HTC caught storing fingerprint data in unencrypted plain text
#1
For the past few years, both Apple and the various Android manufacturers have been pushing the idea of fingerprint readers, typically on the dubious grounds that biometric security is a better choice compared to a good passcode. New research from the security firm FireEye seems to blow that claim wide open, however. According to FireEye, multiple Android manufacturers protect your fingerprint so poorly, it can be read by plugging the phone into a computer and knowing which folder to access.

This is deeply problematic, considering that fingerprint readers are often used as the basis of payment authorization as well, but the FireEye report shines a critical eye on just how lightly most Android OEMs take device security. In theory, the fingerprints stored on an Android device are at least as secure as the kernel, with ARM’s TrustZone technology offering an additional layer of isolation and protection. In the real world, however, OEMs aren’t using this capability. FireEye’s report states:

One example is the HTC One Max — the fingerprint is saved as /data/dbgraw.bmp with 0666 world permission (world readable). Any unprivileged processes or apps can steal the user’s fingerprints by reading this file. Other vendors store fingerprints in TrustZone or Secure Enclave, but there are still known vulnerabilities for attackers to leverage… To make the situation even worse, each time the [HTC] fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.
[Image: HTC-One-Max.png]



HTC takes the cake for absolute worst exposure of critical security issues, but vendors like Samsung aren’t exactly doing a bang-up job, either: FireEye also reports that the fingerprint sensor is itself vulnerable to attacks. ARM’s TrustZone offers the ability to isolate peripherals, but no vendors currently take advantage of it. The image below shows how the system should work (at top) with TrustZone functioning properly, versus how it’s actually programmed in today’s real-world devices. Because normal applications can query the sensor, they can also be used to take background readings every time someone touches it, record their fingerprint data, and relay it to third parties or hacking outfits.

[Image: TrustZone-640x597.png]

While only HTC was found to be blatantly storing user data where literally anyone could reach it, the fact that the fingerprint sensor could be accessed or hacked via already-known exploits in the Android kernel means that the biometric authorization schemes in the vast majority of phones aren’t secure — and that’s before we consider Android’s terrible security model that leaves users with no means of installing or updating their devices with critical security fixes if Samsung or other manufacturers don’t push them out in the first place. Several OEMs have recently pledged to change these practices, but it’s too soon to judge if they actually will.


Fingerprint sensors aren’t secure, and neither is much else

If you’re depending solely on a fingerprint scanner to secure your device, you really ought to rethink that strategy, even if you don’t have an Android phone. Courts have ruled that while the police can’t force you to disclose a passcode, they can fingerprint you without consent — and that means your device can be unlocked whether you agree to it or not. Ideally, users could use both a security code and fingerprint to keep a device locked, but I’m not sure which modern smartphones, if any, offer this option.
What’s even more troubling, however, is the cavalier way the Android OEMs have approached the topic. It’s not hard to see why Samsung’s security model is flawed and HTC’s is completely broken — it costs nothing to claim to care about user security online, while actually implementing security procedures is a time-consuming and expensive process. Most people don’t buy phones based on how secure they are, and even the handful of buyers who prioritize the feature aren’t usually equipped to objectively evaluate whether or not a product lives up to its expectations.

Over the past few months, I’ve repeatedly referred to the hypocritical way that corporations and the government tell users to respect privacy, while simultaneously encouraging users not to care. It would be impossible to tell if HTC suffered any negative impacts from this news, given the terrible shape that the company is in right now, but manufacturers like Samsung have suffered no serious problems. Samsung has lied about the encryption on its televisions, left an estimated 600 million of its customers vulnerable to hacking thanks to a broken keyboard application, and smashed Microsoft’s Windows security model by shipping systems with Windows Update disabled. Why? Because it couldn’t be bothered to configure the update policy on one specific component.

Everything Samsung has done this year pales in comparison to Lenovo, whose Superfish debacle was one of the worst security flaws since Sony thought installing rootkits was a good idea. I didn’t think we’d see Lenovo feat topped anytime soon — until Chrysler managed to ship a jeep so fundamentally broken, it could be used to cripple vehicles and potentially kill people.

Given the state of the software currently used to connect our devices, don’t depend on any single metric, whether it’s a passcode or a fingerprint device. Problems like this will persist until companies learn that effective security is critical to establishing trust in the long run, even if it isn’t a sexy point you can drop on a marketing slide.

http://www.extremetech.com/mobile/211985...plain-text
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Speech to text Kibri 3 3,656 Oct 26, 2023, 10:35 am
Last Post: gulshan212
  EA data leak (751GB) JC-4002 2 13,548 Aug 03, 2021, 19:59 pm
Last Post: RobertX
  Storing media on Google Drive? runswithascript 1 10,141 Jan 11, 2020, 09:30 am
Last Post: RodneyYouPlonker
  Win/client crash - Lost all data in torrents dueda 31 53,776 Jul 01, 2018, 13:35 pm
Last Post: 0zz0
  apk versus apk+data piano0011 2 14,783 Oct 19, 2017, 23:33 pm
Last Post: contrail



Users browsing this thread: 1 Guest(s)