Pull My Finger...print

By Michael Soto ·

It appears yet another Android vulnerability has been identified that is worthy of mention. As you may know, a few days ago at the Black Hat conference, new methods to exfiltrate fingerprint data from Android devices were revealed.

Before you hit the panic button, it is important to note the vulnerability is limited to Android devices with fingerprint readers on them. Currently, the list is short and is comprised of devices from only a few different carriers.

How does the attack work?  A fingerprint image, from an affected device can be acquired and exfiltrated without the user knowing. This is possible as device makers failed to properly secure the sensor making it easier for attackers. Now imagine if the device is compromised (e.g. jailbroken or rooted), you’re probably at even greater risk. When the attack is executed, the fingerprint sensor can be used, without notice, to collect all fingerprint data.

It is important to note that since Google doesn’t support fingerprint readers via OS APIs for versions of Android prior to Android M, each manufacturer had to write the code to support it. As a result, there are inconsistencies with the code and security implemented.

The implications of another person having your fingerprint data would affect the rest of your life, since fingerprints aren’t as easy to change as passwords. Imagine the damage that can be done with your fingerprint; with the advent of e-payment applications and credit card information being stored on your device, it is alarming to say the least.

But, there is a bit of good news amongst all the doom and gloom; device manufacturers have released patches to fix the vulnerability. Check with your carrier and/or device manufacturer for the availability of these patches and make sure you apply them to your device(s) as soon as possible.

What can I do going forward? Best practices suggest you keep your device(s) up-to-date with the latest security patches to mitigate the risk against new threats.  At Optiv, we recommend that our clients who support mobile devices employ the use of security software to protect corporate data against known and emerging threats.