Fingerprint readers are considered a more secure and convenient way of keeping your smartphone safe – but security researchers have discovered that one handset has been saving fingerprint scans as unencrypted image files that can be read and stolen by any application. The flaw affects the HTC One Max and was revealed at the Black Hat security conference in Las Vegas.
The fingerprint scan is saved as an unencrypted image file, which can be seen and stolen by any application that knows where to look for it. The report, co-authored by Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei of FireEye Labs, states: "While some vendors claimed that they store users' fingerprints encrypted in a system partition, they put users' fingerprints in plaintext and in a world-readable place by mistake."
As well as unlocking the phone in place of entering a PIN or password, the fingerprint scanner can also be used to authorise payments and money transfers through PayPal. Although the One Max is named specifically, the security researchers claim "most vendors fail to lock down the [fingerprint] sensor. Without the proper lock down, an attacker... can directly read the fingerprint sensor."
FireEye said this flaw, in which the fingerprint reader could be monitored as it was used (though stored prints could not be accessed), was found on both the One Max and the Samsung Galaxy S5. It has since been patched, after FireEye alerted the manufacturers.
'To make the situation even worse...'
The report continues: "To make the situation even worse, each time the fingerprint sensor is used for [authentication] operating, the auth framework will refresh that fingerprint bitmap [image] to reflect the latest swiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim."
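The storage mistake the report describes, a plaintext image left in a world-readable place, is something a reviewer can check for on an extracted filesystem tree. The following is an added example, not code from FireEye or HTC; it assumes the tree was extracted with its permission bits preserved, and every file name and byte in the sample data is constructed.

```python
import os
import stat

# Headers of common unencrypted image formats (BMP, PNG, JPEG).
IMAGE_MAGIC = {b"BM": "bmp", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}


def sniff_image(path):
    """Return the image type if the file begins with a plaintext image header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def audit_tree(root):
    """Find regular files under root that are world-readable AND plaintext images."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                continue  # skip symlinks, devices, and files "other" cannot read
            kind = sniff_image(path)
            if kind:
                rel = os.path.relpath(path, root)
                findings.append((rel, kind, oct(stat.S_IMODE(mode))))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data; every name and byte here is invented."""
    samples = {
        "fp/last_swipe.bmp": (b"BM" + bytes(52), 0o644),  # the failure mode
        "fp/owner_only.bmp": (b"BM" + bytes(52), 0o600),  # plaintext, not exposed
        "fp/template.enc": (b"\x8f\x13\xa7" + bytes(51), 0o644),  # opaque blob
    }
    for rel, (data, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)  # set explicitly so the umask cannot alter it
```

The header check is a heuristic: a recognisable image header shows the file is stored in plaintext, but the absence of one does not prove the file is encrypted.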
Computer security researcher Graham Cluley blogged about the discovery: "If we can't trust the manufacturers of the computers that we put in our pockets and carry around with us all day, every day, to take security more seriously than this – what on earth are the chances that the internet of things will ever be safe?"
FireEye says HTC issued a software update to fix the vulnerability after being alerted to it.
Although the immediate danger is for smartphones and payments processed through them to be compromised, the theft of a person's fingerprint has wider-ranging consequences, as prints are increasingly used to form biometric data in passports and at border control. Unlike a password, a fingerprint cannot be changed when it is stolen or copied.
As the researchers say: "Victims can easily replace the stolen passwords with a new one. But fingerprints last for a life – once leaked, they are leaked for the rest of your life."