Galaxy S5 fingerprint sensor hacked
Hackers could steal data from the fingerprint reader on the Samsung Galaxy S5 according to new researchGetty Images

Users of the Samsung Galaxy S5 could have their fingerprints stolen by hackers and used to make payments or access sensitive data, researchers have shown.

In a presentation entitled To Swipe or Not to Swipe: A Challenge for Your Fingers which will be given at the RSA conference in San Francisco on Friday (24 April), FireEye researchers Tao Wei and Yulong Zhang will discuss and demonstrate the security problems with using your fingerprint as a method of authentication on your smartphone.

Wei and Zhang will specifically show just how easy it is to steal fingerprint data from a Galaxy S5 smartphone which has a fingerprint reader integrated into the home button.

In its promotional material for the Galaxy S5, Samsung says that the fingerprint reader means that security has been "upgraded and personalised" with the company saying that it stores the biometric data in a locked-down part of the device, separate from the rest of your information to keep it safe.

Samsung says: "The information is comprehensively protected throughout the storage and the processing."

Stolen fingerprints

This statement is now in serious doubt however, after the researchers revealed details of their talk ahead of presenting it at the RSA conference on Friday, 24 April.

Speaking to Forbes, the researchers said that by simply monitoring the smartphone's fingerprint reader and grabbing any information as it is being sent to the "Trusted Execution Environment" where fingerprint data is stored, then they will be able to collect all the information needed.

"If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored int he trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint," Zhang told Forbes. "You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want."

Samsung has said that it is investigating the claims but has so far not denied the validity of the FireEye research.

Biometric security such as fingerprint readers and iris scanners are seen as the future of security, but as the researchers' presentation will highlight, while traditional passwords can be reset, you cannot reset your fingerprint or iris.

Samsung allows Galaxy S5 users to authenticate PayPal payments using their fingerprints, highlighting just one of the issues should that data fall into the hands of hackers.

The only saving grace for Galaxy S5 users is that the newly unveiled security flaw does not work if you have updated your smartphone's software to Android 5.0 (Lollipop).

The fingerprint reader on the Galaxy S5 was previously shown to be vulnerable to spoofing in July 2014, when German researchers were able to use a dummy finger to gain access to the phone.

Biometrics

Samsung is just one of a growing number of smartphone and tablet manufacturers integrating biometric sensors into their devices. Apple's TouchID which is available on iPhones and iPads is the most well known fingerprint sensor but researchers have already shown that it is vulnerable to attack.

The FireEye researchers have not tested the flaw on other Android smartphones which have a fingerprint reader and may be running an earlier version of Android including the HTC One Max, Galaxy Note 4 and Note Edge and the Huawei Ascend Mate 7. FireEye says it believes the problem to be more widespread that just the Galaxy S5, but it has yet to confirm this.

The new Galaxy S6 and Galaxy S6 edge are unlikely to be affected however as they are sold with Android 5.0 already installed.