HTC caught storing fingerprint data in unencrypted plain text

Status
Not open for further replies.

Kardo Kristal

From Crystal Security
Thread author
Jul 12, 2014
For the past few years, both Apple and the various Android manufacturers have been pushing the idea of fingerprint readers, typically on the dubious grounds that biometric security is a better choice compared to a good passcode. New research from the security firm FireEye seems to blow that claim wide open, however. According to FireEye, multiple Android manufacturers protect your fingerprint so poorly, it can be read by plugging the phone into a computer and knowing which folder to access.

This is deeply problematic, considering that fingerprint readers are often used as the basis of payment authorization as well, but the FireEye report shines a critical eye on just how lightly most Android OEMs take device security. In theory, the fingerprints stored on an Android device are at least as secure as the kernel, with ARM’s TrustZone technology offering an additional layer of isolation and protection. In the real world, however, OEMs aren’t using this capability. FireEye’s report states:

One example is the HTC One Max — the fingerprint is saved as /data/dbgraw.bmp with 0666 world permission (world readable). Any unprivileged processes or apps can steal the user’s fingerprints by reading this file. Other vendors store fingerprints in TrustZone or Secure Enclave, but there are still known vulnerabilities for attackers to leverage… To make the situation even worse, each time the [HTC] fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.

Full Story
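
A defender-side check for the misconfiguration the FireEye quote describes, as an added example that is not part of the original post or the FireEye report: it walks a directory tree and reports regular files whose mode grants read or write access to every user, as the 0666 mode does. The function names and the sample tree (its file names and contents) are constructed for illustration.

```python
import os
import stat
import tempfile

def looks_like_bmp(path):
    """True if the file starts with the BMP magic bytes 'BM'."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"BM"
    except OSError:
        return False

def audit_world_access(root):
    """Return (path, octal mode, issues) for regular files any user can read or write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue  # entry vanished or cannot be inspected
            if not stat.S_ISREG(st.st_mode):
                continue
            issues = []
            if st.st_mode & stat.S_IROTH:
                issues.append("world-readable")
            if st.st_mode & stat.S_IWOTH:
                issues.append("world-writable")
            if issues and looks_like_bmp(path):
                issues.append("bitmap-image")  # image data exposed to all users
            if issues:
                mode = format(stat.S_IMODE(st.st_mode), "04o")
                findings.append((path, mode, issues))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: one file with the 0666 mode from the report, one with 0600."""
    root = tempfile.mkdtemp(prefix="perm_audit_")
    for name, mode in (("dbgraw.bmp", 0o666), ("template.bin", 0o600)):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"BM" + b"\x00" * 52)  # placeholder bytes, not a real image
        os.chmod(path, mode)  # chmod sets the exact mode regardless of umask
    return root

if __name__ == "__main__":
    for path, mode, issues in audit_world_access(build_sample_tree()):
        print(mode, ",".join(issues), path)
```
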
 
We already know that they don't care anymore about security.
They just want to spy on you and get all information about you.
 
Likely they need to understand the meaning of 'Quality over quantity'. This feature is not patented, but it seems they always want to cope with the trend technology based on its competition level. ;)
 