Slashdot Mirror


HTC Doesn't Protect Fingerprint Data

An anonymous reader writes: Biometric authentication is becoming commonplace — fingerprint scanners have been used on laptops for years, and now they're becoming commonplace on phones, as well. As more devices require your fingerprint to unlock, it becomes more important for each of them to guard that data. It's significant, then, that researchers from FireEye were able to easily grab fingerprint data off several recent phones. The most egregious offender is the HTC One Max, which stores the fingerprint comparison image as a simple .BMP file in a folder that's open to access. "Any unprivileged processes or apps can steal user's fingerprints by reading this file." According to the research they presented at Black Hat (PDF), it would also be simple for hackers who have remotely compromised the device to upload their own fingerprints to grant themselves physical access.
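The defect described in the summary is a file-permission one: a sensitive template stored where any unprivileged process can read it. As an added example (not from the article, the FireEye paper, or HTC's code), the Python script below is the kind of audit a device or app maintainer would run over a data directory to catch that class of mistake, and the matching mitigation. It walks a directory, lists regular files whose mode grants read access to "others", and restricts such a file to its owner. The directory, the file name `fingerprint_template.bmp` and its stub contents are constructed here for the demonstration and are not the real paths or data from the HTC One Max.

```python
import os
import stat
import tempfile


def world_readable_files(root):
    """Walk `root` and return the relative paths of regular files whose
    mode bits grant read access to 'others' (the S_IROTH bit)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def restrict_to_owner(path):
    """Mitigation: drop all group/other bits so only the owning uid can
    read or write the file. Returns the resulting permission bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def build_sample_tree():
    """Constructed sample data (hypothetical names, not the device's files):
    one world-readable 'template' and one file already owner-only."""
    root = tempfile.mkdtemp(prefix="fp_audit_")
    exposed = os.path.join(root, "fingerprint_template.bmp")
    with open(exposed, "wb") as f:
        f.write(b"BM" + b"\x00" * 60)  # stub bitmap header, not a real template
    os.chmod(exposed, 0o644)  # readable by everyone: the flaw being audited for
    private = os.path.join(root, "owner_only.bin")
    with open(private, "wb") as f:
        f.write(b"\x00" * 16)
    os.chmod(private, 0o600)
    return root, exposed


if __name__ == "__main__":
    root, exposed = build_sample_tree()
    print("world-readable before:", world_readable_files(root))
    restrict_to_owner(exposed)
    print("world-readable after: ", world_readable_files(root))
```

On a real device the audit would be pointed at the application's private data directory; the check is deliberately on mode bits rather than on whether the current user can open the file, so it reports the exposure even when run as the owner.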

2 of 66 comments

  1. Now compare this to Apple's approach by nbvb · Score: 4, Informative

    I know that it's all the rage to crap on Apple, but compare this "approach" to security vs Apple's approach ...

    https://www.apple.com/business...

    Apple isn't perfect by any means but at least they put the time and energy into actually trying to do the right things. They make mistakes - like everyone else - but at least there's some forethought.

  2. Re:Don't use this stuff ... by macs4all · Score: 5, Informative

    Corporations want to sell a product, sell advertising, and don't give a damn about your security or privacy. You should also assume they'll hand any of this crap over to governments if they demand it.

    Not all of them.

    For example, in iOS Devices, even the Device itself can't retrieve the biometric data. It is locked inside a "secure enclave" chip, that has ZERO exposure to the rest of the system.

    Neither Apple, nor anyone else, including the Gummint, can access that information without physically taking apart the Secure Enclave chip and using God-Knows-What to read the memory in the chip directly.

    Easier and cheaper to just to apply blowtorches and pliers to the actual fingerprint-holder, as per the obligatory XKCD 'toon.