Researchers: Attackers can steal fingerprints Galaxy S5

The fingerprint sensor on the Galaxy S5 and some other Android smartphones can be exploited. Attackers can read fingerprints from the sensor, researchers found. The vulnerability is only present in Android versions older than Lollipop.

On Android smartphones, the fingerprint is stored in a secure zone, which cannot be read from the kernel and should therefore be safe from attackers. However, they can target the input of the sensor, provided versions older than Android 5.0 are used, two security researchers discovered. They will present their findings this week at the RSA Conference in San Francisco.

That way, the attackers still can’t reach the encrypted zone, but they can read the input from the sensor the moment a user puts their finger on the sensor. The problem can be abused on Samsung’s Galaxy S5, among other things, Forbes writes. A user must then gain system-level access to an Android phone: that is one step lower than root, but higher than ‘normal’ access for applications. On a number of other Android phones, which Forbes does not mention by name, an attacker must have root access. An attacker could gain that access by exploiting security vulnerabilities in Android.

Incidentally, the problem is easy to work around: users need to update to Android 5.0 Lollipop. With that Android version, the problem is gone, the researchers say. Android 5.0 is already available for the Galaxy S5; it is unclear whether this also applies to the other vulnerable devices, as the researchers do not name them. Incidentally, the Galaxy S6 and S6 Edge also have a fingerprint scanner, but that phone comes with Android 5.0 and is therefore not vulnerable.