Android fingerprint readers may be easier to hack than Touch ID
There's nothing like a Black Hat Security Conference to leave you feeling exposed and vulnerable. Today's compromise? Fingerprint readers. Security researchers Tao Wei and Yulong Zhang have exposed some pretty significant flaws in the Android fingerprint framework. The duo outlined a couple of different attacks -- including malware that can bypass fingerprint-authenticated payment systems and various backdoor attacks -- but the biggest offender was a "fingerprint sensor spying attack" that could remotely lift prints from affected phones. Researchers found the attack viable on both the HTC One Max and the Samsung Galaxy S5, but not on iPhone or other Touch ID devices.
The security discrepancy is pretty huge. Affected devices simply don't do enough to lock down their fingerprint scanners, often leaving them at the mercy of higher level system privileges. Apple's Touch ID, on the other hand, won't give up fingerprint data without a crypto key, Zhang told ZDNet -- even if an attacker has direct access to the fingerprint sensor.
The exploit is particularly troubling in light of the kind of information at stake: passwords can be changed if your credentials are compromised, but you can't change your fingerprints. Thankfully, device manufacturers are on the case: notified vendors have already issued patches for the exploit. Keep your device updated and you should be fine.