Attackers can hijack fingerprint-protected transactions and harvest fingerprints from mobile devices, according to FireEye
Security researchers have highlighted what they called “severe” security bugs in the way fingerprint scanners are implemented in smartphones, finding that fingerprint images on one device were stored in an easily readable format in a folder accessible to any user.
Speaking at the Black Hat conference in Las Vegas, researchers from FireEye said the HTC One Max handset mistakenly stored fingerprint images in plaintext in a publicly accessible place – the images were stored in the path /data/dbgraw.bmp with world-readable permissions, they said.
HTC fixed the bug following a notification from FireEye, according to the researchers, but due to sluggish update systems in the smartphone world the patch may take some time to reach end-user devices.
Researchers Yulong Zhang and Tao Wei also highlighted several other vulnerabilities, including ones that could allow attackers to trick users into authorising a payment via their fingerprint or to gain access to the fingerprint scanner itself, allowing them to intercept scans. At the conference, they demonstrated techniques including hijacking a fingerprint-protected mobile payment and collecting fingerprints from popular mobile devices.
They said threats to fingerprint-scan security are increasingly dangerous because fingerprints are used for identity protection and, increasingly, to authorise payments in systems such as Apple Pay. They noted that half of smartphones are expected to ship with fingerprint scanners by 2019.
“Fingerprints last for a life – once leaked, they are leaked for the rest of your life,” they wrote in a research paper released with the talk. “Moreover, fingerprints are usually associated with every citizen’s identity, immigration record, etc. It would be a hazard if an attacker could remotely harvest fingerprints on a large scale.”
FireEye found that most smartphone manufacturers failed to use the TrustZone security architecture built into mobile ARM processors properly to lock down fingerprint scanners, meaning the scanners were left accessible to malicious programs.
This vulnerability means that an attacker who successfully implanted a malicious program onto a handset could intercept fingerprint scans every time the scanner was used, FireEye said.
“Attackers can do this stealthily in the background and they can keep reading the fingerprints on every touch of the victim’s fingers,” the researchers wrote. “Attackers with remote code execution exploits can remotely harvest…fingerprints on a large scale, without being noticed.”
In another attack, a malicious program could fool a user into thinking an authentication action was being performed, when in fact the program was carrying out an authorisation, such as authorising a payment. For instance, they said an attacker could create a fake lock screen which, when the user’s fingerprint was scanned, would authorise a malicious transaction.
This “confused authorisation attack” is made possible because many fingerprint security systems don’t provide proof of the context in which the scan was carried out, FireEye said.
“Without proper context proof, the attacker can mislead the victim to authorise a malicious transaction by disguising it as an authentication or another transaction,” the researchers wrote.
TrustZone can be used to provide context proof, but as of June no major vendor has implemented this feature, according to FireEye.
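The design gap behind the "confused authorisation attack" is that the scanner reports only whether the finger matched, not what the user was shown while it was scanned. The following added example (not FireEye's code, nor any vendor's TrustZone implementation) contrasts a contextless match result with a proof bound to the transaction context; the HMAC key, the JSON context format and the sample transaction are constructed for illustration, standing in for a key that would never leave the trusted environment.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; in a real design this lives inside the trusted
# execution environment and is never exported to the normal OS.
TEE_KEY = b"demo-key-not-a-real-secret"

def _canonical(context: dict) -> bytes:
    """Serialise the context deterministically so both sides hash the same bytes."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()

def contextless_authorise(fingerprint_matched: bool) -> bool:
    """Weak design: a bare yes/no, unbound to what is being authorised.
    A fake lock screen can relay this 'yes' to approve a payment instead."""
    return fingerprint_matched

def context_bound_authorise(fingerprint_matched: bool, shown_context: dict) -> Optional[bytes]:
    """Stronger design: the trusted side signs exactly the context it displayed
    to the user, so the result is only valid for that action."""
    if not fingerprint_matched:
        return None
    return hmac.new(TEE_KEY, _canonical(shown_context), hashlib.sha256).digest()

def verify_authorisation(intended_context: dict, proof: Optional[bytes]) -> bool:
    """The relying party (e.g. a payment service) recomputes the proof over the
    transaction it is about to perform; a proof for a different context fails."""
    if proof is None:
        return False
    expected = hmac.new(TEE_KEY, _canonical(intended_context), hashlib.sha256).digest()
    return hmac.compare_digest(proof, expected)

def demo() -> dict:
    # Constructed scenario: the victim believes they are unlocking the screen,
    # while malware tries to spend the scan on a payment.
    shown = {"action": "unlock_screen"}
    payment = {"action": "pay", "amount": "499.00", "payee": "example-merchant"}
    weak = contextless_authorise(True)                 # one boolean approves anything
    proof = context_bound_authorise(True, shown)       # bound to "unlock_screen" only
    return {
        "weak_accepts_payment": weak,
        "bound_accepts_payment": verify_authorisation(payment, proof),
        "bound_accepts_unlock": verify_authorisation(shown, proof),
    }
```

A production design would use an asymmetric key so the relying party verifies with a public key rather than sharing the secret; the binding of the displayed context into the proof is the property that matters.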
The company recommended individual users keep their handsets up to date with the latest patches, and said governments and enterprises should make use of third-party security services to ensure they’re protected from such threats.
FireEye researchers Zhaofeng Chen and Hui Xue also collaborated on the research.