Maybe your fingerprint isn't so unique after all, at least not if you have a Samsung Galaxy S5. New research suggests it's possible for hackers to steal a user's fingerprint data right from their phone, effectively giving them control over a Galaxy S5 without a password.
Biometrics like fingerprint scanners, eye scanners and voice recognition technology have been touted as the solution to the ever-untrustworthy password. But Tao Wei and Yulong Zhang, researchers at the cybersecurity company FireEye, are planning to deliver a presentation at the RSA security conference in San Francisco Friday outlining findings that seem to indicate the contrary. Makers of the Galaxy S5 and other unnamed phones have tried, but failed, to compartmentalize fingerprint data in an encrypted secure zone, leaving incoming data from the fingerprint sensor vulnerable to interception, the researchers said.
“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Zhang told Forbes magazine. “You can get the data, and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
A Samsung representative told Forbes the company is investigating the researchers' claims.