Hackers can remotely lift fingerprints from Android devices, but not Apple's Touch ID
The annual Black Hat Security Conference offers a chance for hackers and security gurus to gather and share their latest finds. With a number of new smartphones having been announced over the past week and more on the way very shortly, Black Hat might have slipped under your radar. For those taking a deep interest in digital security and privacy, however, it tends to be a rather engrossing few days. Today, it has been revealed that the Android fingerprint framework is potentially susceptible to myriad hacks, one of which can bypass fingerprint-authenticated payment systems. Tested and workable on certain Android devices, the series of vulnerabilities outlined did not, and do not affect Apple's Touch ID system.
Since fingerprint scanners are already being used to authenticate payments, the idea that a hacker could bypass this digital lock-and-key is quite a scary one. But that's not the worst of it. Demoed by researchers Tao Wei and Yulong Zhang, a fingerprint sensor spying attack could remotely steal actual fingerprint data, with the likes of the HTC One Max and Samsung Galaxy S5 both said to have been caught out by this particular pleasantry.
Touch ID, conversely, doesn't divulge vital fingerprint info without a crypto key. So in the event that a hacker does get access to Touch ID, the crucial details remain on lock-down as they should be.
The good news, particularly if you're an Android user, is that OEMs are aware of this flaw, and a large portion have already delivered remedial updates and fixes without too much fanfare. Suffice to say, if you keep up-to-date, you'll probably be okay.
Still, the severity of these hacks will do precious little to calm those skeptical about personal data and security. Samsung Pay's launch is imminent now, with other similar services to follow, but given the noted vulnerabilities and fledgling nature of mobile payments in general, it's likely to be greeted with a fair dose of resistance.
Thoughts?
Things that are NOT allowed: