Security researchers at FireEye have uncovered a critical weakness in pre-Lollipop versions of Android that exposes fingerprint readers to hackers, essentially letting them record your fingerprint directly from the scanner. The Galaxy S5 was singled out as the most vulnerable device, but it is unclear exactly how many other Android devices are affected. The key takeaway from this revelation is that once your fingerprint has been hacked, it has been hacked for life.
Where the weakness lies
The stronghold built for storing your fingerprints on the device is not the issue: this remains impenetrable to hackers (at least for now). As you may have guessed in this post-Snowden world, the intercept comes before the fingerprint ever gets to the secure storage area.
Hackers need only install a root-level program to read the data directly from the scanner itself. It's the hacker equivalent of taking the money as it makes its way between the armored truck and the bank rather than from the truck or bank itself. As with all secure systems, the most exposed point of any transaction is the most obvious place to launch an attack. As Yulong Zhang from FireEye explained to Forbes:
"If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time. Every time you touch the fingerprint sensor, the attacker can steal your fingerprint. You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want." - Yulong Zhang, FireEye
FireEye tested a variety of Android devices and found the Galaxy S5 to be particularly susceptible, requiring only system-level access for the exploit. Samsung is looking into the claims, but FireEye is quick to acknowledge that the weak point is not present in Android Lollipop, which the Galaxy S5 is currently running. However, other fingerprint scanner-equipped devices that are yet to make the jump to Android Lollipop are still vulnerable.
This is why you should never use a fingerprint scanner
As FireEye notes, if hackers steal your password you can change it, but if they steal your fingerprint it's a problem for life. In a world where fingerprint verification is gaining traction, protecting your fingerprint suddenly becomes the most serious security risk you're ever likely to encounter. FireEye goes so far as to suggest not using fingerprint scanners at all. If you ever needed a reason to upgrade to Lollipop, this is it.
FireEye will present its findings on the Galaxy S5 and other affected Android devices at the RSA 2015 conference.