Samsung S5 fingerprint flaw exposed

[Victorious Secret]

 

 

 

Whether this is Samsungs or Googles fault, its a pretty massive one that allows a hacker to grab your fingerprint data before it even enters the secured memory that it should be in. I'd argue that data like this should be secured start to finish, all the time, why its like this baffles me. Since this is something that can affect far more phones, lets hope they address it soon. 

 

 

Android phones typically store sensitive data such as fingerprint information in a walled-off area of memory known as the Trusted Zone. 

However, Yulong Zhang and Tao Wei found it was possible to grab identification data before it is locked away in the secure area. This method of stealing data was available on all phones running version 5.0 or older versions of Android provided the attacker got high level access to a phone. 

They also found that on Samsung Galaxy S5 phones, attackers did not need this deep access to a phone. Instead, they said, just getting access to the gadget's memory could reveal finger scan data. 

Using this information an attacker could make a fake lock screen that makes victims believe they are swiping to unlock a phone when they are actually authorising a payment. 

In addition, they found, it was possible for attackers to upload their own fingerprints as devices did not keep good records of how many prints were being used on each device.

 

 

http://www.bbc.com/news/technology-32429477

[Sauron]

I always considered biometric security a gimmick, especially when people have been able to grab Merkel's fingerprints from an electoral poster. Long alphanumeric passwords are still the most secure way to go about things and the only thing one should be using if s/he has sensitive data to protect.

[UltraNeonGaming]

Makes me wonder if putting multiple fingerprints on my S6 is a bad thing to do

[paprikman]

Hackers are probably the only men, interested in me, especially in my fingerprints.

[Kyuubixchidori]

What's scary is the spoofing payments. Could you imagine 10$ being pulled out of your account every time you unlocked your phone? If you don't have payment notifications, it may be a few days before you notice. Which can be a couple hundred unlocks. Scary stuff.

Says it needs high level access. So rooted phones are at risk? If so this is a big deal but blown out of proportion, making everyone think they are at risk

[ShadowCaptain]

you had one job

[simson0606]

What's scary is the spoofing payments. Could you imagine 10$ being pulled out of your account every time you unlocked your phone? If you don't have payment notifications, it may be a few days before you notice. Which can be a couple hundred unlocks. Scary stuff.

Says it needs high level access. So rooted phones are at risk? If so this is a big deal but blown out of proportion, making everyone think they are at risk

but rooting disables samsung pay so you cannot pay (or are there more payment apps? i'm not familiar with it, i'm on ios)

[Kyuubixchidori]

but rooting disables samsung pay so you cannot pay (or are there more payment apps? i'm not familiar with it, i'm on ios)

Honestly the fingerprint scanner is why I want to try iOS. They so far done it so much better. The security protects you from stores with crappy protection

[LAwLz]

I always considered biometric security a gimmick, especially when people have been able to grab Merkel's fingerprints from an electoral poster. Long alphanumeric passwords are still the most secure way to go about things and the only thing one should be using if s/he has sensitive data to protect.

You're 100% correct in saying it's a gimmick. Fingerprints is one of the stupidest ways to handle security ever to exist, and it will forever be that way. The idea is fundamentally flawed because you can never change it and you leave your "password" on everything you touch. You're trading security for convenience, so don't get surprised when it one day comes and bites you in the ass.

Remember, if this exploit has been used in the wild then the attacker will forever have access to every single account you got protected with your fingerprint. 1 single exploit and you will forever be unsafe. The same goes for any fingerprint scanner (including the Galaxy S 6, HTC One MAX and iPhones).

 

 

 

Says it needs high level access. So rooted phones are at risk? If so this is a big deal but blown out of proportion, making everyone think they are at risk

The article is pretty poorly written but what I think they mean is:

A flaw in Android itself makes it possible to get the data on any phone with a fingerprint scanner and secure zone for storing it. if you got root.

On the Galaxy S 5 they didn't even need root to get the data.

In both scenarios the attacker has to install a Trojan horse though.

[simson0606]

Honestly the fingerprint scanner is why I want to try iOS. They so far done it so much better. The security protects you from stores with crappy protection

i absolutely love it on my phone, although it makes it too easy sometimes, i accidentally paid for an in-app purchase because i wanted to press the home button <_<  but i got my money back via a refund (the whole damn 80 cents )

[Kyuubixchidori]

You're 100% correct in saying it's a gimmick. Fingerprints is one of the stupidest ways to handle security ever to exist, and it will forever be that way. The idea is fundamentally flawed because you can never change it and you leave your "password" on everything you touch. You're trading security for convenience, so don't get surprised when it one day comes and bites you in the ass.

Remember, if this exploit has been used in the wild then the attacker will forever have access to every single account you got protected with your fingerprint. 1 single exploit and you will forever be unsafe. The same goes for any fingerprint scanner (including the Galaxy S 6, HTC One MAX and iPhones).

 

 

 

The article is pretty poorly written but what I think they mean is:

A flaw in Android itself makes it possible to get the data on any phone with a fingerprint scanner and secure zone for storing it. if you got root.

On the Galaxy S 5 they didn't even need root to get the data.

In both scenarios the attacker has to install a Trojan horse though.

Oh shit really? I thought it wasn't a huge deal because when you root you know your exposing yourself. But if you don't need root, that's a huge deal. And for the Trojan, there's so many sketchy copy cat games on android, wouldn't be difficult at all

[virtualTune]

Good thing mine doesn't work anymore then...

[Jade]

Honestly the fingerprint scanner is why I want to try iOS. They so far done it so much better. The security protects you from stores with crappy protection

Also removes the ability to "forget" your password in the event you become subject to investigation.

[silberdrachi]

The article is pretty poorly written but what I think they mean is:

A flaw in Android itself makes it possible to get the data on any phone with a fingerprint scanner and secure zone for storing it. if you got root.

On the Galaxy S 5 they didn't even need root to get the data.

In both scenarios the attacker has to install a Trojan horse though.

 

And a Trojan that would require the user to grant it security rights relatively recently before you swipe your finger. Most of the time when you grant admin rights to an app you only grant them for a specific time period. (I think my default was 5 minutes and i haven't touched it)

 

All in all, an unlikely actual security risk (outside of the s5 i mean), but a demonstrable flaw that should be fixed.

 

I wonder if this will affect the S6 too, because it sounds like they completely redesigned the sensor and the systems behind it.

[Sauron]

Honestly the fingerprint scanner is why I want to try iOS. They so far done it so much better. The security protects you from stores with crappy protection

 

Nope, it's much easier to get your fingerprint than to guess your password if you know what you're doing.

[TroubleKlef]

If one wants to track down my fingerprint on an empty water bottle I threw away in a trash bin 2 weeks ago and then proceed to track down my iPhone and somehow thieve it away then bravo. A whole lot of work just to see my Angry Birds high score. Biometric sensors are a great combination of security and convenience. I'm glad Samsung has improved the S6 sensor because the S5 was total shit.

[RexinOridle]

I don't even use any fingerprint scanner on any phone. Half of the time, it doesn't work 100% of the time. If I have something on my finger, or wet / sweat, it just doesn't work. Rather enter password every single time.

[TheMidnightNarwhal]

I always considered biometric security a gimmick, especially when people have been able to grab Merkel's fingerprints from an electoral poster. Long alphanumeric passwords are still the most secure way to go about things and the only thing one should be using if s/he has sensitive data to protect.

 

Actually the most secure thing would be a combination of both.

[Sauron]

Actually the most secure thing would be a combination of both.

 

Yes and no, because by that logic you'd be adding infinite layers of passwords and other measures. Of course two passwords are more secure than one, and a longer password is safer than a shorter one. Does that mean you should be using a password that occupies a terabyte of data (assuming you could even come up with a way to remember it)? And again, if someone wanted access to your data they'd manage to get your fingerprints much sooner and with more ease than your password, so it would be sort of useless.

 

-edit-

Look at the second one

[LAwLz]

Actually the most secure thing would be a combination of both.

I think the better option is to have your fingerprint as your username, and a standard password as your password.

[NickTheMajin]

I don't even use any fingerprint scanner on any phone. Half of the time, it doesn't work 100% of the time. If I have something on my finger, or wet / sweat, it just doesn't work. Rather enter password every single time.

 

You'd use it if you had an iPhone. I've never had it not immediately work unless my finger was soaked. Most of the time my phone is unlocked before my phone is out of my pocket. 

[RexinOridle]

You'd use it if you had an iPhone. I've never had it not immediately work unless my finger was soaked. Most of the time my phone is unlocked before my phone is out of my pocket. 

 

Surprisingly, and most unfortunately, I have the 5S and had S5. Exact same problem with Luke.

[Mew]

This isn't really a problem on the s5 because the fingerprint sensor pretty much never works