The pair told Thomas Fox-Brewster from Forbes that the flaw lies in older versions of the Android operating system, up to and including Android 4.4.The semi-technical press seizes upon biometrics as a proxy for personal data. This is old news, but here's a great example.
Subsequently, anyone running Android 5.0 or above are not at risk and the security experts are advising people on older models to update as soon as possible.
A close reading of the article reveals that earlier releases of Google's version of the Android mobile OS weren't as secure as they are now. This will come as news to few. The article points out that, "Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset's built-in sensors, including the fingerprint scanner."
Get it? Exploiting the security flaw means that the whole device is compromised: Email apps, microphone, location information, and possibly even the contents of phone calls themselves, but according to the author and editor(s), the news value is in the possibility of capturing a fingerprint image. Of course, it's their outfit; it's their call.
For readers here, instead of "OMG fingerprinst[!]," I'd emphasize that:
Not all mobile operating systems are created equal.
Different mobile applications offer a different mix of privacy costs and benefits.
Installing OS updates and patches is very important.
If the OS is compromised, the applications it runs are vulnerable.
Left out of the information readily available online about this hack is how the people at FireEye got their malware onto the hardware in the first place. Past "hacks" of biometric systems have been executed on a playing field that is far more favorable than the real world to the the hackers, where all the other layers of the security regime are stripped away from the one security link they want to test. Here's a particularly striking example. If FireEye rooted the phone, side-loaded their malware onto the device, and went from there, this isn't a hack in any real sense — it's a malware test.
That hypothetical scenario would mimic a real world example where a user lost their phone and bad guys got it, loaded software on it and then returned the mobile device to the user who continued as if nothing had happened. In the security world, if you lose control of the hardware, all bets are off for anything that isn't encrypted (with a strong key).
So, without more information, it's hard to say how big a deal this is, or in many (most?) cases, was. In the bigger picture, this is a Google Android OS story. The subtext is that users who care about mobile device security should be thoughtful about what device/OS/app combinations they adopt, keep their device's software up to date, and be careful about malware.
As automated and convenient security including biometrics becomes better and more common, the highway robbers of the 21st Century are increasingly forced to turn to social engineering techniques rather than frontal assaults on security technology.
See: The Con is Mightier than the Hack
