Gummy Bears can be used by hackers to make a counterfeit fingerprint to fool your scanner

Gummy Bears can be used by hackers to make a counterfeit fingerprint to fool your scanner
According to a report published on Thursday, smartphone users who employ a device with a fingerprint scanner are in danger of having their fingerprints stolen from their handset. That could lead to financial and other transactions taking place without the approval of a phone's owner. When the user of a phone like the Samsung Galaxy S5 touches the fingerprint scanner, the print is compared to the one stored in the phone to see if there is a match. Yulong Zhang and Tao Wei of security firm FireEye say that they have discovered a way for hackers to obtain a phone user's fingerprint information whenever a fingerprint is being scanned on a handset.

In essence, a hacker could post a fake lock screen on a phone and while the phone owner thinks he is using his fingerprint to unlock the device, the hacker could really be stealing a copy of the user's fingerprint for future use. FireEye's Zhang says that every time the phone's owner touches the fingerprint sensor, his print can be stolen. A Stolen print can be used to authorize a transaction requiring verification, making this a potentially expensive problem.

With more and more handsets employing a fingerprint scanner, this could turn into a major issue. Zhang and Wei are giving a talk on Friday at the RSA Security conference in San Francisco and have released in advance some of the slides that they will use for their presentation. As one of the slides points out, if your password falls into the wrong hands, a new one can be created. But if your fingerprint falls into the wrong hands (so to speak), that is a problem that can last with you for the rest of your life.

The scary thing is that fingerprints can be taken from smooth surfaces like a glass or a touchscreen. Prints can even be extracted from a picture of a person waving his hand. Touch ID can be tricked into accepting counterfeit fingerprints made using Gummi Bears. Considering that Touch ID is an important part of verifying a user's identification when using Apple Pay, this vulnerability will need to be addressed by Apple as well as other companies offering a smartphone with a fingerprint scanner.

Consider a situation where you might think that you are merely swiping your finger on your phone's touchscreen in order to unlock it. In actuality, you might be authorizing the wire transfer of a large sum of money to an account that you are not familiar with. And instead of confusing users in order to get them to mistakenly approve a transaction, some hackers will embed false fingerprints into a user's account so that they can approve an illicit transaction over the unsuspecting victim's handset.

FireEye suggests that users stick to mobile device vendors that update often. Make sure that your phone is updated every time one is offered, and install apps from reliable sources. Lastly, if you are an enterprise or government user, seek out professional help to get protection from such hackers.


source: RSAConference via TheRegister

FEATURED VIDEO

29 Comments

1. hendog4385

Posts: 6; Member since: Dec 18, 2013

Good thing I ate all my gummi bears...lol

2. greyhulk

Posts: 184; Member since: Jun 30, 2010

In other news: Hackers can steal your wine glass and use scotch tape to lift your fingerprint and fool your scanner. Give me a break.

21. gaming64 unregistered

That's sci fi B.S.

24. techperson211

Posts: 1280; Member since: Feb 27, 2014

Not surprising cause if a phone has finger print scanner the more thieves will get interested in that device, they'll think that it has sensitive information such as credit cards info, bank account info etc.

3. Scott93274

Posts: 6040; Member since: Aug 06, 2013

Damn gummy bears, they're evil little bastards! I have a co-worker visiting in Europe and he's allegedly going to be bringing me back a bag of those sugar free Haribo gummy bears that absolutely obliterate your digestive track. I haven't figured out what I'm going to do with them just yet, probably offer them to people at work that bug the crap of of me.

4. Sauce5 unregistered

If (let's just scale up to what all this is practical in terms of) I was a secret agent, the President of the United States or President Putin, a CIA op, a data manager for a server firm, Bill Gates, Edward Snowden, or anyone else someone would want a fingerprint of, what is next. Let's see. Assuming every one of these high profile people I could be, what would you do with my fingerprint. Well...for starters, you can log into my phone and open the Facebook app to post a silly photo, maybe a whimsical status, which would obviously get deleted from a computer or what not using the same account. Want to steal my account? No big deal, go ahead. Oh noooo, my Facebook was hacked. I'll be sure not to have my security detail or public relations release a statement to my peers and followers that this happened. Want to take some selfies? Go ahead. Maybe snoop on a few of my photos? Be my guest. You will be surprised at the amount of food pics I take before every meal and will fall in love with the quality of my 16mp camera =) Want to text one of my friends pretending you're me? Ok. They'll never know. Oh wait... Gee golly, what else. Hmm, want to browse my calendar or reminders? I'm sure you will find "Deposit $14,000 check that is located in my top drawer in my suite to X Bank using PIN# 30998." Of which for whatever reason you would like to take a 1 week process in extraction and field operations, finger print lifts, lab work or replacement onto gummy bears, just to get into my phone, then be my guest. Because I guarantee you will find all of my secrets, classifieds, personal info, family accounts, schedule and whereabouts of our next move on ISIS, and whatever else info you are trying to get :) You are guaranteed in finding all this top secret info and what not because I am not smart enough / my security detail doesn't require me to have a phone designed for all of this, or a phone alone to put this sh*t I would never put on a phone to begin with =) ___ Or maybe I'm a regular Joe Shmo, and you still want to spend countless man hours and preparation/efforts to place my print onto a gummy bear after tracking me down, a regular person, just to get into my phone, be my guest. I'll turn my head and make sure my phone doesn't get Activation Locked by Apple.

11. My1cent

Posts: 370; Member since: Jan 30, 2014

"Worth the effort?" is much shorter, isn't it? lol

5. palmguy

Posts: 983; Member since: Mar 22, 2011

Mission Impossible. Cue in song, DA DA dada...

6. jellmoo

Posts: 2625; Member since: Oct 31, 2011

Well, good luck with that. My actual print only works about 40% of the time on my Note 4, I think a gummy bear will take hundreds of attempts for somebody to get my dog pictures and crappy music collection.

7. Ordinary

Posts: 2454; Member since: Apr 23, 2015

I have not yet met a person who touch a gummy bear and doesnt eat it.

8. NexusPhan

Posts: 632; Member since: Jul 11, 2013

You didn't even read the article, did you?

9. My1cent

Posts: 370; Member since: Jan 30, 2014

So.. we've never met before! lol

10. darkkjedii

Posts: 31310; Member since: Feb 05, 2011

They still need your phone, keep em safe. Enjoy your tech

12. Derekjeter

Posts: 1526; Member since: Oct 27, 2011

Every hacker that's caught by the police should be shot and killed. One of those a-holes stole my credit info and spent close to $4,000 in 15 minutes. I served 30 days In county for beating up a 19 year old hacker that moved in next door and was stealing everyone's Internet and had already stolen one neighbors credit info. I hope they all die.

13. My1cent

Posts: 370; Member since: Jan 30, 2014

The most important question is, "Is it worth the effort?"

22. gaming64 unregistered

Its worth the stupidity

14. Scott93274

Posts: 6040; Member since: Aug 06, 2013

Well, I suppose that it's a good thing that Google opted to go without a finger print scanner on the Nexus 6 after all.

15. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

I never bother using the finger print on any of my Samsung devices. I can change my password but not my finger print so its really a security risk if data sensitive or financial services start using them widely.

30. RoboticEngi

Posts: 1251; Member since: Dec 03, 2014

you got 10 fingers. And if they are stolen, you can still use a code. So what is the problem ?

18. romeo1

Posts: 816; Member since: Jan 06, 2012

That's the reason i don't want to use any kind of touch pay services. Nfc ok but no payment with my fingerprint.

19. azene unregistered

thats why sony dont have a smartphone with fingerprint scanner lol

23. gaming64 unregistered

Does anybody decapitate their gummy bears before eating it? I do! Sorry hackers.

25. MrElectrifyer

Posts: 3960; Member since: Oct 21, 2014

I'll believe it when I see it. None of the current solutions are practical for a thief unless they get a hold of your device and run away with it, but then you aren't doing any phishy transactions with your fingerprint 'cause your device is gone...

26. quakan

Posts: 1418; Member since: Mar 02, 2011

I knew those gummy bears were up to no good. Stuffed in those bags...looking delicious...trying to tempt us for years. This is the moment they've been waiting for. Only way to stop these sneaky gummy spies is to devour them all. We won't take this without a fight!

27. ShenAlJoker

Posts: 113; Member since: Jul 19, 2013

Then the hacker need to have our phone with them or a malicious app in our phone in order to do this no?

28. RGreen

Posts: 83; Member since: Jul 06, 2012

Got to love it

29. RoboticEngi

Posts: 1251; Member since: Dec 03, 2014

First problem with all this. They must put software on a phone they dont have.......

31. Tooluka

Posts: 66; Member since: Nov 27, 2014

As security specialists say "fingerprint is not a password, it's a login". You MUST add password when you use fingerprint auth.

32. _PHug_

Posts: 482; Member since: Oct 11, 2011

This can never happen, If a gummy bear touches my fingers it's getting eaten

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.