Android phones that have biometric sensors are vulnerable to theft.
Fingerprints Stored As Bitmap File
This flaw surfaced when the cyber security and malware protection firm found that One Max stores fingerprints as an image file (dbgraw.bmp) in a “world readable” folder, as reported by The Register.
“Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” the FireEye Labs says.
The images can also be converted into clear prints by adding some padding, the group added.
The report, which was co-authored by Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei of FireEye Labs, says, “While some vendors claimed that they store users’ fingerprints encrypted in a system partition, they put users’ fingerprints in plaintext and in a world-readable place by mistake.”
While the fingerprint scanner is used to unlock the phone, it is also used to authorize payments and money transfers through PayPal. The security firm said that “most vendors fail to lock down the [fingerprint] sensor. Without the proper lock down, an attacker… can directly read the fingerprint sensor.”
Security researcher and ACLU policy analyst Chris Soghoian said that HTC, after failing to “take reasonable steps” to protect several devices against security threats, was issued an order in February 2013 from the Federal Trade Commission to not mislead its customers. The smartphone manufacturer had not provided “adequate security training” to its engineers and did not review its software for flaws.
Following the discovery of the fingerprint security vulnerability, computer security researcher Graham Cluley said, “If we can’t trust the manufacturers of the computers that we put in our pockets and carry around with us all day, every day, to take security more seriously than this – what on earth are the chances that the internet of things will ever be safe?”
Fingerprint Theft Can Have Severe Consequences
After being notified, HTC issued a software update to rectify the flaw.
According to International Business Times, the theft of one’s fingerprint can potentially have severe drastic consequences – for they are used to create biometric data in passports and at border control. After finding out that it has been stolen, fingerprints (unlike a user generate password) cannot be changed.
“One leaked” FireEye says in its report, “they are leaked for the rest of your life.”
You might also be interested in: Delta: Pilot Makes ‘Blind’ Emergency Landing After Hail Damages Windshield