You’re concerned about security, so when your Android smartphone gives you the option of scanning your fingerprint to unlock the device, open certain apps, or authorise a money transfer, you turn it on.
Well, maybe you shouldn’t if you’re the owner of an HTC One Max Android phone. Because security researchers have revealed that the so-called smartphone stores an image of users’ fingerprints without a seeming care in the world about security:
“The fingerprint is saved as /data/dbgraw.bmp with ‘0666’ permission (world-readable). Any unprivileged processes or apps can steal users fingerprints by reading this file.”
It would be bad enough that the file containing the fingerprint image is so easy to access, rather than stored in a more secure part of the system, but it is also – get this – unencrypted too. Sigh…
What’s more, any malicious app running on your HTC One Max Android phone could also be scooping up your fingerprint each and every time you use it:
“To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.”
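To make the permission problem concrete, here is an added audit snippet (not from the FireEye report or the article) that flags a file as world-readable from its mode bits alone and shows the owner-only mode a biometric image should have carried. The file, its contents and its path are constructed stand-ins, not the device's real /data/dbgraw.bmp.

```python
import os
import stat
import tempfile

# Mode bits that expose a file to every other process on the system.
WORLD_READ = stat.S_IROTH
WORLD_WRITE = stat.S_IWOTH


def audit_mode(path):
    """Describe how exposed a file is, judged purely by its permission bits."""
    mode = os.stat(path).st_mode
    return {
        "mode": oct(stat.S_IMODE(mode)),
        "world_readable": bool(mode & WORLD_READ),
        "world_writable": bool(mode & WORLD_WRITE),
        "group_readable": bool(mode & stat.S_IRGRP),
    }


def harden(path):
    """Restrict a sensitive file to its owner (0600) and re-audit it."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return audit_mode(path)


def demo():
    """Constructed example: a stand-in for the reported bitmap, written with mode 0666."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "dbgraw.bmp")  # placeholder path, not the device's
    with open(path, "wb") as f:
        f.write(b"BM" + b"\x00" * 14)  # minimal constructed BMP-like header
    os.chmod(path, 0o666)               # reproduce the reported world-readable mode
    before = audit_mode(path)           # what the article describes
    after = harden(path)                # what it should have been
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

The same `audit_mode` check can be pointed at any directory of stored credentials or templates; anything reporting `world_readable` is readable by every unprivileged app, exactly the condition the researchers found.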
It’s a shame that the promotional video for the HTC One Max doesn’t mention this particular undocumented feature of the fingerprint scan:
Still happy that you enabled fingerprint scanning in that app you use to transfer money from your bank account?
The research – by Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei of FireEye Labs – was presented at the BlackHat conference last week. You can read the full report here.
If we can’t trust the manufacturers of the computers that we put in our pockets and carry around with us all day, every day, to take security more seriously than this – what on earth are the chances that the internet of things will ever be safe?
3 comments on “It’s easy to steal fingerprints from users of the HTC One Max Android phone”
"The fingerprint is saved as /data/dbgraw.bmp with '0666' permission (world-readable). Any unprivileged processes or apps can steal users fingerprints by reading this file."
This is just as bad as people (e.g. 'helpers' and whatever else they would like to believe themselves) telling someone to test write permissions on a file (or directory) by making it 0777 (world read, write, execute) … you'll change it back so it is OK. Except it isn't OK; it is terrible advice and if you understand (which clearly they don't) how permissions work, you would understand just how overkill (and brain dead) it is. They'll even suggest this when permissions are perfectly fine, as if they want to prove it is the one asking for help that is at fault. Maybe they did do something wrong but they should show it in a helpful way. 0666 access is irresponsible for something like this even if encrypted (which it seems it isn't, which is worse).
"what on earth are the chances that the internet of things will ever be safe?"
Alas, we both know the IoT will never be safe. Recent weeks alone show this but yet that isn't anything new. But tell that to the masses; all they can think about is smart technology, when yet the definition of 'smart' (in relation to technology) tells otherwise.
Is anyone else worried about the security and privacy implications of the rise in the use of biometric authentication?
In the example above, the phone's designers make the assumption that a real finger is required for successful log-on. But the story above of police copying a fingerprint isn't the first time this has been done – a number of similar schemes have been successfully demonstrated defeating fingerprint readers. And, crucially, once your fingerprint has been stolen and copied, YOU CAN'T CHANGE IT – ever! That gives a whole new, frightening meaning to the term 'identity theft'.
At their most basic, encryption systems rely on having an algorithm – the methodology by which the data is encrypted (like the workings of a particular model of lock on your door), and a changeable key – a unique 'tweak' to the algorithm (like the key to that lock). The security of the system depends on the combination of algorithm and key. Normally, it's accepted that ultimately the algorithm will become public (even if it starts off secret), and therefore the security lies principally with the key. If the key is stolen or discovered, then anything protected by it is compromised, but at least you can change it and the security of the system going forwards remains protected.
As I see it, in biometric authentication systems, the 'algorithm' is the knowledge of how to read a fingerprint (or whatever) – and in the case of an attacker, copy it successfully and economically, and the 'key' is the individual fingerprint (or whatever). But we leave fingerprints everywhere, so the key is not secure. And IT'S NOT CHANGEABLE! That puts ALL the security back with the algorithm – i.e., the security of the system depends entirely on the hardware difficulty of creating a working copy fingerprint. And it's already been done – the only step remaining being how to do it reliably, quickly and cheaply.
The same argument can be used with any biometric authentication system – basically, I believe if it can be read, then (ultimately) it can be copied. I'd be really pleased if someone could convince me I'm talking nonsense, but I don't think I am. And, for the moment, the day my bank requires me to submit a fingerprint to log on will be the day I change bank.