
Researchers Detail ‘Severe’ Mobile Fingerprint Flaws

Security researchers have highlighted what they called “severe” security bugs in the way fingerprint scanners are implemented in smartphones, finding that fingerprint images on one device were stored in an easily readable format in a folder accessible to any user.

Speaking at the Black Hat conference in Las Vegas, researchers from FireEye said the HTC One Max handset mistakenly stored fingerprint images in plaintext in a publicly accessible place – the images were stored in the path /data/dbgraw.bmp with world-readable permissions, they said.

HTC fixed the bug following a notification from FireEye, according to the researchers, but due to sluggish update systems in the smartphone world the patch may take some time to reach end-user devices.

Researchers Yulong Zhang and Tao Wei also highlighted several other vulnerabilities, including ones that could allow attackers to trick users into authorising a payment via their fingerprint or to gain access to the fingerprint scanner itself, allowing them to intercept scans. At the conference, they demonstrated techniques including hijacking a fingerprint-protected mobile payment and collecting fingerprints from popular mobile devices.

They said threats to fingerprint-scan security are increasingly dangerous due to their use in identity protection and, increasingly, to authorise payments in systems such as Apple Pay. They noted that half of smartphones are expected to ship with fingerprint scanners by 2019.

“Fingerprints last for a life – once leaked, they are leaked for the rest of your life,” they wrote in a research paper released with the talk. “Moreover, fingerprints are usually associated with every citizen’s identity, immigration record, etc. It would be a hazard if an attacker could remotely harvest fingerprints on a large scale.”

Security glitches

FireEye found that most smartphone manufacturers failed to use the TrustZone security architecture built into mobile ARM processors properly to lock down fingerprint scanners, meaning the scanners were left accessible to malicious programs.

This vulnerability means that an attacker who successfully implanted a malicious program onto a handset could intercept fingerprint scans every time the scanner was used, FireEye said.

“Attackers can do this stealthily in the background and they can keep reading the fingerprints on every touch of the victim’s fingers,” the researchers wrote. “Attackers with remote code execution exploits can remotely harvest…fingerprints on a large scale, without being noticed.”

Context confusion

In another attack, a malicious program could fool a user into thinking an authentication action was being performed, when in fact the program was carrying out an authorisation, such as authorising a payment. For instance, they said an attacker could create a fake lock screen which, when the user’s fingerprint was scanned, would authorise a malicious transaction.

This “confused authorisation attack” is made possible because many fingerprint security systems don’t provide proof of the context in which the scan was carried out, FireEye said.

“Without proper context proof, the attacker can mislead the victim to authorise a malicious transaction by disguising it as an authentication or another transaction,” the researchers wrote.

TrustZone can be used to provide context proof, but as of June no major vendor has implemented this feature, according to FireEye.
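As an added illustration (not code from FireEye's paper or from any vendor's fingerprint API), the Python sketch below models the difference between a bare "matched" result and one that carries context proof: the trusted side binds the match to the exact action the user was shown, so a scan taken on a fake lock screen cannot be turned into a payment authorisation. The HMAC key, the `tee_fingerprint_match` and `verify_context_proof` functions and the transaction fields are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key standing in for a key that never leaves the trusted world.
# In a real design this would be an asymmetric signing key whose public half the
# payment verifier holds; HMAC is used here only to keep the example self-contained.
TEE_KEY = b"constructed-tee-key-not-a-real-secret"


def _bind(context: dict, nonce: bytes) -> bytes:
    """Canonical encoding of the context the user was shown plus a fresh nonce."""
    return json.dumps(context, sort_keys=True).encode() + nonce


def tee_fingerprint_match(shown_context: dict, nonce: bytes) -> dict:
    """Simulated trusted-world scan result (assumed design).

    Besides the match bit it returns a proof over the context that was actually
    displayed when the finger touched the sensor, so the result is only valid
    for that one action."""
    matched = True  # constructed: pretend the finger matched the enrolled template
    proof = hmac.new(TEE_KEY, _bind(shown_context, nonce), hashlib.sha256).hexdigest()
    return {"matched": matched, "proof": proof}


def authorize_without_context(result: dict) -> bool:
    """Weak pattern: any successful scan authorises whatever the caller asks for.
    This is the 'confused authorisation' gap described in the article."""
    return bool(result["matched"])


def verify_context_proof(result: dict, expected_context: dict, nonce: bytes) -> bool:
    """Accept the scan only if its proof covers the transaction we are about to run."""
    expected = hmac.new(TEE_KEY, _bind(expected_context, nonce), hashlib.sha256).hexdigest()
    return bool(result["matched"]) and hmac.compare_digest(result["proof"], expected)


def authorize_with_context(result: dict, transaction: dict, nonce: bytes) -> bool:
    """Hardened pattern: the payment is authorised only by a scan bound to it."""
    return verify_context_proof(result, transaction, nonce)


if __name__ == "__main__":
    nonce = b"\x01" * 16  # constructed; a real verifier issues a fresh random nonce
    shown = {"action": "unlock"}  # what the (fake) lock screen displayed
    payment = {"action": "pay", "amount": "499.00", "payee": "constructed-merchant"}
    scan = tee_fingerprint_match(shown, nonce)
    print("bare match authorises payment:", authorize_without_context(scan))      # True
    print("bound match authorises payment:", authorize_with_context(scan, payment, nonce))  # False
```

The second check also rejects replay: a proof computed under one nonce fails verification under any other, so a captured result cannot be presented again later.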

The company recommended individual users keep their handsets up to date with the latest patches, and said governments and enterprises should make use of third-party security services to ensure they’re protected from such threats.

FireEye researchers Zhaofeng Chen and Hui Xue also collaborated on the research.


Matthew Broersma

Matt Broersma is a long-standing freelance technology journalist who has worked for Ziff-Davis, ZDNet and other leading publications.


  • Our client BIO-key International (www.bio-key.com) $BKYI is very aware of these security vulnerabilities & its robust fingerprint biometric algorithms and cloud authentication (secure transport) technologies alleviate this vulnerability

    The rapidly expanding deployment of user-friendly fingerprint biometrics on smartphones provides value and introduces the biometric concept, but device-based authentication does not provide the level of security that most enterprise applications will require. This provides the opportunity for stronger solutions and/or the combination of device-based authentication as well as cloud-based authentication and matching against a known database of authorized records to deliver the security functionality that will meet the needs of a broader base of applications.
