Slashdot Mirror


HTC Doesn't Protect Fingerprint Data

An anonymous reader writes: Biometric authentication is becoming commonplace — fingerprint scanners have been used on laptops for years, and now they're becoming commonplace on phones, as well. As more devices require your fingerprint to unlock, it becomes more important for each of them to guard that data. It's significant, then, that researchers from FireEye were able to easily grab fingerprint data off several recent phones. The most egregious offender is the HTC One Max, which stores the fingerprint comparison image as a simple .BMP file in a folder that's open to access. "Any unprivileged processes or apps can steal user's fingerprints by reading this file." According to the research they presented at Black Hat (PDF), it would also be simple for hackers who have remotely compromised the device to upload their own fingerprints to grant themselves physical access.

3 of 66 comments

  1. That's the great thing about biometrics by metamatic · Score: 5, Insightful

    All the affected people have to do is change their fingerprints.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  2. Re:Now compare this to Apple's approach by nbvb · Score: 3, Insightful

    The difference between making a piece of hardware and making the whole widget.

    I'll leave it as an exercise to the reader to identify which approach I prefer.

  3. Re:Don't use this stuff ... by Dixie_Flatline · Score: 4, Insightful

    I haven't heard of anyone cracking it yet, and that's the sort of thing you'd hear about immediately if it happened. Breaking into an Apple device comes with a lot of press and noise. It's something we'd all know about if it'd happened. We immediately heard about how the security of the device was 'compromised' if you had access to a lab, a really incredibly clear picture of a fingerprint, and more time on your hands than your average criminal would be willing to expend.

    Based on that, I feel reasonably confident that there's been no breach of security of the secure enclave.

    But even if there were, this theoretical setup of Apple's is an indication that someone that thinks about security was involved in the development. There's no image. There's not really even useful data being stored, per se. You put your finger on the sensor and it creates a cryptographic hash from your fingerprint data, and every time you want to unlock the phone, it goes through the process again and compares it against the data it has stored. It's not even clear to me that if you had what was in the enclave that you could unlock the phone with it. (Someone that understands the tech better than me can correct me.)