
Researchers Detail ‘Severe’ Mobile Fingerprint Flaws

Security researchers have highlighted what they called “severe” security bugs in the way fingerprint scanners are implemented in smartphones, finding that fingerprint images on one device were stored in an easily readable format in a folder accessible to any user.

Speaking at the Black Hat conference in Las Vegas, researchers from FireEye said the HTC One Max handset mistakenly stored fingerprint images in plaintext in a publicly accessible place – the images were stored in the path /data/dbgraw.bmp with world-readable permissions, they said.

HTC fixed the bug following a notification from FireEye, according to the researchers, but due to sluggish update systems in the smartphone world the patch may take some time to reach end-user devices.

Researchers Yulong Zhang and Tao Wei also highlighted several other vulnerabilities, including ones that could allow attackers to trick users into authorising a payment via their fingerprint or to gain access to the fingerprint scanner itself, allowing them to intercept scans. At the conference, they demonstrated techniques including hijacking a fingerprint-protected mobile payment and collecting fingerprints from popular mobile devices.

They said threats to fingerprint-scan security are increasingly dangerous due to their use in identity protection and, increasingly, to authorise payments in systems such as Apple Pay. They noted that half of smartphones are expected to ship with fingerprint scanners by 2019.

“Fingerprints last for a life – once leaked, they are leaked for the rest of your life,” they wrote in a research paper released with the talk. “Moreover, fingerprints are usually associated with every citizen’s identity, immigration record, etc. It would be a hazard if an attacker could remotely harvest fingerprints on a large scale.”

Security glitches

FireEye found that most smartphone manufacturers failed to use the TrustZone security architecture built into mobile ARM processors properly to lock down fingerprint scanners, meaning the scanners were left accessible to malicious programs.

This vulnerability means that an attacker who successfully implanted a malicious program onto a handset could intercept fingerprint scans every time the scanner was used, FireEye said.

“Attackers can do this stealthily in the background and they can keep reading the fingerprints on every touch of the victim’s fingers,” the researchers wrote. “Attackers with remote code execution exploits can remotely harvest…fingerprints on a large scale, without being noticed.”

Context confusion

In another attack, a malicious program could fool a user into thinking an authentication action was being performed, when in fact the program was carrying out an authorisation, such as authorising a payment. For instance, they said an attacker could create a fake lock screen which, when the user’s fingerprint was scanned, would authorise a malicious transaction.

This “confused authorisation attack” is made possible because many fingerprint security systems don’t provide proof of the context in which the scan was carried out, FireEye said.

“Without proper context proof, the attacker can mislead the victim to authorise a malicious transaction by disguising it as an authentication or another transaction,” the researchers wrote.

TrustZone can be used to provide context proof, but as of June no major vendor has implemented this feature, according to FireEye.
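The following is an added illustration of the "context proof" idea the researchers describe; it is not FireEye's or any vendor's code. It assumes a trusted component (standing in for TrustZone) that binds a fingerprint match to the exact operation the user was shown, so that a match obtained behind a fake lock screen cannot be presented to authorise a payment. The shared HMAC key, the template bytes and the transaction fields are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple


def _canonical(context: dict) -> bytes:
    """Serialise the context deterministically so both sides MAC the same bytes."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


class TrustedFingerprintService:
    """Stands in for code in the secure world. The context it signs is assumed to
    have been rendered to the user by a trusted UI, not by the requesting app."""

    def __init__(self, enrolled_template: bytes):
        self._template = enrolled_template
        # Constructed key; a real design would use an attestation key pair whose
        # private half never leaves the trusted side.
        self.key = os.urandom(32)

    def scan_and_authorise(self, scan: bytes, context: dict) -> Optional[bytes]:
        """Return a proof bound to `context`, or None if the finger does not match."""
        if not hmac.compare_digest(scan, self._template):
            return None
        return hmac.new(self.key, _canonical(context), hashlib.sha256).digest()


def verify_authorisation(key: bytes, expected_context: dict, proof: Optional[bytes]) -> bool:
    """Relying party (e.g. a payment backend) accepts a proof only for the context it asked for."""
    if proof is None:
        return False
    expected = hmac.new(key, _canonical(expected_context), hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def demo() -> Tuple[bool, bool]:
    template = b"constructed-fingerprint-template"  # constructed, not a real template
    tee = TrustedFingerprintService(template)

    # Honest flow: the user is shown the payment details and approves them.
    payment = {"op": "pay", "payee": "merchant-example", "amount_cents": 1999, "nonce": "n1"}
    honest_ok = verify_authorisation(tee.key, payment, tee.scan_and_authorise(template, payment))

    # Confused-authorisation attempt: a scan was obtained for an "unlock" context behind a
    # fake lock screen; because the proof is bound to that context, the payment backend rejects it.
    unlock = {"op": "unlock", "nonce": "n2"}
    replay_ok = verify_authorisation(tee.key, payment, tee.scan_and_authorise(template, unlock))
    return honest_ok, replay_ok  # (True, False)
```

Without the binding step, a bare "fingerprint matched" result is indistinguishable between the two flows, which is exactly the gap the researchers point to.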

The company recommended individual users keep their handsets up to date with the latest patches, and said governments and enterprises should make use of third-party security services to ensure they’re protected from such threats.

FireEye researchers Zhaofeng Chen and Hui Xue also collaborated on the research.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.


  • Our client BIO-key International (www.bio-key.com) $BKYI is very aware of these security vulnerabilities, and its robust fingerprint biometric algorithms and cloud authentication (secure transport) technologies alleviate this vulnerability.

    The rapidly expanding deployment of user-friendly fingerprint biometrics on smartphones provides value and introduces the biometric concept, but device-based authentication does not provide the level of security that most enterprise applications will require. This provides the opportunity for stronger solutions and/or the combination of device-based authentication as well as cloud-based authentication and matching against a known database of authorized records to deliver the security functionality that will meet the needs of a broader base of applications.
