RSA 2015

Malware can snaffle fingerprints used to unlock Samsung Galaxy S5 smartphones thanks to a security blunder, researchers claim.
The vulnerabilities, due to be discussed at the RSA security conference in San Francisco this week, may be present in non-Samsung Android mobiles, too.
Today's smartphones recognize their owners' fingerprints so the device can be unlocked and transactions authorized. The scanned print is compared against a copy held within the smartphone's TrustZone, a secure area of the device walled off from apps and Android.
TrustZone is provided by the phone's ARM-compatible processor: it is a gatekeeper that separates sensitive code and data – such as the fingerprint checking software – from the rest of the mobile, including the operating system, its kernel, and any malware that may be lurking.
When you press your finger against the device, the TrustZone code accesses the sensor, checks the scan, and tells Android whether or not the print is recognized. By design, only the TrustZone code should be able to read data off the sensor.
While this sounds great in theory, the implementations of secured environments are never perfect.
Yulong Zhang and Tao Wei of FireEye say they have found a way to snatch the fingerprint scan when the user presses his or her finger against the phone: apparently, software running with system-level privileges and the TrustZone code both have access to the fingerprint sensor in the Samsung Galaxy S5.
This means malware that gains system permissions can read fingerprints straight off the sensor, we're told. A miscreant could present a fake lock screen, read the fingerprint sensor when the victim tries to unlock their device, and snatch a copy of the prints.
"If the attacker can break the kernel, although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time," Zhang told infosec journalist Tom Fox-Brewster this week.
"Every time you touch the fingerprint sensor, the attacker can steal your fingerprint."
This data can be used to authorize a transaction, it's claimed. Zhang and Wei are due to present their findings at the RSA conference on Friday, and will reveal other vulnerabilities, too. You can find the slides here [PDF] and a summary here, which notes:
We will discuss the security issues of current designs, including the confused authorization attack, TrustZone vulnerabilities, pre-embedded fingerprint backdoors, and fingerprint hash collision attacks. We will also show live demos, such as hijacking PayPal protected by fingerprints.
Samsung is investigating the pair's claims. A spokesman told The Register: "Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims."
Security weaknesses in the TouchID fingerprint system in Apple iPhones have been known about for some years. These largely revolve around failures to detect counterfeit fingerprints made from Gummi Bears and similar materials. ®