HTC phone stores fingerprints in easily accessible plaintext
Pressing a finger on your mobile phone’s fingerprint scanner has to be the easiest, most seamless way to unlock the device, and this is why more and more manufacturers equip their mobile products with it. In fact, it is predicted that by 2019, 50% of all shipped smartphones will have a fingerprint sensor.
But there is a downside to authentication via fingerprint: unlike passwords, fingerprints can’t be changed, and once compromised, they remain compromised forever.
You would think that, because of this fact, anyone involved in implementing this kind of authentication would be extra careful to make sure that this information doesn’t fall into the wrong hands. Unfortunately, that’s not the case.
FireEye researchers Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei have decided to see how secure this information is on several Android devices and when handled by several authentication and authorization frameworks, and the results of their research are scary.
They found that it’s possible to mislead the victim into authorizing a malicious transaction by disguising it as an authentication or another transaction, and that attackers can stealthily embed prefabricated fingerprints in the devices as an authorization backdoor before providing a new device to the victim.
They also discovered vulnerabilities in the way devices store the fingerprints.
“While some vendors claimed that they store user’s fingerprints encrypted in a system partition, they put users’ fingerprints in plaintext and in a world-readable place by mistake,” the researchers explained to the audience at Black Hat USA 2015.
“One example is HTC One Max – the fingerprint is saved as /data/dbgraw.bmp with 0666 permission (world-readable). Any unprivileged processes or apps can steal user’s fingerprints by reading this file. Other vendors store fingerprints in TrustZone or Secure Enclave, but there are still known vulnerabilities for attackers to leverage to peek into the secret world.”
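The defect quoted above is a plain filesystem-permission failure: a biometric image written to a world-readable path, so the check a device integrator or auditor wants is one that flags any such file before it ships. The following audit script is an added example, not code from the article or from the FireEye researchers; it walks a directory tree and reports every regular file whose mode grants read or write access to "other". The sample tree it builds is constructed for the demonstration (only the path name dbgraw.bmp under data/ is taken from the page; the 0666 and 0600 modes, file contents, and the template.bin counter-example are assumptions).

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that grant access to any local user or app ("other").
WORLD_READ = stat.S_IROTH
WORLD_WRITE = stat.S_IWOTH


def world_access(path):
    """Return (world_readable, world_writable) for a single path.

    lstat is used so a symlink's own mode is inspected rather than the
    mode of whatever it points at."""
    mode = os.lstat(path).st_mode
    return bool(mode & WORLD_READ), bool(mode & WORLD_WRITE)


def audit_world_accessible(root):
    """Walk `root` and return a sorted list of (relative path, octal mode)
    for every regular file that is world-readable or world-writable.

    Symlinks are not followed, so a planted link cannot redirect the audit
    outside the tree being inspected."""
    findings = []
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = Path(dirpath) / name
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip sockets, devices, symlinks, etc.
            readable, writable = world_access(full)
            if readable or writable:
                rel = str(full.relative_to(root)).replace(os.sep, "/")
                findings.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway tree (not a real device image) that mirrors the
    pattern described in the article: a biometric dump under data/ left at
    0666, beside a correctly restricted 0600 file (constructed example)."""
    base = tempfile.mkdtemp(prefix="fp-audit-")
    data = Path(base) / "data"
    data.mkdir()
    leaky = data / "dbgraw.bmp"  # file name from the article; contents constructed
    leaky.write_bytes(b"BM" + b"\x00" * 16)
    os.chmod(leaky, 0o666)  # world-readable and world-writable, the reported defect
    private = data / "template.bin"  # assumed counter-example, owner-only access
    private.write_bytes(b"\x01\x02\x03")
    os.chmod(private, 0o600)
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, mode in audit_world_accessible(root):
        print(f"{mode} {rel}")  # prints: 0o666 data/dbgraw.bmp
```

Run against a mounted device image or an extracted /data partition, the script lists exactly the files an unprivileged app could read; on a fingerprint-enabled build the expected output for biometric storage is nothing at all, and any hit is a finding to fix before release rather than a configuration to tolerate.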
Finally, they found that the fingerprint sensor in many devices is also exposed to attackers, as it is rarely enclosed in the TrustZone.
There’s not much users can do against these types of attacks – it’s the mobile device vendors that have to react and improve the security design of the auth frameworks (the researchers have offered some suggestions).
Slides from the presentation with examples of attacks are available here.