U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers can remotely steal fingerprints from Android devices

Researchers from FireEye have revealed that it is possible to attack Android smartphone to remotely steal user’s fingerprints on a “large scale.” Security experts have often expressed concerns regarding the fingerprint management implemented by the principal mobile vendors. Hackers have demonstrated that it is not difficult to trigger vulnerabilities inside systems that manage fingerprints in […]

fingerprint recognition systems MasterPrints

Researchers from FireEye have revealed that it is possible to attack Android smartphone to remotely steal user’s fingerprints on a “large scale.”

Security experts have often expressed concerns regarding the fingerprint management implemented by the principal mobile vendors. Hackers have demonstrated that it is not difficult to trigger vulnerabilities inside systems that manage fingerprints in order to bypass authentication mechanisms, in April 2015 a group of security researchers at FireEye have discovered a vulnerability in the Samsung Galaxy S5 that allows hackers to clone fingerprints.

Now security experts from FireEye have discovered four new methods to hack Android devices and extract user fingerprints remotely.

The researchers Tao Wei and Yulong Zhang presented the findings of their hack in a talk titled, Fingerprints on Mobile Devices: Abusing and Leaking, at the Black Hat conference last week.

The techniques are very insidious because the victim will never notice the disconcerting theft of its fingerprints.

Cognitive Fingerprints authentication

The researchers dubbed the attack “Fingerprint Sensor Spying attack” and it could allow attackers to “remotely harvest fingerprints in a large scale from the handset of the major manufacturers including HTC, Samsung and Huawei.

The experts avoided to release  any “proof-of-concept” for obvious reason.
The targets of the attack are Android devices equipped with Fingerprint Sensors that allow users to authenticate themselves by simply touching the display of their smartphone.

Let’s note that Google doesn’t yet officially support the authentication mechanism based on fingerprints based on its mobile operating system, but the company will soon implement the support in the next release Android M.

The researchers tested their attack on the HTC One Max and Samsung’s Galaxy S5, the succeeded to steal a fingerprint image from the device due to the lack of a proper implementation of a locking mechanism for the fingerprint sensor.

I have explained several times the risks related to a wrong implementation of biometric authentication, the theft of a biometric data like fingerprints would be more dangerous compared the theft of a stolen password.

Users can reset their compromised password, but cannot change fingerprints neither the iris in the case of data breach.

“In this attack, victims’ fingerprint data directly fall into attacker’s hand. For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things,” said Zhang.

Fortunately, the security issue is quite easy to fix, for example by encrypting fingerprint data on Android devices, and a number of vendors are already working to a security update.

The measure is already adopted by Apple iOS that encrypts data acquired by the Touch ID sensor. The experts explained that Apple iOS is “quite secure” because it encrypts fingerprint data from the scanner with a crypto key, making it unreadable even if hackers gain access.

Pierluigi Paganini

(Security Affairs – Android, fingerprints)