Security issues in some Android handsets leave fingerprints exposed
Worse, the image files are not stored in any kind of secure partition and are “world readable”, meaning that, as the FireEye experts put it, “[a]ny unprivileged processes or apps can steal” the user data.
The researchers tested their attack on the HTC One Max and Samsung’s Galaxy S5 and succeeded in stealing a fingerprint image from the device, because neither handset properly locked down the fingerprint sensor: the captured image was written to ordinary storage that any process could read.
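The check a practitioner would want here is a permissions audit: on Android every app runs under its own Linux UID, so a file whose mode grants read access to “other” (the `S_IROTH` bit) is readable by every installed app. The following is an added example, not code from FireEye or from either vendor; it builds a constructed scratch directory with one image written at the default world-readable mode and one written privately, and flags the leaky one. The file names and placeholder bytes are assumptions for the demo, not real sensor output.

```python
import os
import stat
import tempfile


def world_readable(path):
    """True if the 'other' class has read permission on path (S_IROTH set)."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def audit_dir(root):
    """Walk root and return the sorted list of files readable by any UID.

    On Android 'any UID' means 'any app', which is exactly the condition
    the article describes for the dumped fingerprint images."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if world_readable(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def write_private(path, data):
    """Write data with mode 0600 set at creation time.

    Creating the file with the restrictive mode (rather than chmod after
    open()) avoids the window in which a default-mode file is readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: one image dumped carelessly, one written privately.

    Returns the list of world-readable files the audit finds."""
    root = tempfile.mkdtemp()
    os.umask(0o022)  # common default: plain open() yields mode 0644
    placeholder = b"BM" + b"\x00" * 60  # constructed stand-in, not a real scan

    leaky = os.path.join(root, "fp_leaky.bmp")  # assumed name
    with open(leaky, "wb") as f:  # default mode -> world readable
        f.write(placeholder)

    write_private(os.path.join(root, "fp_private.bmp"), placeholder)  # assumed name
    return audit_dir(root)


if __name__ == "__main__":
    print("world-readable files:", demo())  # expected: ['fp_leaky.bmp']
```

The audit only inspects mode bits; it does not try to open the files, so it behaves the same whether run as root or as an unprivileged user, and it can be pointed at an app’s data directory on a rooted test device via `adb shell` to confirm that sensor output never lands in world-readable storage.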
Biometrics are becoming an increasingly prevalent method of authentication, so a third-party obtaining your fingerprints could be bad news for your privacy.
Anyone who reads the image file holds a complete copy of the fingerprint, and unlike a password a fingerprint cannot be changed once it has leaked.
“Biometric data is personal, it’s an image of my fingerprint”, said Professor Angela Sasse from University College London.
The researchers, Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei, claim that it is trivial to create a malicious application which sits in the background and steals the data, including capturing every single fingerprint swiped on the device, regardless of whether or not the resulting unlock operation was successful.
The study recommends that mobile device vendors improve the “security design of the fingerprint authorisation framework”.
Prof Sasse said storing a fingerprint in an unencrypted format was “like writing your password on a notepad”.
“Moreover fingerprints are usually associated with every citizen’s identity, immigration record, etc. It would be a hazard if the attacker can remotely harvest fingerprints on a large scale”.
Using a fingerprint in place of a password therefore carries a risk a password does not: it cannot be rotated after it is stolen.
While confirming that these security vulnerabilities have since been patched by the Taiwanese manufacturer, the report encourages prospective and upgrading Android users to “choose mobile device vendors with timely patching/upgrading to the latest version… and always keep your device up to date”.
The findings of the FireEye study are the most recent setback for Android systems.
V3 contacted HTC and Samsung for comment but neither had replied at the time of publication.
The discovery, presented in a recent paper from security firm FireEye, has raised new concerns about the rapid transition to using fingerprints as a primary form of identification.