The Galaxy S5, which supports wireless charging but only with an additional accessory
The Galaxy S5, which supports wireless charging but only with an additional accessory

Samsung Galaxy S5 flaw allows hackers to clone fingerprints

Researchers explained that hackers would be able to access phones at any time if they had access to data of the user's fingerprint

Jamie Campbell
Sunday 26 April 2015 16:15
comments

Biometric information has long been touted as the solution to the ever-fallible password, but new research has shown that it may not be as safe as generally assumed.

Hackers may be able to clone fingerprints and gain access to phones such as the Samsung Galaxy S5’s software, according to cyber-security company FireEye.

It is possible to steal biometric date, essentially the fingerprint, before it reaches a segmented and encrypted “safe zone” and create copies of people’s fingerprints for further attacks on their phone, Tao Wei and Yulong Zhang claim.

The researchers say that any hacker who can acquire user-level access and run a program as a root, the lowest level of access on computers and smartphones, could collect fingerprint information from affected Android phones.

The Samsung Galaxy S5, they said, would be a particularly tempting target as malware needs only system-level access.

Speaking to Forbes, Zhang said: “If the attacker can break the kernel (the core of the Android operating system), although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time.

“Every time you touch the fingerprint sensor, the attacker can steal your fingerprint.”

He said that once the attacker had acquired the fingerprint, they could then do “whatever they want” with the phone.

These claims will add to security concerns surrounding biometrics, set to become the standard form of authentication for mobile devices.

Apple’s Touch ID was broken into by a Berlin hacker group known as the Chaos Computer Club in 2013.

In video posted to YouTube they showed how they could register an index finger on the phone and then, by covering the same hand’s middle finger with a piece of latex with the spoofed index finger print, access the phone in seconds.

Wei and Zhang said that all Android phones below the 5.0 operating system with fingerprint authentication were affected.

Though they said that their testing had not gone beyond testing Android devices, they said that the issue was likely to be more widespread.

Other Android devices that use fingerprint sensors include the HTC One Max, the Motorola Atrix, the Samsung Galaxy Note 4 and Edge, the Galaxy S6 and the Huawei Ascend Mate 7.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments