
HTC Stores Fingerprints and Handles Them in a Bad Way according to FireEye

In a report published by The Inquirer (UK), HTC was found to be storing its users' fingerprints as image files in an unencrypted folder, and the hardware firm was singled out as a security liberty taker during a Black Hat event in the US.

According to the site, researchers at the security firm FireEye were the ones who identified the problem and released a report on it called Fingerprints on Mobile Devices: Abusing and Leaking (PDF), by Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei. Furthermore, MobileIDWorld reported that FireEye, during a presentation at the Black Hat USA 2015 conference, said that HTC smartphones store users' fingerprint data in unencrypted image files. FireEye warned that, given how HTC stores them, the fingerprints are easily retrievable and are not as easily reset as a text password.

The Inquirer quotes the researchers' warning: "How secure those fingerprint frameworks are designed remains the customer's biggest concern. In the traditional password-based auth systems, victims can easily replace the stolen passwords with a new one. But fingerprints last for a life - once leaked they are leaked for the rest of your life."

"Moreover fingerprints are usually associated with every citizen's identity, immigration record, etc. It would be a hazard if the attacker can remotely harvest fingerprints on a large scale."

So how serious is this finding by the security firm? The site reports that FireEye said an attacker could use what it calls a "confused authorisation attack" to trick the device and system into authorizing a payment while the user believes they are "swiping [their] finger to unlock the device". Furthermore, FireEye explained that HTC devices save fingerprints as .bmp files with 0666 permissions, meaning the files themselves are world-readable (0666 is rw-rw-rw-, so they are world-writable as well); with this, the firm warns, a cyber-attacker can just sit back, relax and easily collect a heap of digital digits.
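As an added example, not part of the article or of FireEye's report, the Python script below shows what the permission problem looks like from a defender's side: it walks a directory tree, flags files whose mode bits grant group or world access, and tightens them to owner-only (0600). The directory layout and file names are constructed for the example and do not come from any real device image; the only value taken from the article is the 0666 mode.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example (not from the article or FireEye's report): audit a directory
# tree for files whose mode bits expose them to other users/processes on the
# device, and tighten them to owner-only. 0o666 (rw-rw-rw-) is the setting the
# article attributes to HTC's fingerprint .bmp files; 0o600 is the fix.
GROUP_OR_WORLD_ACCESS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def is_exposed(path):
    """True if any group/other read or write bit is set on a regular file."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return bool(st.st_mode & GROUP_OR_WORLD_ACCESS)


def mode_of(root, rel):
    """Octal permission string of root/rel, e.g. '0o666'."""
    return oct(stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode))


def audit(root, suffixes=(".bmp",)):
    """Return a sorted list of (relative path, octal mode) for exposed files.

    Only files with one of the given suffixes are reported, mirroring the case
    where biometric templates are written out as plain image files.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(suffixes) and is_exposed(full):
                rel = os.path.relpath(full, root)
                findings.append((rel, mode_of(root, rel)))
    return sorted(findings)


def harden(root, suffixes=(".bmp",)):
    """Chmod every exposed matching file to 0o600; return how many changed."""
    changed = 0
    for rel, _ in audit(root, suffixes):
        os.chmod(os.path.join(root, rel), 0o600)
        changed += 1
    return changed


def build_sample_tree():
    """Construct a throwaway directory that imitates the weak layout.

    Hypothetical directory and file names; the bytes are a placeholder, not a
    real bitmap. Returns the root path so callers can audit and clean it up.
    """
    root = tempfile.mkdtemp(prefix="fp_audit_")
    bio_dir = Path(root) / "biometrics"
    bio_dir.mkdir(parents=True)

    weak = bio_dir / "user.bmp"
    weak.write_bytes(b"BM" + b"\x00" * 16)
    os.chmod(weak, 0o666)          # the weak setting the article describes

    good = bio_dir / "template.bmp"
    good.write_bytes(b"BM" + b"\x00" * 16)
    os.chmod(good, 0o600)          # owner-only: should not be reported

    other = bio_dir / "notes.txt"
    other.write_text("unrelated")
    os.chmod(other, 0o666)         # exposed but wrong suffix: not reported
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("exposed before:", audit(sample_root))
    print("files hardened:", harden(sample_root))
    print("exposed after :", audit(sample_root))
```

Running the script prints one finding (`biometrics/user.bmp` at `0o666`), reports one file hardened, and then an empty finding list. Fixing the mode only closes the local-read path; it does not address the separate point the article raises that a leaked fingerprint, unlike a password, cannot be replaced.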

