A simple yet critical flaw in an older version of Google’s Android operating system could allow hackers to steal fingerprint copies, security experts say. The flaw means that hackers can intercept and steal Samsung S5 owners’ biometric data, which can lead to potential cybercrimes.

Fingerprint scanners are often heralded as the future of consumer security and an alternative to the notoriously flawed and breakable password.

The fingerprint vulnerability

However, experts have discovered that fingerprint scanners may not be as secure as first imagined: the popular Samsung Galaxy S5, as well as other Android devices, is said to be ‘leaking’ the fingerprints of its users. This leads to a loss of user privacy and contributes to identity theft.

While the fingerprints are routed to a ‘secure zone’, researchers from FireEye say that the attackers can intercept the data and scans before they can get there. Due to this, it is claimed that the fingerprints can be reconstructed and used elsewhere.

“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Yulong Zhang from FireEye told FORBES. “You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”

Quite simply, the researchers have found a way to intercept a user’s biometric data after it is captured by the built-in scanner but, critically, before it is encrypted.

The researchers assessed that the flaw lies primarily in older versions of the Android operating system up to and including Android 4.4 (KitKat). Consequently, anyone running Android 5.0 or above is not at risk, and researchers at FireEye are advising people on previous versions of Android to update as soon as possible.

The hack

The vulnerability here is that a hacker can access the kernel (the core) of the Android operating system. Once inside, they have the means to monitor all data sent to and from the phone, as well as data recorded by the handset’s built-in sensors, including the fingerprint scanner. Here is how the hack unfolds:

Usually, when a fingerprint is scanned, it is encrypted and separated from the rest of the device in a secure folder. Hackers would have a hard time getting access to this folder even with access to the kernel, but they can collect fingerprint scans from the sensor before the scans reach the folder, that is, before they are encrypted.

Having acquired the fingerprints, a hacker can not only use them to access the phone but also, for example, use them to make payments with PayPal.

The Samsung Galaxy S5 is the only smartphone specifically named by the firm. However, it added: “We only tested a limited number of devices. While we expect the issue is more widespread, we are not sure.”

The South Korean giant has responded, telling Forbes that it “takes consumer privacy and data security very seriously, [and is] currently investigating FireEye’s claims.”