We should all be well aware that biometric data is among the most personal and important information we don’t want getting into the wrong hands. That’s why, at this week’s RSA Conference, researchers from security firm FireEye will publicly discuss the state of biometric security. Specifically, after performing a series of tests on the Samsung Galaxy S5 (among other Android devices), these researchers found that hackers have the opportunity to easily access biometric data before it reaches the “secure zone” and create copies for future attacks.
Rather than breaking into the secure zone (where the biometric info is stored) to steal the information, hackers could steal it straight from the fingerprint scanner. To do so, the hacker only needs to acquire user-level access and run a program with root privileges to duplicate the information. The researchers from FireEye say that on the Galaxy S5, the malware only needs system-level access, so hackers wouldn’t need to go as deep.
Yulong Zhang, a representative from FireEye, told Forbes:
“If the attacker can break the kernel, although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint. You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
According to the representatives, this vulnerability is not present on devices running Android 5.0 Lollipop and above, so they urge you to upgrade your device as soon as you can.
A Samsung representative told Forbes:
“Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims.”
Although the researchers claim they have only tested a limited number of Android devices, they expect the issue extends beyond Samsung smartphones.
Odds are, your biometric information will be just fine. But as an added precaution, if you own a device with a fingerprint scanner, you might want to upgrade to Lollipop if it’s available for your device.