A serious security flaw was recently discovered by researchers from security firm FireEye. The vulnerability was presented at the RSA Conference and involves attackers obtaining biometric information from the smartphone before the device encrypts it.
Biometric analysis, such as fingerprint recognition, is one of the new features of Samsung's newest flagship smartphone. However, it leaves open a vulnerability in which attackers can intercept the data before it reaches the phone's encryption layer.
According to FireEye's presentation, acquiring fingerprint data is very straightforward, and once it is intercepted, an attacker can use it in future attacks.
"If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time," FireEye security researcher Yulong Zhang told Forbes. "Every time you touch the fingerprint sensor, the attacker can steal your fingerprint."
Zhang added that once fingerprint data is stolen, attackers can do whatever they want with it.
According to Gizmodo, the vulnerability can only be exploited on devices running Android 4.4 KitKat or lower. The newer version of the Android operating system, Android 5.0 Lollipop, is safe from the reported security flaw. Users of older Android versions are encouraged to update their phones as soon as possible to prevent attackers from exploiting the flaw.
Zhang, along with fellow FireEye security researcher Tao Wei, has already reported the security flaw to Samsung, but the South Korea-based company has yet to issue an update to patch the problem.