Slashdot Mirror
HTC Doesn't Protect Fingerprint Data
An anonymous reader writes: Biometric authentication is becoming commonplace — fingerprint scanners have been used on laptops for years, and now they're becoming commonplace on phones, as well. As more devices require your fingerprint to unlock, it becomes more important for each of them to guard that data. It's significant, then, that researchers from FireEye were able to easily grab fingerprint data off several recent phones. The most egregious offender is the HTC One Max, which stores the fingerprint comparison image as a simple .BMP file in a folder that's open to access. "Any unprivileged processes or apps can steal user's fingerprints by reading this file." According to the research they presented at Black Hat (PDF), it would also be simple for hackers who have remotely compromised the device to upload their own fingerprints to grant themselves physical access.
What a bunch of amateurs. Everyone who's learned a thing or two about graphic file formats knows that PNG is much superior.
Even if we trusted that vendors weren't lazy, incompetent, and indifferent to security (and that is a big if) ... why should we be entrusting them with our biometric data in the first place?
Corporations want to sell a product, sell advertising, and don't give a damn about your security or privacy. You should also assume they'll hand any of this crap over to governments if they demand it.
Sorry, but until such time we get to use the CEO as a pinata for bad security, assume there simply is none. Because that's where we're at right now.
With no penalties for crap security, they're not going to implement good security. Stop treating them as if they have.
I'd wager that if you bought 20 products which claim to have security features, likely all 20 of them are easily defeated or bordering on non-existent in terms of actual security.
Lost at C:>. Found at C.
All the affected people have to do is change their fingerprints.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
I know that it's all the rage to crap on Apple, but compare this "approach" to security vs Apple's approach ...
https://www.apple.com/business...
Apple isn't perfect by any means but at least they put the time and energy into actually trying to do the right things. They make mistakes - like everyone else - but at least there's some forethought.
Fingerprints are Usernames, not Passwords. Using them as passwords is bad practice anyway .
Fingerprints are not usernames nor are they passwords. Security comes from having Things-You-Are, Things-You-Have, and Things-You-Know. Good security typically involves at least two of those Things if not all three. No security is unbreakable. Both usernames and passwords fall into the Things-You-Know which is why they are relatively easy to crack. This is why two factor authentication is a good idea because it generally relies on both a Thing-You-Know and a Thing-You-Have. Fingerprints are a Thing-You-Are though if not secured can become a Thing-You-Know/Have. At times they can be used like a username or a password but they are not the same thing and assuming they are the same thing is generally a mistake.
The biggest problem with Things-You-Are is also the biggest strength. Things-You-Are are generally the hardest to forge or circumvent but when they are they cannot be changed unlike Things-You-Have or Things-You-Know. So you don't want to use Things-You-Are too much.
Wonder what the patch is:
The ideal would be to not use a bitmap, but store some type of hash with a salt, as well as a part of the hashed value coming from a secure key store, for example sha3 (regular_nonce + fingerprint bitmap + nonce_stashed_in_secure_storage) . This means that if the hash was pulled off the phone, there is no way that it would be usable on other media.
If the bitmap -had- to be decrypted, again, it should be either encrypted and the key stashed in a protected part of the system, or at the minimum, encrypted by the user's PIN/password that is used when the device is first unlocked after a reboot.
I think there's a fundamental misunderstanding of biometrics and biometric security that is prevalent throughout much of the industry, and it's often expressed as "biometrics are identifiers, not passwords!", though usually with more exclamation points, or the verbal equivalent, except when the even more foolish version "biometrics are passwords" is used.
These statements are wrong. Biometrics are not identifiers. They're lousy identifiers, actually, since identifiers need to be unique and consistent, while biometrics aren't either. Biometrics are also not passwords. Passwords rely on secrecy and need to be rotated. Biometrics are not secret and cannot be rotated.
But, if biometrics don't fit into either of these buckets we're accustomed to, if they're not usernames and not passwords doesn't that mean they're useless? No, it does not.
Biometrics are authenticators. Passwords are also authenticators, but they operate on different principles, validating information that is expected to be a secret. Biometrics attempt to validate the presence of a physical body that is the one expected. What's funny about this to me is that humans, in general, are extremely comfortable with biometric identification and authentication because it's the way we identify and authenticate everyone around us all the time. But we've trained ourselves to think differently about these issues in the context of computer security. (Note that personal identification is considered the best form of authentication in physical security systems as well... the biometric auth systems built into our heads are extremely hard to fool at close range with more than a few seconds' interaction).
Biometric authentication provides security without relying on the secrecy of your fingerprints, because they aren't. You leave them everywhere you go all over everything you touch. Including, by the way, your phone. They provide security because it is supposed to be hard for anyone else to use your fingerprints, even if they know exactly what they look like, to unlock your phone. That is, the security comes from the meat/sensor interface, not from the content of the data delivered via that interface.
This fact points out some rather obvious potential exploits. Since making gummy fingers isn't particularly hard, and since phone sensors aren't very good at distinguishing between real fingers and fake fingers, the security level isn't very high against an attacker who is willing to go to the effort of lifting a print and making a fake finger. It's also not good against an attacker willing to crack the phone open and replay image data directly to the system, bypassing the sensor.
Fingerprints provide a very different security model than passwords. They're stronger against casual attackers (can't be shoulder surfed; often hard to phish), but potentially weaker against more sophisticated attackers, and don't rely on secrecy.
With this proper contextualization, it's clear that the "attacks" referenced in the article are non-issues. Leaking your fingerprints isn't a security problem, it's a privacy problem. Fingerprints are like any other PII (personally-identifiable information) on your phone. The device should secure PII against remote extraction, and should make it reasonably hard for local attackers to get. But when the attack begins with, step 1, "root the device", I just tune out, because of all of the PII on my phone, my fingerprints are among the least important.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.