x PhoneArena is hiring! Reviewer in the USA
  • Hidden picShow menu
  • Home
  • News
  • Gummy Bears can be used by hackers to make a counterfeit fingerprint to fool your scanner

Gummy Bears can be used by hackers to make a counterfeit fingerprint to fool your scanner

Posted: , by Alan F.

Tags :

Gummy Bears can be used by hackers to make a counterfeit fingerprint to fool your scanner
According to a report published on Thursday, smartphone users who employ a device with a fingerprint scanner are in danger of having their fingerprints stolen from their handset. That could lead to financial and other transactions taking place without the approval of a phone's owner. When the user of a phone like the Samsung Galaxy S5 touches the fingerprint scanner, the print is compared to the one stored in the phone to see if there is a match. Yulong Zhang and Tao Wei of security firm FireEye say that they have discovered a way for hackers to obtain a phone user's fingerprint information whenever a fingerprint is being scanned on a handset.

In essence, a hacker could post a fake lock screen on a phone and while the phone owner thinks he is using his fingerprint to unlock the device, the hacker could really be stealing a copy of the user's fingerprint for future use. FireEye's Zhang says that every time the phone's owner touches the fingerprint sensor, his print can be stolen. A Stolen print can be used to authorize a transaction requiring verification, making this a potentially expensive problem.

With more and more handsets employing a fingerprint scanner, this could turn into a major issue. Zhang and Wei are giving a talk on Friday at the RSA Security conference in San Francisco and have released in advance some of the slides that they will use for their presentation. As one of the slides points out, if your password falls into the wrong hands, a new one can be created. But if your fingerprint falls into the wrong hands (so to speak), that is a problem that can last with you for the rest of your life.

The scary thing is that fingerprints can be taken from smooth surfaces like a glass or a touchscreen. Prints can even be extracted from a picture of a person waving his hand. Touch ID can be tricked into accepting counterfeit fingerprints made using Gummi Bears. Considering that Touch ID is an important part of verifying a user's identification when using Apple Pay, this vulnerability will need to be addressed by Apple as well as other companies offering a smartphone with a fingerprint scanner.

Consider a situation where you might think that you are merely swiping your finger on your phone's touchscreen in order to unlock it. In actuality, you might be authorizing the wire transfer of a large sum of money to an account that you are not familiar with. And instead of confusing users in order to get them to mistakenly approve a transaction, some hackers will embed false fingerprints into a user's account so that they can approve an illicit transaction over the unsuspecting victim's handset.

FireEye suggests that users stick to mobile device vendors that update often. Make sure that your phone is updated every time one is offered, and install apps from reliable sources. Lastly, if you are an enterprise or government user, seek out professional help to get protection from such hackers.


source: RSAConference via TheRegister

32 Comments
  • Options
    Close






posted on 23 Apr 2015, 16:46 16

1. hendog4385 (Posts: 5; Member since: 18 Dec 2013)


Good thing I ate all my gummi bears...lol

posted on 23 Apr 2015, 16:48 7

2. greyhulk (Posts: 156; Member since: 30 Jun 2010)


In other news: Hackers can steal your wine glass and use scotch tape to lift your fingerprint and fool your scanner.

Give me a break.

posted on 23 Apr 2015, 21:06

21. gaming64 (unregistered)


That's sci fi B.S.

posted on 23 Apr 2015, 21:52

24. techperson211 (Posts: 1267; Member since: 27 Feb 2014)


Not surprising cause if a phone has finger print scanner the more thieves will get interested in that device, they'll think that it has sensitive information such as credit cards info, bank account info etc.

posted on 23 Apr 2015, 17:01 1

3. Scott93274 (Posts: 5130; Member since: 06 Aug 2013)


Damn gummy bears, they're evil little bastards! I have a co-worker visiting in Europe and he's allegedly going to be bringing me back a bag of those sugar free Haribo gummy bears that absolutely obliterate your digestive track. I haven't figured out what I'm going to do with them just yet, probably offer them to people at work that bug the crap of of me.

posted on 23 Apr 2015, 17:01 3

4. Sauce5 (unregistered)


If (let's just scale up to what all this is practical in terms of) I was a secret agent, the President of the United States or President Putin, a CIA op, a data manager for a server firm, Bill Gates, Edward Snowden, or anyone else someone would want a fingerprint of, what is next.

Let's see. Assuming every one of these high profile people I could be, what would you do with my fingerprint. Well...for starters, you can log into my phone and open the Facebook app to post a silly photo, maybe a whimsical status, which would obviously get deleted from a computer or what not using the same account. Want to steal my account? No big deal, go ahead. Oh noooo, my Facebook was hacked. I'll be sure not to have my security detail or public relations release a statement to my peers and followers that this happened.

Want to take some selfies? Go ahead. Maybe snoop on a few of my photos? Be my guest. You will be surprised at the amount of food pics I take before every meal and will fall in love with the quality of my 16mp camera =)

Want to text one of my friends pretending you're me? Ok. They'll never know. Oh wait...

Gee golly, what else. Hmm, want to browse my calendar or reminders? I'm sure you will find "Deposit $14,000 check that is located in my top drawer in my suite to X Bank using PIN# 30998."

Of which for whatever reason you would like to take a 1 week process in extraction and field operations, finger print lifts, lab work or replacement onto gummy bears, just to get into my phone, then be my guest. Because I guarantee you will find all of my secrets, classifieds, personal info, family accounts, schedule and whereabouts of our next move on ISIS, and whatever else info you are trying to get :)

You are guaranteed in finding all this top secret info and what not because I am not smart enough / my security detail doesn't require me to have a phone designed for all of this, or a phone alone to put this sh*t I would never put on a phone to begin with =)

___

Or maybe I'm a regular Joe Shmo, and you still want to spend countless man hours and preparation/efforts to place my print onto a gummy bear after tracking me down, a regular person, just to get into my phone, be my guest. I'll turn my head and make sure my phone doesn't get Activation Locked by Apple.

posted on 23 Apr 2015, 18:29

11. My1cent (Posts: 370; Member since: 30 Jan 2014)


"Worth the effort?" is much shorter, isn't it? lol

posted on 23 Apr 2015, 19:01

16. lyndon420 (Posts: 4649; Member since: 11 Jul 2012)


Could you rephrase that?

posted on 23 Apr 2015, 17:05

5. palmguy (Posts: 591; Member since: 22 Mar 2011)


Mission Impossible. Cue in song, DA DA dada...

posted on 23 Apr 2015, 17:30 5

6. jellmoo (Posts: 1735; Member since: 31 Oct 2011)


Well, good luck with that. My actual print only works about 40% of the time on my Note 4, I think a gummy bear will take hundreds of attempts for somebody to get my dog pictures and crappy music collection.

posted on 23 Apr 2015, 17:37 3

7. Ordinary (Posts: 2374; Member since: 23 Apr 2015)


I have not yet met a person who touch a gummy bear and doesnt eat it.

posted on 23 Apr 2015, 18:11 2

8. NexusPhan (Posts: 625; Member since: 11 Jul 2013)


You didn't even read the article, did you?

posted on 23 Apr 2015, 18:16

9. My1cent (Posts: 370; Member since: 30 Jan 2014)


So.. we've never met before! lol

posted on 23 Apr 2015, 18:27

10. darkkjedii (Posts: 22443; Member since: 05 Feb 2011)


They still need your phone, keep em safe. Enjoy your tech

posted on 23 Apr 2015, 18:33

12. Derekjeter (Posts: 976; Member since: 27 Oct 2011)


Every hacker that's caught by the police should be shot and killed. One of those a-holes stole my credit info and spent close to $4,000 in 15 minutes. I served 30 days In county for beating up a 19 year old hacker that moved in next door and was stealing everyone's Internet and had already stolen one neighbors credit info. I hope they all die.

posted on 23 Apr 2015, 19:07 1

17. lyndon420 (Posts: 4649; Member since: 11 Jul 2012)


Wow...that's harsh. That happened to me, but I would have been happy with breaking all his ribs so every breath would remind him of how much he f**ked up :)

posted on 23 Apr 2015, 20:53

20. Derekjeter (Posts: 976; Member since: 27 Oct 2011)


I broke a rib, nose, right wrist and i wanted to do that thing where you make him put his mouth on the sidewalk edge and stomp on hes head to break hes jaw, you know like that movie American History X, but my wife stopped me before the cops got there. He was arrested after he was out of the hospital.

posted on 23 Apr 2015, 18:37

13. My1cent (Posts: 370; Member since: 30 Jan 2014)


The most important question is, "Is it worth the effort?"

posted on 23 Apr 2015, 21:08

22. gaming64 (unregistered)


Its worth the stupidity

posted on 23 Apr 2015, 18:45

14. Scott93274 (Posts: 5130; Member since: 06 Aug 2013)


Well, I suppose that it's a good thing that Google opted to go without a finger print scanner on the Nexus 6 after all.

posted on 23 Apr 2015, 18:59

15. joey_sfb (Posts: 6116; Member since: 29 Mar 2012)


I never bother using the finger print on any of my Samsung devices.

I can change my password but not my finger print so its really a security risk if data sensitive or financial services start using them widely.

posted on 24 Apr 2015, 03:39

30. RoboticEngi (Posts: 839; Member since: 03 Dec 2014)


you got 10 fingers. And if they are stolen, you can still use a code. So what is the problem ?

posted on 23 Apr 2015, 19:40

18. romeo1 (Posts: 723; Member since: 06 Jan 2012)


That's the reason i don't want to use any kind of touch pay services. Nfc ok but no payment with my fingerprint.

posted on 23 Apr 2015, 20:30 1

19. azene (unregistered)


thats why sony dont have a smartphone with fingerprint scanner lol

posted on 23 Apr 2015, 21:08 1

23. gaming64 (unregistered)


Does anybody decapitate their gummy bears before eating it? I do! Sorry hackers.

posted on 23 Apr 2015, 22:13

25. MrElectrifyer (Posts: 3411; Member since: 21 Oct 2014)


I'll believe it when I see it. None of the current solutions are practical for a thief unless they get a hold of your device and run away with it, but then you aren't doing any phishy transactions with your fingerprint 'cause your device is gone...

posted on 24 Apr 2015, 00:35 1

26. quakan (Posts: 1385; Member since: 02 Mar 2011)


I knew those gummy bears were up to no good. Stuffed in those bags...looking delicious...trying to tempt us for years. This is the moment they've been waiting for. Only way to stop these sneaky gummy spies is to devour them all. We won't take this without a fight!

posted on 24 Apr 2015, 02:49

27. ShenAlJoker (Posts: 113; Member since: 19 Jul 2013)


Then the hacker need to have our phone with them or a malicious app in our phone in order to do this no?

posted on 24 Apr 2015, 03:24

28. RGreen (Posts: 75; Member since: 06 Jul 2012)


Got to love it

posted on 24 Apr 2015, 03:38

29. RoboticEngi (Posts: 839; Member since: 03 Dec 2014)


First problem with all this. They must put software on a phone they dont have.......

Want to comment? Please login or register.

Latest stories