HTC system flaw left user fingerprints open to hackers
Researchers from FireEye Labs discovered the vulnerability (PDF) in HTC's One Max smartphone. “One example is HTC One Max—the fingerprint is saved as /data/dbgraw.bmp with 0666 permission (world-readable). Any unprivileged processes or apps can steal user's fingerprints by reading this file,” they said.
They went on to say,
To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.
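The root cause the researchers describe is a plain file-permission defect: a bitmap written with mode 0666 can be read by any process on the device. The following Python script is an added example, not part of the article or the FireEye paper, showing the kind of audit a defender would run over a filesystem image to find such files and the one-line remediation that strips group and world access. The directory layout, file names other than `dbgraw.bmp`, and the image suffix list are constructed for the demonstration; on a real device the path `/data/dbgraw.bmp` is the one the report names.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_world_readable(mode: int) -> bool:
    """True when the 'other' read bit (S_IROTH) is set in a stat mode.
    0666 (the mode from the report) sets it; 0600 does not."""
    return bool(mode & stat.S_IROTH)


def find_world_readable(root: str, suffixes=(".bmp", ".png", ".raw")) -> list:
    """Walk `root` and return root-relative paths of regular files whose mode
    grants read access to every user. The suffix filter is an assumption for
    this example; an audit of a real image would scan every file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and is_world_readable(st.st_mode):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def restrict_to_owner(path: str) -> int:
    """Remediation: clear all group and other bits, keep the owner bits.
    Returns the new permission bits (e.g. 0o600 for a 0o666 input)."""
    st = os.lstat(path)
    new_mode = stat.S_IMODE(st.st_mode) & ~(stat.S_IRWXG | stat.S_IRWXO)
    os.chmod(path, new_mode)
    return new_mode


def build_demo_tree() -> str:
    """Constructed sample tree (not a real device image): one bitmap with the
    0666 mode from the report and one with a restrictive 0600 mode."""
    root = tempfile.mkdtemp(prefix="fpaudit_")
    data = Path(root, "data")
    data.mkdir()
    exposed = data / "dbgraw.bmp"
    exposed.write_bytes(b"BM" + b"\x00" * 14)  # placeholder BMP header bytes
    os.chmod(exposed, 0o666)
    protected = data / "template.bmp"  # hypothetical name for a correctly protected file
    protected.write_bytes(b"BM" + b"\x00" * 14)
    os.chmod(protected, 0o600)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("world-readable before fix:", find_world_readable(root))
    for rel in find_world_readable(root):
        restrict_to_owner(os.path.join(root, rel))
    print("world-readable after fix:", find_world_readable(root))
```

On a rooted test device the same check is a single shell command, `find /data -type f -perm -o=r`, run over the live filesystem; the script above is the offline equivalent for an extracted image. Note that fixing the mode only closes the exposure going forward; any process that was already reading the file has the images it collected.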
Instead of using a protected system that keeps fingerprint data locked away from the rest of the smartphone—like Apple's Secure Enclave or ARM's TrustZone—HTC tossed its users' fingerprints in with the rest of the data on the phone.
The iPhone's TouchID sensor, for example, scans and then stores users' fingerprints in the Secure Enclave. The prints are converted to digital algorithms instead of images, and apps never have direct access to them. Instead, apps that use TouchID for authentication can ask iOS to verify fingerprints, but don't actually get direct access to any data or the scanning process.
HTC says its problem wasn't supposed to happen and that it has a fix for the security flaw. The company also said the only phone with the issue is the One Max.
Still, the fact that this is an issue at all calls into question HTC's dedication to customer security and data privacy. It also implies HTC stores scanned fingerprints as images instead of in a format that isn't usable should the system's secure storage component be compromised.
HTC isn't the only Android-based smartphone maker that could be leaving users' biometric data (in this case, fingerprints) exposed to potential hackers.
“We found that the fingerprint sensor itself in many devices is still exposed to the attackers,” FireEye's researchers said. “Although the ARM architecture enables isolating critical peripherals from being accessed outside TrustZone (e.g. by programming the TrustZone Protection Controller), most vendors fail to utilize this feature to protect fingerprint sensors.”
In other words, just because an Android smartphone maker says they're using a secure system for storing biometric data, that doesn't mean your fingerprints really are protected. That's bad news since fingerprints are becoming more popular as an authentication system instead of passwords. You can change passwords, but your fingerprints are forever.
For now, it looks like iPhone owners are safe, but that doesn't mean hackers won't find a way to exploit the Secure Enclave. As always, the best course for end users is constant vigilance, and don't install mobile apps from untrusted sources.