HTC One Max Stores Fingerprint Data As World Readable Plaintext
Fingerprint sensors are the next big thing in the mobile smartphone world these days. Nearly every top tier device comes with biometric recognition on board, with the likes of Apple, Samsung, HTC, Huawei already in the race and even Sony expected to enter it soon. But while unlocking your device with the swipe of a finger might be very convenient, its also very risky in terms of security if not stored correctly on your device. Folks over at FireEye have been checking fingerprint security over the past couple days and the results might surprise you.
HTC’s Devices Store Your Fingerprint Data As Easily Accessible Plaintext
FireEye solutions’ Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei decided to take a look at how secure devices in the Android world are when it comes to storing your fingerprints, and the results are not very rosy at all. What they’ve discovered is that not only can your prints be easily accessed in some devices, but attackers can also trick users into authenticating ill-intent transactions by disguising them as real ones.
In addition, its also very much possible to embed fabricated fingerprints on devices as authentication backdoors, making things a lot more insecure. And that’s all if the attacker just hasn’t lifted your fingerprint off of the device already. According to folks over at FireEye, instead of encrypting fingerprint data and storing it in a separate partition, manufacturer’s simply store them as world readable plain text.
According to them: “One example is HTC One Max – the fingerprint is saved as /data/dbgraw.bmp with 0666 permission (world-readable). Any unprivileged processes or apps can steal user’s fingerprints by reading this file. Other vendors store fingerprints in TrustZone or Secure Enclave, but there are still known vulnerabilities for attackers to leverage to peek into the secret world.”
Launched in 2013, the HTC One Max is one of the older fingerprint sensor devices out their, and HTC storing users’ confidential data on devices in such a manner is very careless by the company indeed. While the researchers haven’t gotten into any other devices made by the manufacturer, it does cast a serious doubt on all of HTC made devices out there. We’ve contacted HTC for comments and will let you know as soon as they reply. Stay tuned and let us know what you think in the comments section below.