Hackers can remotely lift fingerprints from Android devices, but not Apple's Touch ID

The annual Black Hat Security Conference offers a chance for hackers and security gurus to gather and share their latest finds. With a number of new smartphones having been announced over the past week and more on the way very shortly, Black Hat might have slipped under your radar. For those taking a deep interest in digital security and privacy, however, it tends to be a rather engrossing few days. Today, it has been revealed that the Android fingerprint framework is potentially susceptible to myriad hacks, one of which can bypass fingerprint-authenticated payment systems. Tested and workable on certain Android devices, the series of vulnerabilities outlined did not, and do not, affect Apple's Touch ID system.

Since fingerprint scanners are already being used to authenticate payments, the idea that a hacker could bypass this digital lock-and-key is quite a scary one. But that's not the worst of it. Demoed by researchers Tao Wei and Yulong Zhang, a fingerprint sensor spying attack could remotely steal actual fingerprint data, with the likes of the HTC One Max and Samsung Galaxy S5 both said to have been caught out by this particular pleasantry. 

Touch ID, conversely, doesn't divulge vital fingerprint info without a crypto key. So in the event that a hacker does get access to Touch ID, the crucial details remain on lock-down as they should be. 

The good news, particularly if you're an Android user, is that OEMs are aware of this flaw, and a large portion have already delivered remedial updates and fixes without too much fanfare. Suffice to say, if you keep up to date, you'll probably be okay.

Still, the severity of these hacks will do precious little to calm those skeptical about personal data and security. Samsung Pay's launch is imminent now, with other similar services to follow, but given the noted vulnerabilities and fledgling nature of mobile payments in general, it's likely to be greeted with a fair dose of resistance. 

Thoughts?

source: Black Hat via Engadget


56 Comments

1. willytbk

Posts: 252; Member since: Aug 15, 2012

WOHOOOOO....that's scary

14. Mxyzptlk unregistered

Can't wait to see how they explain this one.

27. engineer-1701d unregistered

For the last couple months now I am thinking about WP or Tizen more and more. Google is but having too many devices to update and carriers, it's better to go the other route.

28. Scott93274

Posts: 6040; Member since: Aug 06, 2013

The last major issue with Android about the vulnerability with Hangouts was actually fixed by Google before the vulnerability made news. The problem you have is depending on a device that is dependent on the OEM to push out the updates in a respectable time frame. If you happen to go with a Nexus device that has now been promised weekly security updates for a minimum of 2 years, then I think that's a better alternative than another platform. But it's your call.

35. vincelongman

Posts: 5745; Member since: Feb 10, 2013

It's fixed in Android M anyway

42. AlikMalix unregistered

Vince, not trolling, but M isn't really released yet, and when it is, wouldn't most people be about 8 months out before they get it?

46. vincelongman

Posts: 5745; Member since: Feb 10, 2013

M is 5.2, a small update compared to Lollipop 5.0. Probably be ~2-5 months until they get updates. Also they could update their 5.1.1 build with the patch from M, e.g. like what's happening with the MMS hack fix (so far only Samsung and Google have, but I imagine others will follow soon). Realistically, there's basically no chance you will get hacked anyway. I mean there's no reason some hacker would want your fingerprint, unless you're the US president or something like that.

47. AlikMalix unregistered

So vince, why is it if apple is involved it's a "horrible situation, apple users are stupid, you should never use iOS, etc". But when android has this, and stagefright, and whatever else - "oh it's ok, I'm not that important to hack"? Double standard much. At the same time, you point out that "M" fixed that already (past tense) when it will be months upon months in the future and for some Never! but same thing happens to Apple - two weeks and virtually everyone is safe! Just another "android is superior" contradiction... Not directed at you, just pointing out overall hypocrisy...

50. vincelongman

Posts: 5745; Member since: Feb 10, 2013

> Not directed at you, just pointing out overall hypocrisy...

Then you replying to me? Reply to someone who is being hypocritical

51. AlikMalix unregistered

Keeping within the context of the sub-thread...

54. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

He was keeping the conversation going nothing more.

37. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

Biometric authentication does not add value to me so I am not going to use it regardless of platforms. When introduced in Windows 7 notebook at work, my answer was no! Smart devices still a No! Think about it: how could I change my biometric data if it has been compromised by hacker? Password or 2 factors can simply change the password and security key.

56. james2841

Posts: 167; Member since: Dec 10, 2014

The OEMs should have made the fingerprint sensor raw data go through a hardware encryption chip before going to the processor but they had it connected directly and they paid the price for it.

57. james2841

Posts: 167; Member since: Dec 10, 2014

And Samsung and HTC should have made the phone store a salted hash of the fingerprint data and when the phone needs the fingerprint match data then it will send the hash to the encrypted chip and the chip will tell whether it matches and not the processor. tl;dr it is Samsung's and HTC's fault that their phones were vulnerable and not Google's fault.

31. strudelz100

Posts: 646; Member since: Aug 20, 2014

There are far fewer things people can do with your fingerprints than they can do with your financial information which is already widely available across black markets. It seems scary, but stuff like that happens in Hollywood. The Feds still beg Apple to unlock devices even when they have physical access. You hear no such complaints about Android devices. For obvious reasons.

2. Scott93274

Posts: 6040; Member since: Aug 06, 2013

LOL, first PhoneArena posts the article about Apple fans loving Android, then they post this so that those who like Apple can have their fun as well.

4. AlikMalix unregistered

The video was funny, this is NOT!... this is a security problem - the same one that Haters tried to crucify Apple for when they introduced Touch ID and now it's been proven Best in usability and security and ironically Android OEMs are now the ones that have the problem that Haters tried to pin on Apple - where are those people?

5. Scott93274

Posts: 6040; Member since: Aug 06, 2013

I'm sorry, it is not funny, but I can laugh because the phone I am planning to get (Moto X Style) was criticized for not having a fingerprint scanner by a bunch of folk that think they know what's best for everyone and then this happens.

10. AlikMalix unregistered

I see... :-)

15. Mxyzptlk unregistered

We get it Scott. You're getting the new Moto X. Should I give you a cookie for it now or after your wedding reception for the phone?

17. AlikMalix unregistered

Mxy, why do you have to be such a jerk? I think MotoX is a great phone - I was really impressed by MotoX from the beginning and the very lite Android that comes with it. This is the phone I recommend to those who want to switch from iOS and try Android.

19. Scott93274

Posts: 6040; Member since: Aug 06, 2013

He's a troll. That's all he does on this site. Google, Motorola, Blackberry articles have him trolling all over them. I'm getting tired of the harassment. I've asked him to stop on many occasions but this is the crap he keeps posting.

23. Mxyzptlk unregistered

You're getting tired of the harassment? You're full of s- how many times have you and other Android fans insulted iOS fans and its devices? You've done it many times including calling me many insulting names that I overlook because you're just an anonymous face behind an avatar that makes me think you're crazy. Don't try and act like you're innocent.

25. Scott93274

Posts: 6040; Member since: Aug 06, 2013

How many times have I told you I would stop when you started being respectful to other people??? Many many times??? But you can't/won't quit. You're the most disliked person on this site because you treat everyone else like crap.

26. Scott93274

Posts: 6040; Member since: Aug 06, 2013

Here's a quote of mine from 7 hours ago "Well, did you realize that you wouldn't have such an issue with flies if you would stop being such a sh*t all the time? I've told you once and I'll tell you again, Stop trolling Motorola and Google and I'll stop trolling you. Hell, I'd even stick up for you if other people talk crap." And you replied "I don't care about you not leaving me alone. If I wasn't entertained by your pathetic comments and your mad Motorola love, I wouldn't be responding to you. Checkmate." Stop acting like I haven't tried to be reasonable with you.

22. Mxyzptlk unregistered

It's a step in the right direction. Just call it a precautionary measure of interest. As for the comment that is mostly at Scott since he continues to harass me.

29. AlikMalix unregistered

You two guys are funny... Probably be good friends in real life if it wasn't for platform wars...

33. strudelz100

Posts: 646; Member since: Aug 20, 2014

SO LAME.

53. uggman

Posts: 58; Member since: Feb 01, 2013

I think it is already proven that there is no such thing as "security", both Apple and Android are flawed and insecure, you want security get a BlackBerry, that's what heads of states use, I think security will be the next business trend as it's becoming more and more mainstream.

3. AlikMalix unregistered

Wait, where are the 50+ posts? You guys think that by ignoring these android vulnerabilities including StageFright, and Google Maps Ads, HTC UI Ads, Restoring Android does not erase personal information, LG updating phones without your consent, and so on, and on? Do you really think ignoring these articles make Android so much better security wise?
