HTC fingerprint scanner weakness exposed, as security files stored in an unencrypted folder

While recent smartphones have opted for deeper fingerprint security options, researchers have found fatal flaws in file structures behind the sensors included on Android devices that were early adopters of the technology

Oliver Cragg
Monday 10 August 2015 17:39

Researchers have shown how weak security in major Android phones could let attackers steal fingerprints and, with them, people's most personal information.

While Samsung’s Galaxy S5 was also named in their report, it was HTC’s One Max – a 5.9 inch display phablet released in 2013 – that came under the most scrutiny.

The report claims that an exact replica of the user’s fingerprint scan was stored as an unencrypted .bmp image on the One Max, inside a “world-readable” folder, meaning any process on the device, including an ordinary app with no special permissions, could open it. Rather than being a static file, the image was also reported to refresh every time the phone’s user swiped the One Max’s rear sensor, so malware could “sit in the background and collect the fingerprint image of every swipe of the victim.”
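The practical check behind that finding is a file-permission audit: look for files that any user or app on the device can read. The script below is an added example, not code from the article or from the FireEye report; it is exercised on a constructed temporary directory with two made-up files, and the directory and file names are assumptions. On a real Android handset the same function would be run from an `adb shell` session against the directory under suspicion.

```sh
#!/bin/sh
# Added example (not from the article or the FireEye report).
# Lists regular files under a directory whose "other" read bit is set,
# i.e. files any process on the device can read regardless of which user
# or app owns them. Mode bits only: SELinux or the app sandbox may still
# block access on a hardened device, so treat a hit as something to verify.

# Print every regular file under $1 with the world-readable bit (octal 004).
# Output is sorted so callers get a stable list.
find_world_readable() {
    dir="$1"
    find "$dir" -type f -perm -004 2>/dev/null | sort
}

# Demo on constructed files (assumed names): one locked down to its owner
# (0600) and one readable by everyone (0666). Only the second should print.
demo() {
    tmp="$(mktemp -d)"
    : > "$tmp/private.bin"; chmod 0600 "$tmp/private.bin"
    : > "$tmp/scan.bmp";    chmod 0666 "$tmp/scan.bmp"
    find_world_readable "$tmp"
    rm -rf "$tmp"
}

demo
```

`-perm -004` tests the mode bits directly, so the result does not depend on who runs the scan; running it as root still reports only files that an unprivileged process could read by permission.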

Speculating on how this would benefit attackers, the FireEye researchers describe how malware running on the phone could read these files and hand the harvested fingerprint data to a remote attacker.

They also note a wider implication of stolen fingerprint scans that does not arise with traditional mobile credentials: a compromised password can be changed, whereas “fingerprints last for a life.”

While confirming that these security vulnerabilities have since been patched by the Taiwanese manufacturer, the report encourages prospective and upgrading Android users to “choose mobile device vendors with timely patching/upgrading to the latest version… and always keep your device up to date.”

The researchers presented their findings at last week’s Black Hat conference where it was also revealed that hackers have managed to remotely take over a Tesla car and where the full extent of the “Stagefright” Android bug was made public.
