Monday, 10 August 2015

Android Fingerprint Sensor Flaw Could Open Up Enterprises To Security Risks

Security is uppermost in the minds of IT managers when considering whether to allow BYOD. The recent slate of Android vulnerabilities uncovered by security researchers is certain to unnerve many IT folks.
The latest Android flaw involves the fingerprint sensor on Android phones and could let attackers steal users' fingerprints.
FireEye researchers Yulong Zhang and Tao Wei gave a presentation at the Black Hat security conference last week in which they showed how an attacker who compromised the sensor could capture not only the device owner's fingerprint but also that of anyone else who scanned a finger on the device. And because a fingerprint, unlike a password, cannot be changed or revoked, a stolen one can be abused for the rest of the victim's life.
Fingerprint sensors on mobile devices are being used to secure everything from access to banking accounts to corporate data. So a compromised sensor could pose significant security risks for organizations, particularly those that allow employees to bring their own devices.
The researchers warned that the flaw in the fingerprint sensor could enable attackers to "remotely harvest fingerprints on a large scale," according to a paper they prepared based on their work.
The FireEye researchers recommended that Android users "choose mobile device vendors with timely patching/upgrading to the latest version (e.g., Android Lollipop)…and install popular apps from reliable sources."

Friday, 7 August 2015

Facing Stagefright, Google, Samsung, LG all commit to pushing monthly security patches for Android devices


Following the disclosure of Stagefright, a set of vulnerabilities in Android's media-playback library that can be triggered by a crafted multimedia message, Google is working to push monthly security fixes to its millions of mobile users worldwide. Samsung and LG have both committed to streamlining their update processes to push those patches to their Android devices.
The complicated Android ecosystem, where mobile operators and handset makers serve as gatekeepers to software updates, has traditionally made it difficult for Google to push out any kind of update to all end users. Having Samsung and LG on board with the new monthly fix plan helps but doesn't entirely solve the problem. 
The newfound MMS-based attack put an estimated 950 million Android devices at risk, according to Joshua Drake, Zimperium VP of platform research and exploitation. The disclosure has likely done no favors for Android's reputation for poor security in the enterprise, an image Google has been trying to shed.
The first of those patches went out Wednesday to Google's own Nexus devices to close the Stagefright flaws. While Google's blog post describes over-the-air updates only for its own branded devices, statements from OEMs show they will try to roll out those updates as soon as they can, carriers permitting.
In an email statement, Google did not make clear how all OEMs would handle the updates. However, Samsung and LG made their own statements that showed their intentions to set up systems to fix security flaws as soon as possible.
Samsung, whose devices make up 37.8 percent of the entire Android market, fast-tracked the Stagefright security updates to its Galaxy devices and will use that rollout as the model for its monthly update process going forward.
In a similar move, LG will push the Stagefright updates to all of its in-market devices susceptible to the attack and set up its own monthly fixes for Android.
All told, much of the onus for delivering security fixes will still fall on the carriers that sell the OEMs' phones. LG and Samsung said they are both working with carriers to push updates as quickly as possible.
If anything, Android's fractured OS ecosystem could use a bit of top-down unification. Whether that crystallizes around security, and whether Google and its OEM partners can figure out a way to seamlessly do it, remains to be seen.