Researchers have shown how weak security in major Android phones could let them steal fingerprints and then people's most personal information.
While Samsung’s Galaxy S5 was also named in their report, it was HTC’s One Max, a 5.9-inch phablet released in 2013, that came under the most scrutiny.
The report claims that an exact replica of the user’s fingerprint scan was stored as a plaintext .bmp file on the One Max, inside a “world-readable” folder. Rather than being a single static file, the image was also reported to refresh every time the phone’s user swiped the One Max’s rear sensor, which meant that hackers could “sit in the background and collect the fingerprint image of every swipe of the victim.”
Speculating on how this would benefit hackers, the FireEye researchers describe how malware could use these files to remotely access and harvest data stored within the phone.
They also note a wider implication of stolen fingerprint scans that does not arise with traditional security measures on mobile devices: while a compromised password can be changed, “fingerprints last for a life.”
While confirming that these security vulnerabilities have since been patched by the Taiwanese manufacturer, the report encourages prospective and upgrading Android users to “choose mobile device vendors with timely patching/upgrading to the latest version… and always keep your device up to date.”
The researchers presented their findings at last week’s Black Hat conference, where it was also revealed that hackers had managed to remotely take over a Tesla car and where the full extent of the “Stagefright” Android bug was made public.