
Researchers Detail ‘Severe’ Mobile Fingerprint Flaws

Security researchers have highlighted what they called “severe” security bugs in the way fingerprint scanners are implemented in smartphones, finding that fingerprint images on one device were stored in an easily readable format in a folder accessible to any user.

Speaking at the Black Hat conference in Las Vegas, researchers from FireEye said the HTC One Max handset mistakenly stored fingerprint images in plaintext in a publicly accessible place – the images were stored in the path /data/dbgraw.bmp with world-readable permissions, they said.

HTC fixed the bug following a notification from FireEye, according to the researchers, but due to sluggish update systems in the smartphone world the patch may take some time to reach end-user devices.

Researchers Yulong Zhang and Tao Wei also highlighted several other vulnerabilities, including ones that could allow attackers to trick users into authorising a payment via their fingerprint or to gain access to the fingerprint scanner itself, allowing them to intercept scans. At the conference, they demonstrated techniques including hijacking a fingerprint-protected mobile payment and collecting fingerprints from popular mobile devices.

They said threats to fingerprint-scan security are increasingly dangerous due to their use in identity protection and, increasingly, to authorise payments in systems such as Apple Pay. They noted that half of smartphones are expected to ship with fingerprint scanners by 2019.

“Fingerprints last for a life – once leaked, they are leaked for the rest of your life,” they wrote in a research paper released with the talk. “Moreover, fingerprints are usually associated with every citizen’s identity, immigration record, etc. It would be a hazard if an attacker could remotely harvest fingerprints on a large scale.”

Security glitches

FireEye found that most smartphone manufacturers failed to use the TrustZone security architecture built into mobile ARM processors properly to lock down fingerprint scanners, meaning the scanners were left accessible to malicious programs.

This vulnerability means that an attacker who successfully implanted a malicious program onto a handset could intercept fingerprint scans every time the scanner was used, FireEye said.

“Attackers can do this stealthily in the background and they can keep reading the fingerprints on every touch of the victim’s fingers,” the researchers wrote. “Attackers with remote code execution exploits can remotely harvest…fingerprints on a large scale, without being noticed.”

Context confusion

In another attack, a malicious program could fool a user into thinking an authentication action was being performed, when in fact the program was carrying out an authorisation, such as authorising a payment. For instance, they said an attacker could create a fake lock screen which, when the user’s fingerprint was scanned, would authorise a malicious transaction.

This “confused authorisation attack” is made possible because many fingerprint security systems don’t provide proof of the context in which the scan was carried out, FireEye said.

“Without proper context proof, the attacker can mislead the victim to authorise a malicious transaction by disguising it as an authentication or another transaction,” the researchers wrote.

TrustZone can be used to provide context proof, but as of June no major vendor has implemented this feature, according to FireEye.
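The context-proof idea described above, as an added example that is not from the FireEye research or any vendor's code: a toy trusted-world authoriser that binds a successful fingerprint match to the exact transaction the user was shown, beside the context-free design it replaces. The key, context fields, nonce length and HMAC construction are assumptions for illustration; a real design would keep the key inside TrustZone and use an attested signing key rather than a shared secret.

```python
import hmac
import hashlib
import json
import secrets

# Constructed demo key standing in for a key that would live only in the trusted
# world (TrustZone) and be shared with, or attested to, the relying party.
TEE_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(context):
    """Canonical, unambiguous encoding of the context the user was shown."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


def legacy_authorise(fingerprint_matched):
    """No context proof: the trusted world only reports 'matched'. Nothing in the
    token says whether the user saw an unlock screen or a payment prompt."""
    return b"MATCH" if fingerprint_matched else None


def tee_authorise(fingerprint_matched, context, nonce):
    """With context proof: a successful match is bound to the exact context
    (purpose, amount, payee) and a fresh nonce chosen by the relying party."""
    if not fingerprint_matched:
        return None
    msg = b"ctx-proof\x00" + _canonical(context) + b"\x00" + nonce
    return hmac.new(TEE_KEY, msg, hashlib.sha256).digest()


def verify_context_proof(proof, expected_context, nonce):
    """Relying-party side: accept only a proof made for this context and nonce."""
    if proof is None or len(nonce) < 16:
        return False
    msg = b"ctx-proof\x00" + _canonical(expected_context) + b"\x00" + nonce
    return hmac.compare_digest(proof, hmac.new(TEE_KEY, msg, hashlib.sha256).digest())


def demo():
    """Scenario from the article: a scan taken under an unlock screen must not
    authorise a payment, and a payment proof must not be replayable."""
    pay = {"purpose": "payment", "amount": "500.00", "payee": "example-merchant"}
    unlock = {"purpose": "unlock"}
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "genuine_payment": verify_context_proof(tee_authorise(True, pay, n1), pay, n1),
        "unlock_reused_for_payment": verify_context_proof(tee_authorise(True, unlock, n1), pay, n1),
        "replayed_with_new_nonce": verify_context_proof(tee_authorise(True, pay, n1), pay, n2),
        "failed_match": verify_context_proof(tee_authorise(False, pay, n1), pay, n1),
    }
```

The legacy token is the same bytes whatever the user was shown, which is exactly why a fake lock screen can repurpose it; the context-bound proof fails verification for any context or nonce other than the one the relying party requested.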

The company recommended individual users keep their handsets up to date with the latest patches, and said governments and enterprises should make use of third-party security services to ensure they’re protected from such threats.

FireEye researchers Zhaofeng Chen and Hui Xue also collaborated on the research.


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications


  • Our client BIO-key International (www.bio-key.com) $BKYI is very aware of these security vulnerabilities & its robust fingerprint biometric algorithms and cloud authentication (secure transport) technologies alleviate this vulnerability

    The rapidly expanding deployment of user friendly fingerprint biometrics on smart phones provides value and introduces the biometric concept - but device-based authentication does not provide the level of security that most enterprise applications will require. This provides the opportunity for stronger solutions and/or the combination of device-based authentication as well as cloud based authentication and matching against a known database of authorized records to deliver the security functionality that will meet the needs of a broader base of applications.
