At the RSA conference this week, security analysts Tao Wei and Yulong Zhang from FireEye, a security research firm, will discuss an Android security flaw in the way the platform handles transport of biometric data from the fingerprint reader to the secure zone.
The RSA conference is an annual event held in San Francisco, California, focused on cryptography and information security issues in computer systems and databases. Topics discussed at the conference range from cloud security, cryptography, hackers and threats to mobile security, trends and technology infrastructure.
They will specifically address how a compromised mobile handset allows data from the fingerprint scanner to be intercepted before it reaches the protected zone and is encrypted. The flaw affects the Samsung Galaxy S5 and other unnamed Android devices.
Google stated the flaw was patched in Android 5.0, but considering that less than 4% of Android devices are on Android Lollipop, the threat remains real. Another issue that exacerbates this security exploit is Google's past performance in patching other remote system vulnerabilities, like the one that currently exists in UiWebView. An estimated 700 million Android users worldwide remain vulnerable to a remote attack exploit that exists when applications or web-app environments call a browser popup in the UI of the application, rather than an external browser session. Google has stated that this flaw will not be patched due to the level of effort required to research it.
In the current Android biometric security flaw, a remote attacker would not have to break the encryption inside the trusted zone to gain access to the data points. A vector for interception exists between the biometric scanner and the trusted zone.
Overshadowing the security flaw is the access level required to perform the operation. Malware with system-level access (comparable to the level of security access granted to a user for database operations)
If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint; you can get the data, and from the data you can generate the image of your fingerprint. After that you can do whatever you want.
-Yulong Zhang, FireEye Security Analyst (via Forbes)
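To make the architectural point concrete, here is an added simulation (not FireEye's, Samsung's or Google's code, and not a description of how Android 5.0 actually patched the issue) of the two data paths described above. In the vulnerable layout the raw sensor frame crosses the kernel before the trusted zone encrypts it, so a kernel-level compromise sees plaintext; in the mitigated layout the sensor seals each frame with a key it shares with the trusted zone (assumed to be provisioned at manufacture), so the kernel only relays ciphertext and any tampering is rejected. The HMAC-based stream cipher and the 64-byte "fingerprint frame" are constructed for the illustration; a real sensor would use a standard AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed sample input: a fake 64-byte "fingerprint frame" from the sensor.
SAMPLE_FRAME = bytes(range(64))
NONCE_LEN = 16
TAG_LEN = 32


class KernelRelay:
    """Models the rich-OS kernel driver that ferries sensor frames toward the
    trusted zone. In the flaw described above, kernel-level malware sits here
    and can copy whatever passes through."""

    def __init__(self):
        self.observed = []

    def forward(self, payload: bytes) -> bytes:
        self.observed.append(bytes(payload))  # a compromised kernel keeps a copy
        return payload


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (nonce, counter). Illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, frame: bytes) -> bytes:
    """Sensor side: encrypt-then-MAC the frame so only the trusted zone can read it."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(frame, _keystream(key, nonce, len(frame))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Trusted-zone side: verify the tag before decrypting; None on any failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def plaintext_path(frame: bytes) -> dict:
    """Vulnerable layout: the raw frame crosses the kernel and is only encrypted
    once the trusted zone already has it."""
    relay = KernelRelay()
    delivered = relay.forward(frame)
    return {"kernel_saw_plaintext": frame in relay.observed, "tee_received": delivered == frame}


def sealed_path(frame: bytes, tamper: bool = False) -> dict:
    """Mitigated layout: the sensor shares a key with the trusted zone (assumed
    provisioned at manufacture) and seals every frame before the kernel sees it."""
    shared_key = os.urandom(32)
    relay = KernelRelay()
    blob = seal(shared_key, frame)
    if tamper:  # simulate the relay flipping one ciphertext bit in transit
        blob = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    recovered = unseal(shared_key, relay.forward(blob))
    return {
        "kernel_saw_plaintext": any(frame in obs for obs in relay.observed),
        "tee_received": recovered == frame,
        "rejected": recovered is None,
    }


if __name__ == "__main__":
    print("plaintext path:", plaintext_path(SAMPLE_FRAME))
    print("sealed path:   ", sealed_path(SAMPLE_FRAME))
    print("tampered blob: ", sealed_path(SAMPLE_FRAME, tamper=True))
```

The point of the comparison is that which side of the kernel boundary the encryption happens on decides what a kernel compromise can learn: the relay code is identical in both runs, and only the sealed path keeps the frame out of its reach.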
Forbes also reports that Zhang contacted Samsung about the issue but has not heard back.
It’s interesting to keep in mind that FireEye and Samsung have collaborated on enterprise-level projects for BYOD environments. FireEye has a virtual-machine security threat scanner that inspects enterprise applications before they can be installed on Samsung Knox-enabled devices, and to do that Samsung would have to allow FireEye access to that API.