Security research firm FireEye have developed a new spoofing method for acquiring fingerprints from Android smartphone models embedded with biometric sensors such as the Samsung Galaxy S5 and the HTC One Max, according to a report by The Register.
Advertisement
Launched in 2013, the HTC One Max is one of the older fingerprint sensor devices out their, and HTC storing users’ confidential data on devices in such a manner is very careless by the company indeed. Any unprivileged processes or apps can steal the user’s fingerprints by reading this file. “One example is HTC One Max XX the fingerprint is saved as /data/dbgraw.bmp with 0666 permission (worldXreadable)”.
The vulnerabilities, which have now been patched in accordance with the findings of the study, are increasingly relevant as biometric fingerprint authorisation continues to grow in popularity.
They’re also public. You leave fingerprints on, well, nearly everything you touch.
“While some vendors claimed that they store users’ fingerprints encrypted in a system partition, they put users’ fingerprints in plaintext and in a world-readable place by mistake”, said the report. FireEye didn’t have any issue reconstructing the specialized file into a scan of the fingerprint.
“In this attack, victims’ fingerprint data directly fall into attacker’s hand”.
Don’t forget that once a hacker has your fingerprint, the hacker has it for life.
What’s more, the fingerprints were stored as high-resolution bitmap images, marking this as a serious security failure. “Without the proper lock down, an attacker… can directly read the fingerprint sensor”.
Talking about other security faults in Android, the researchers said that even if the protection of fingerprint data in a so-called “TrustZone” is indeed trustworthy, it only means that the fingerprints previously registered on the devices are secured. Also, the classic “stay away from unreliable sources” still applies and may keep you away from malicious apps in the long run.
Researchers at FireEye believe that they are the first to discover the flaw, which means the manufacturers should have time to release a patch before hackers begin to exploit it.
Zhang was part of a team that revealed that several Android smartphones from makers including Samsung and HTC featured vulnerabilities that could allow bad guys to steal users’ fingerprints.
Advertisement
V3 contacted HTC and Samsung for comment but neither had replied at the time of publication.
