FireEye: HTC Devices Leave Fingerprints Unencrypted

Security experts have found a serious vulnerability in HTC smartphones. Presenting their findings at the Black Hat USA 2015 conference, the FireEye researchers said that HTC smartphones store users’ fingerprint data in unencrypted image files.

Worse, the image files are not stored in any kind of secure partition, and are “world readable”, meaning that, as the FireEye experts put it, “[a]ny unprivileged processes or apps can steal” the user data. They pointed to the HTC One Max X specifically, but suggested that this is a problem affecting a range of HTC devices.

The researchers also note that HTC as well as Samsung and other companies don’t take advantage of the ARM-based chip security features available on most smartphones, meaning that the devices’ fingerprint sensors themselves are left open to attack; hackers can theoretically steal data whenever a user swipes or presses her finger. That’s an embarrassing revelation for those companies in the wake of other researchers’ discovery that fingerprint biometric data could be copied from the Samsung Galaxy S5 and HTC One Max.

Samsung has since announced that it’s going to implement monthly security updates for its Android devices, but HTC has so far remained relatively quiet. While these kinds of security breaches are presumably already unsettling for most consumers, they’re going to be all the more alarming as more users start authenticating mPayments on platforms such as Samsung Pay and Google Pay – often via their fingerprints alone. It’s therefore in everyone’s interest to make sure that such biometric data is both secure and perceived as secure.

Source: The Guardian