As fingerprint authentication becomes more commonplace, two hackers have claimed that they have figured out how a compromised Android could be used to collect fingerprint data from unsuspecting users.
ZD Net reports that FireEye researchers Tao Wei and Yulong Zhang are set to speak at the Black Hat hacking conference in Las Vegas and outline how hackers could conceivably run code that will silently read fingerprints from the reader and send them back to the hackers. Meaning that prints could be used for identity theft, fraud and unlocking other data.
Apparently the threat occurs because print readers in existing Android handsets are not fully secure because they are only guarded by the “system” privilege and not the root user, making it easier to break in. ZD Net notes that if you have rooted and jailbroke your phone, you’re more at risk at it breaks down that already thin layer of security.
The good news is that the threat is broadly hypothetical at the moment: Rather than use the information for malicious means the hackers have instead alerted phone manufacturers and boasted about finding the exploit for the kudos amongst their peers. In any case, there are far fewer Android handsets that currently have fingerprint sensors than iPhones – which are broadly considered more secure because it encrypts fingerprint data.
Apparently the affected vendors – which includes HTC, Samsung and Huawei have all made patches since the hackers flagged up the problem.