As they increasingly democratized on our smartphones, fingerprint readers are subjects of great interest for security researchers, especially the guys from FireEye who performed several tests on a series of Android devices including the Galaxy S5. Tests that proved that it is actually very easy to access biometric data before it reach the safety zone and create a copy of your digital fingerprints for future attacks.
Instead of focusing on the secure area of the device where your fingerprint is stored, hackers might as well steal the information directly from the biometric scanner. On Android, you just have to have a user level and then run a program through root and then duplicating the information. Moreover, in the case of the Galaxy S5, all you need is a user access.
This is what said the FireEye representative, Zhang Yulong, to Forbes:
If the attacker can break the kernel, although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint. You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.
When your password is stolen, it is very easy to create a new one, however, when it comes to your fingerprint, the problem is quite different and could follow you throughout your life. Risks that are nevertheless limited because, again according FireEye, the problem seems to have disappeared with the Lollipop update.
However, although they do not mention names, researchers said this flaw may be present only for Samsung devices. Already aware of the problem, a Samsung representative said afterwards, by email to Forbes:
Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims.