Skip to main content

Warning: Is the Galaxy S5 leaking your fingerprints?

I'm usually not the paranoid one in a relationship, but the fingerprint scanner on smartphones always used to freak me out.

And now, a pair of researchers from security firm FireEye breathes new life into my paranoia, as they claim hackers can steal your fingerprint data before it gets encrypted in the device.

One of the potentially dangerous devices, ‘leaking’ fingerprints is the Samsung Galaxy S5.

The security researchers have found a way to intercept a person's biometric data after it is captured by the built-in scanner, but before it becomes encrypted.

Tao Wei and Yulong Zhang from FireEye are will discuss their findings at this week's RSA conference in San Francisco. However, the flaw is only present in the older version of the Android operating system, 4.4 KitKat and earlier, so those using Android 5.0 should be safe.

That’s why the duo advises anyone having an older version of Android and a fingerprint scanner on the same device to update as soon as possible, before it’s too late.

The vulnerability means that a hacker can access the kernel, or core, of the Android operating system.

Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset's built-in sensors, including the fingerprint scanner.

“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored int he trusted zone, he can directly read the fingerprint sensor at any time.

"Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Zhang told Forbes. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”

Tom Armstrong, UK Manager at Dashlane, offered the following comment: “On paper, biometrics seems like a great way to secure a device because there’s the assumption that fingerprints can’t be stolen.

"The Samsung Galaxy S5 leak is case and point that this is not true. It can be hacked and the issue is there is no going back - you can’t replace your stolen iris, or in this case, fingerprint.

"The lesson we can learn from this is that biometric authentication, alone, is not fool proof. It should be used as an additional authentication layer, alongside strong or randomly generated passwords that can be changed very quickly in the event of a breach."

Sead Fadilpašić

Sead is a freelance journalist with more than 15 years of experience in writing various types of content, from blogs, whitepapers, and reviews to ebooks, and many more, across sites including Al Jazeera Balkans, TechRadar Pro, IT Pro Portal, and CryptoNews.