Android fingerprint scanners are insecure

Hackers can steal fingerprint data on a large scale through insecure Android phones, researchers claim, saying that vendors shipping phones with fingerprint sensors do not lock the sensors down well enough.

FireEye researchers Tao Wei and Yulong Zhang are singling out Samsung Galaxy S5 and HTC One Max as the most vulnerable examples, and are set to announce new research during the Black Hat conference in Las Vegas on Wednesday.

They have also added other smartphones from Huawei and HTC to the list, and have stressed that even though it might not be a big issue today, in five years’ time, it will be.

By 2019, it is believed that at least half of all smartphone shipments will have a fingerprint sensor, which is where the real issue lies.

Of the four attacks outlined by the researchers, one in particular -- dubbed the "fingerprint sensor spying attack" -- can "remotely harvest fingerprints in a large scale," Zhang told ZDNet by email.

"In this attack, victims' fingerprint data directly fall into attacker's hand. For the rest of the victim's life, the attacker can keep using the fingerprint data to do other malicious things," Zhang said.

Affected vendors have since provided patches after being alerted by the researchers.

Zhang did not say which vendor was least secure, but he did say that Apple is "quite secure", as it encrypts fingerprint data coming from the scanner.

"Even if the attacker can directly read the sensor, without obtaining the crypto key, [the attacker] still cannot get the fingerprint image," he said.