HTC fingerprint scanner weakness exposed, as security files stored in an unencrypted folder

While recent smartphones have opted for deeper fingerprint security options, researchers have found fatal flaws in file structures behind the sensors included on Android devices that were early adopters of the technology

Oliver Cragg
Monday 10 August 2015 17:39 BST

Researchers have shown how weak security in major Android phones could let them steal fingerprints and then people's most personal information.

While Samsung’s Galaxy S5 was also named in their report, it was HTC’s One Max – a 5.9-inch phablet released in 2013 – that came under the most scrutiny.

The report claims that an exact replica of the user’s fingerprint scan was stored as a plaintext .bmp file on the One Max and was contained within a “world-readable” folder. Rather than being a static file, the image was also reported to refresh every time the phone’s user swiped the One Max’s rear sensor, meaning that hackers could “sit in the background and collect the fingerprint image of every swipe of the victim.”
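The defensive check implied by that finding is a permissions audit: no biometric artefact should sit in a location that any process on the device can read. The script below is an added example written for this page, not code from the article or from FireEye; it builds a constructed sandbox directory (the folder and file names are placeholders, not the One Max’s real paths), lists every world-readable regular file under it, and tightens the leaky file to owner-only access. It runs on any POSIX host; on an Android device the same idea is what `ls -l` over adb shows you.

```python
"""Audit a directory tree for world-readable files and restrict them.

Added example for this article; the layout and file names are constructed
and do not reflect the actual HTC One Max file system.
"""
import os
import shutil
import stat
import tempfile


def find_world_readable(root):
    """Return sorted paths (relative to root) of regular files whose mode
    grants read access to 'other' (the S_IROTH bit). Symlinks and special
    files are skipped so the audit reports only real on-disk content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            if mode & stat.S_IROTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def restrict_to_owner(path):
    """Strip all group and other permission bits, keeping the owner bits.
    Returns the resulting permission bits (e.g. 0o600)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & 0o700
    os.chmod(path, new_mode)
    return new_mode


def demo():
    """Create a constructed sandbox with one world-readable 'template' and one
    owner-only file, audit it, fix the leak, audit again. Returns the
    before/after findings so the result can be checked programmatically."""
    root = tempfile.mkdtemp(prefix="fp_audit_")
    try:
        bio_dir = os.path.join(root, "biometric")  # constructed name
        os.makedirs(bio_dir)
        leaky = os.path.join(bio_dir, "template.bmp")  # constructed name
        private = os.path.join(bio_dir, "config.json")  # constructed name
        with open(leaky, "wb") as f:
            f.write(b"BM" + b"\x00" * 30)  # placeholder bytes, not a real bitmap
        with open(private, "w") as f:
            f.write("{}")
        # Set modes explicitly so the result does not depend on the umask.
        os.chmod(leaky, 0o644)    # readable by everyone: the weakness
        os.chmod(private, 0o600)  # owner only: the desired state
        before = find_world_readable(root)
        new_mode = restrict_to_owner(leaky)
        after = find_world_readable(root)
        return {"before": before, "after": after, "new_mode": new_mode}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The audit deliberately tests the `S_IROTH` bit rather than pattern-matching on file extensions: the weakness the researchers describe is the location’s permissions, not the image format, and the same check catches any sensitive file that ends up in a world-readable folder.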

Speculating on how this would benefit hackers, the FireEye researchers describe how malware could use these files to remotely access and harvest data stored within the phone.

They also note a wider implication of fingerprint theft that does not arise with traditional security measures on mobile devices: while passwords can be changed, “fingerprints last for a life.”

While confirming that these security vulnerabilities have since been patched by the Taiwanese manufacturer, the report encourages prospective and upgrading Android users to “choose mobile device vendors with timely patching/upgrading to the latest version… and always keep your device up to date.”

The researchers presented their findings at last week’s Black Hat conference where it was also revealed that hackers have managed to remotely take over a Tesla car and where the full extent of the “Stagefright” Android bug was made public.
