Your fingerprint is a more valuable security resource than your password — you can change a password, after all. So it’s worrying to hear that Samsung’s Galaxy S5 contains a vulnerability that could leave your fingerprint wide open for hackers to clone.
Forbes reports that security researchers at FireEye have found that the Samsung’s Galaxy S5 — and some “other unnamed Android devices” — fail to properly protect your fingerprint. Prints are held in an encrypted file on the phone, but FireEye researchers claim it can be intercepted before it arrives there, allowing it to be cloned and used for future attacks. Forbes explains just how straightforward the attack is:
[A]n attacker could focus on collecting data coming from the Android devices’ fingerprint sensors rather than trying to break into the trusted zone… Any hacker who can acquire user-level access and can run a program as root, the lowest level of access on computers and smartphones, can easily collect fingerprint information from the affected Android phones… On the Samsung Galaxy S5, they wouldn’t need to go as deep, with malware needing only system-level access.
The team behind the research presented their findings at the RSA Conference yesterday. Ahead of the presentation they informed Samsung of the vulnerability, but no updates have yet been announced. The hack doesn’t work on on Android 5.0 Lollipop or above — so it would pay to update your OS as soon as possible. [Forbes]