gummy bears can be used to steal fingerprints
PhoneArena explained that hackers could post a fake lockscreen on a phone and, while owners think they are using their fingerprint to unlock it, the hacker could actually be stealing a copy of their fingerprint for future use. Zhang told journalist Thomas Brewster that every time the handset's owner touches the fingerprint sensor, their print can be stolen.
What's scary about this method is that fingerprints can be lifted from smooth surfaces like a touchscreen or glass. Prints can even be extracted from photos of people waving their hand. Smooth, gelatin-based materials such as gummy bears can also be used to trick scanners into accepting counterfeit fingerprints.
The idea behind this "gummy bear hack" originated with research led by Tsutomu Matsumoto, a Japanese cryptographer, who worked on it back in 2002. The study described a "gummy bear hack" as an attempt to fool a biometric fingerprint scanner through the use of a gelatin-based candy to hold a fingerprint.
Samsung is currently investigating the FireEye researchers' claims but has yet to give a reaction on the issue, according to The Register. Meanwhile, it appears that Samsung's rival Apple is also plagued with concerns about its own TouchID fingerprint system for the iPhone.