Security researchers who earlier this year exposed flaws in how Android stores fingerprint data have found that fingerprint files in a smartphone were stored as readable files.

The FireEye researchers claim that in the HTC One Max, fingerprints were stored in an image file named dbgraw.bmp in an open, readable folder.

“Not all the vendors store the fingerprints securely. While some vendors claimed that they store user's fingerprints encrypted in a system partition, they put users' fingerprints in plaintext and in a world-readable place by mistake. One example is HTC One Max: the fingerprint is saved as /data/dbgraw.bmp with 0666 permission (world-readable).”

This storage method means anyone who gained access to these files could edit the fingerprints, deleting them and even forcing fake fingerprint scans to pay for items.

“Any unprivileged processes or apps can steal a user's fingerprints by reading this file,” the FireEye team says, adding that every time the fingerprint is used to unlock the device, it refreshes the image map in that world-readable folder so that it will show the latest swiped finger.

Addressing other security flaws in Android, the researchers added that even if the protection of fingerprint data in a so-called “TrustZone” is indeed trustworthy, it only means that the fingerprints previously registered on the devices are secured.

“We found that the fingerprint sensor itself in many devices is still exposed to the attackers. Although the ARM architecture enables isolating critical peripherals from being accessed outside TrustZone (e.g. by programming the TrustZone Protection Controller), most vendors fail to utilize this feature to protect fingerprint sensors.”

The research – by Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei of FireEye Labs – was presented at the Black Hat conference in Las Vegas last week.

Last week, Zhang noted that Apple's iPhone, which pioneered the modern fingerprint sensor, is “quite secure,” as it encrypts fingerprint data from the scanner. In April, the pair showed how hackers merely need root-level access to Android to intercept the data.

“If the attacker can break the kernel [the core of the Android operating system], although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time.” “Every time you touch the fingerprint sensor, the attacker can steal your fingerprint,” Zhang was quoted as saying to Forbes. At the time, a Samsung spokesperson told Forbes over email that it was investigating FireEye's claims.

The researchers have recommended that mobile device vendors should improve the security design of the fingerprint auth framework with “improved recognition algorithms” against fake fingerprint attacks, and better protection of both fingerprint data and the scanning sensor.

“Moreover, vendors should figure out how to differentiate authorization with authentication and provide context proof. The existing fingerprint auth standard should be further improved to provide more detailed and secured guidelines for developers to follow. Finally, given a security standard, vendors still need professional security vetting/audits to enforce secure implementations.”
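The finding quoted above, a biometric file left at /data/dbgraw.bmp with 0666 permission, is the kind of mistake a vetting pass can catch mechanically. The following is an added example, not code from FireEye or any vendor: it audits a directory tree for files readable or writable by "other" and shows owner-only file creation beside it. The file name `template.bin`, the helper names and the sample contents are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def audit_world_access(root):
    """Return sorted (path, octal mode, issues) for regular files under root
    whose permission bits grant read or write access to 'other'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of root
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            if mode & stat.S_IROTH:
                issues.append("world-readable")
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if issues:
                findings.append((path, format(mode, "04o"), issues))
    return sorted(findings)

def write_private(path, data):
    """Create path as 0600. The umask can only clear bits, so the result is
    never wider than owner-only; O_EXCL refuses a pre-existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def demo():
    """Build a constructed directory with one 0666 file and one 0600 file."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "dbgraw.bmp")
        with open(bad, "wb") as f:
            f.write(b"BM constructed placeholder, not image data")
        os.chmod(bad, 0o666)  # the mode reported for the HTC One Max file
        write_private(os.path.join(root, "template.bin"), b"constructed")
        return [(os.path.basename(p), m, i)
                for p, m, i in audit_world_access(root)]

if __name__ == "__main__":
    for name, mode, issues in demo():
        print(name, mode, ", ".join(issues))
```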