From unlocking a phone to paying for a purchase, our fingerprints have now evolved into more than just a way to identify ourselves.
Unlike the ever-growing number of passwords consumers are required to keep track of, a fingerprint scanner used as a security gateway eliminates the worry of remembering, or possibly forgetting, a password.
Using fingerprints as a way to verify a transaction or download an app may be ideal for consumers, but is it truly a secure option?
Many security experts think not.
At this year’s Black Hat USA conference, an annual global information security event series, FireEye researcher Yulong Zhang expressed some concerns about the growing popularity of biometrics technology, particularly when it comes to fingerprints, The Washington Post reported.
“If you leak a password, you can just change it; if you leak a fingerprint, it’s lost for your whole life,” Zhang said during a presentation at the Black Hat conference held in Las Vegas earlier this month.
Zhang and a team of other security experts at FireEye uncovered major fingerprint security vulnerabilities on various Android devices, such as those from Samsung and HTC, which were storing data from fingerprint scans in a way that made it easily accessible to cybercriminals.
“Even if the attacker can directly read the sensor, without obtaining the crypto key, [the attacker] still cannot get the fingerprint image,” Zhang told ZDNet.
In one example, HTC’s One Max mobile device was storing fingerprint scans as unencrypted image files which could then be stolen and read through unauthorized processes or apps. The HTC One Max, as well as Samsung’s Galaxy S5, were identified as making fingerprint scans more vulnerable by not isolating the technology related to the fingerprint scanner from the rest of the devices’ operations.
In the presentation, the FireEye researchers detailed four methods of attack on the Android system. One of the more notable methods involves remotely hacking the sensor and stealing any fingerprint that is uncovered.
The researchers termed this the “fingerprint sensor spying attack,” and it entails a scenario in which hackers could continuously use fingerprint data in just about any manner.
According to the research report, “Fingerprints On Mobile Devices: Abusing and Leaking,” the phone manufacturers have since issued security patches to address the findings, but it still sheds a cautionary light on the potential and critical flaws of fingerprint security.
The use of fingerprint scanning continues to grow in popularity: within four years, according to some estimates, more than half of smartphones shipped will sport fingerprint sensors.
Not only are fingerprints unchangeable, unlike PINs and passwords, which could make them a riskier security option, they are also already very public. Fingerprints are left on almost everything you touch or come into contact with, which is a concern when this same identifier acts as a security measure.
Researchers have also been able to copy fingerprints based on public photos, which explains why some security experts are wary of them being used as an authentication method, The Washington Post reported.
As we have learned from recent headlines, fingerprints are far from exempt from being compromised by data breaches.
The massive attacks on the U.S. Office of Personnel Management resulted in the exposure of more than 1 million fingerprints, along with over 21 million Social Security numbers and 19.7 million forms of data.
Security vulnerabilities remain far-reaching and the general security concerns surrounding fingerprint scanners are sure to evolve as quickly as the technology itself.