HTC caught red handed storing fingerprints


FireEye researchers have discovered a flaw in the HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open “world readable” folder.

“Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” the team says.

There are four vulnerability scenarios in which biometric data normally secure in an Android phone’s TrustedZone can be pilfered.

One such scenario shows how attackers can have money transfers authenticated by throwing a fake lock screen prompting a victim to scan their fingerprints to unlock a device.


“To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger,” the team says.

“So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.”



Even worse: kernel access permissions often only restrict to root privilege, not system, meaning modified or ‘rooted’ Android devices are at risk even if those protections are applied.

The team says attackers with some remote code execution exploits in hand can harvest these fingerprints en masse.

Attackers could in a probably less likely scenario add their fingerprints to a device which they have physical access to by uploading a print image. A disconnect between the number of authorized prints and actual authorized prints means the uploaded biometric could be seen as a “backdoor”, the team says.

The best solution? Stop giving your fingerprints away dummy…unless you enjoy being framed for crimes or something like that.
Want to know what is more secure and even more convenient?

It’s called picture password. Available now on BlackBerry 10. Instead of sliding your finger, how about just sliding a number that only you know, to a location on a photo that only you know. No biometric data needed or stored.

Get a BlackBerry. Sleep well at night.



I am a long time BlackBerry user and fan. Beginning with the 7520, I have recognized the value of subtle productivity enhancements in BlackBerry devices for business communication and have never since strayed. Even when the iPhone took the market by storm, I was unimpressed, because it did nothing to help my business needs. Currently enjoying my one handed dream phone, the Classic! BB10 with a toolbelt! Today I contribute to UTB whenever I feel that I can help enlighten someone on the benefits of using BlackBerry over any other platform.

  • BB Racer !!

    Totally Catastrophic !

  • Canuckvoip

    I cannot see a situation where my fingerprint is more convenient than other forms of recognition (like your mentioned pic password). It just isn’t as reliable, and of course the downside is potentially tremendous.
    HTC fail!

  • Anyone who honestly believes that these companies that offer a fingerprint scanner aren’t: storing them are completely deluded.

    And besides, Picture Password IS more secure and works much more reliably than this gimmick which has a very dark side indeed.

  • jrohland

    HTC customers should have read my blog post on this very site entitled:

    The [nearly] useless 3rd factor

    • Blackjack

      Beautiful article J.R. I missed it the first time.

  • Schmurf

    I wonder how well our friends at the rotten core fare in terms of safeguarding sheeples’ fingerprints.