FireEye researchers have discovered a flaw in the HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open “world readable” folder.
“Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” the team says.
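The whole problem on the HTC One Max is that a raw fingerprint bitmap sits on the filesystem with a mode any app can read. The script below is an added example, not FireEye's code or anything shipped by HTC: it walks a directory, flags files whose mode grants read to "other", and parses the 54-byte BMP header so the finding says what kind of image is exposed. The sample files (a 160x160 dbgraw.bmp with mode 0644, a locked-down copy with 0600, and a world-readable text file) are constructed inline so it runs offline; the file names and dimensions are assumptions for the demo, not values taken from the device.

```python
import os
import stat
import struct
import tempfile


def world_readable(path):
    """True if the mode bits grant read to 'other', i.e. any unprivileged process."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def parse_bmp_header(path):
    """Return (width, height, bits_per_pixel) when the file carries a BMP header.

    Only the classic 14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER
    layout is parsed; anything else yields None.
    """
    with open(path, "rb") as fh:
        head = fh.read(54)
    if len(head) < 54 or head[:2] != b"BM":
        return None
    # biWidth / biHeight are int32 at offsets 18 and 22, biBitCount uint16 at 28.
    width, height = struct.unpack_from("<ii", head, 18)
    bpp = struct.unpack_from("<H", head, 28)[0]
    # A negative height means a top-down bitmap; the magnitude is the row count.
    return width, abs(height), bpp


def find_exposed_bitmaps(root):
    """Walk root and report every BMP that an unprivileged local process could read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not world_readable(path):
                continue
            info = parse_bmp_header(path)
            if info is None:
                continue
            findings.append((path, info))
    return sorted(findings)


def make_minimal_bmp(width, height, bpp=8):
    """Build a syntactically valid, all-zero-pixel BMP to use as constructed sample input."""
    row_bytes = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte boundaries
    pixel_bytes = row_bytes * height
    file_size = 54 + pixel_bytes
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 54)
    info_header = struct.pack(
        "<IiiHHIIiiII", 40, width, height, 1, bpp, 0, pixel_bytes, 2835, 2835, 0, 0
    )
    return file_header + info_header + b"\x00" * pixel_bytes


def demo():
    """Constructed sample tree (assumed names/sizes): one exposed raw print bitmap,
    one with sane permissions, and one world-readable file that is not an image.
    Returns [(basename, (width, height, bpp)), ...] for the exposed bitmaps only."""
    root = tempfile.mkdtemp(prefix="fp_audit_")
    samples = {
        "dbgraw.bmp": (make_minimal_bmp(160, 160), 0o644),
        "locked.bmp": (make_minimal_bmp(160, 160), 0o600),
        "notes.txt": (b"not a bitmap\n", 0o644),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return [(os.path.basename(p), info) for p, info in find_exposed_bitmaps(root)]


if __name__ == "__main__":
    for name, (w, h, bpp) in demo():
        print(f"{name}: {w}x{h} @ {bpp} bpp is readable by any process")
```

Run it against a directory pulled off a device with adb and it reports only the bitmaps whose mode actually lets any process read them; the mode check is what matters here, since on the HTC One Max the fix was the permissions, not the file format.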
The team describes four attack scenarios in which biometric data that should stay inside the phone's TrustZone (the ARM secure world Android relies on for fingerprint handling) can be pilfered.
In one, an attacker gets a money transfer authorized by throwing up a fake lock screen: the victim thinks they are swiping to unlock the device, but that same swipe is what confirms the attacker's payment.
“To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger,” the team says.
“So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.”
Even worse: on many devices the fingerprint sensor is guarded only by kernel permissions (restricted to root, or on some devices merely to system privilege) rather than by TrustZone, so a rooted device, or an attacker holding a root exploit, can read the sensor directly even with those permission checks in place.
The team says an attacker who pairs this with a remote code execution exploit could harvest fingerprints from many devices at once.
In a less likely scenario, an attacker with physical access to a device could pre-load their own print image. Because the number of prints the user sees as enrolled need not match the number the sensor will actually accept, the planted print works as a “backdoor”, the team says.
The best solution? Stop giving your fingerprints away, dummy… unless you enjoy being framed for crimes or something like that.
Want to know what is more secure and even more convenient?
It’s called picture password. Available now on BlackBerry 10. Instead of sliding your finger, how about just sliding a number that only you know, to a location on a photo that only you know. No biometric data needed or stored.
Get a BlackBerry. Sleep well at night.