Thanks to biometric security features like fingerprint scanners, smartphone users can keep their gadgets safe with a completely unique print instead of relying on PIN codes or passwords. Or so we thought. It turns out hackers can actually steal fingerprint data right off some Android phones, and it's not even that difficult.
Most phone manufacturers try to keep your fingerprint data safe by locking it up in a separate and secure part of your phone. That's all well and good, but on certain Android phones hackers can get to it before it's even stored in that security vault, according to security firm FireEye.
The issue appears startlingly straightforward: an attacker could focus on collecting data coming from the Android devices’ fingerprint sensors rather than trying to break into the trusted zone, according to Wei and Zhang, who are presenting their findings at RSA Conference tomorrow. Any hacker who can acquire user-level access and can run a program as root, the lowest level of access on computers and smartphones, can easily collect fingerprint information from the affected Android phones, they said. On the Samsung Galaxy S5, they wouldn’t need to go as deep, with malware needing only system-level access.
So, instead of breaking into the secure part of your phone to steal stored data, the hacker can actually just read your fingerprint directly from the scanner. They could then store that information and use it to break into your phone later on.