Monday, August 10, 2015

Samsung and HTC phone users: do NOT enable the fingerprint option

The phone doesn't protect your fingerprint data:
Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max.
Oh, come on, I hear you say.  This is a security feature, I hear you say.  Just how bad can it be?
The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in an open "world readable" folder.

"Any unprivileged processes or apps can steal user’s fingerprints by reading this file," the team says, adding that the images can be made into clear prints by adding some padding.
Well there's your problem, right there ...


$5 gets you $10 that it's not just Samsung and HTC.  My advice is to turn off the damn fingerprint recognition and browse through the file system, deleting any .BMP files that look like biometrics.  And maybe run the phone through an industrial shredder ...
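An added example, not from the original post or the FireEye research: a Python audit that flags bitmap files any local account could read, checking the file's "other" read bit, that every parent directory is traversable, and the BMP magic bytes rather than the extension. The directory tree and stub file contents are constructed for the demo; only the dbgraw.bmp file name comes from the post.

```python
import os
import stat
import tempfile
BMP_MAGIC = b"BM"  # first two bytes of every Windows bitmap file

def others_can_reach(path, root):
    """True if each directory from root down to path's parent grants o+x."""
    root = os.path.abspath(root)
    current = os.path.dirname(os.path.abspath(path))
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False  # an unprivileged process cannot traverse this directory
        if current in (root, os.path.dirname(current)):
            return True
        current = os.path.dirname(current)

def find_exposed_bitmaps(root):
    """Return root-relative paths of BMP files that any local user can read."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            readable = stat.S_ISREG(mode) and mode & stat.S_IROTH
            if readable and others_can_reach(full, root):
                with open(full, "rb") as fh:
                    if fh.read(2) == BMP_MAGIC:  # check content, not the extension
                        exposed.append(os.path.relpath(full, root))
    return sorted(exposed)

def build_sample_tree():
    """Constructed sample tree: only open/dbgraw.bmp is exposed."""
    root = tempfile.mkdtemp()
    bmp = BMP_MAGIC + b"\x00" * 16  # constructed stub, not a real image
    layout = {  # relative path: (directory mode, file mode, content)
        "open/dbgraw.bmp": (0o755, 0o644, bmp),
        "open/private.bmp": (0o755, 0o600, bmp),
        "locked/dbgraw.bmp": (0o700, 0o644, bmp),
        "open/notes.txt": (0o755, 0o644, b"plain text"),
    }
    for rel, (dir_mode, file_mode, data) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, file_mode)
        os.chmod(os.path.dirname(path), dir_mode)
    os.chmod(root, 0o755)  # mkdtemp creates the root as 0700
    return root
```

Calling `find_exposed_bitmaps(build_sample_tree())` returns only `open/dbgraw.bmp`. The check covers Unix mode bits only; it does not model other access controls such as SELinux policy.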

4 comments:

Old NFO said...

Don't use it now, don't plan to in the future...

Jake (formerly Riposte3) said...

Link?

Borepatch said...

Added. Thanks, Jake.

Jake (formerly Riposte3) said...

Also, deactivated (Galaxy S6). I never planned on keeping it on anyway, but it was interesting to play with, and occasionally convenient.

The thing for me, before seeing this, was that the cops can get a court order for you to unlock the phone with your fingerprint, but not for your code or swipe pattern. Just like they can force you to provide a key to a safe, but not a combination - fingerprints and keys are simply physical evidence, while an access code or combination is considered testimony against yourself.

Also, as was proven within a few days of the first iPhone with a sensor, all you need is a fingerprint lifted from another surface to bypass the lock. It's probably pretty easy to lift a usable fingerprint off of that nice, glossy surface on the fingerprint sensor, and as a bonus it's almost guaranteed to be the finger the device is looking for. Basically, the phone carries a publicly accessible key right in plain view.