back to article HTC caught storing fingerprints AS WORLD-READABLE CLEARTEXT

Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max. The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in a open "world readable" folder. "Any …

  1. This post has been deleted by its author

    1. Rolf Howarth

      I'm curious at a practical level how knowing what someone's fingerprint looks like can help you empty their bank account. I mean, every time you go touch something you leave a fingerprint, so if they wanted to someone could dust it off and photograph it and perhaps even transfer it to a rubber mould or something. But then what? They'd need physical possession of your mobile phone wouldn't they?

      Assuming I was a malware author and had remote access to someone's phone half way round the world how does reading the fingerprint image by itself help me in any way? On the other hand, if I've got control of their phone then logging all the user's password and PIN key presses, and monitoring their email in box for password reset emails and redirecting those to my account, would seem a lot more fruitful.

  2. Anonymous Coward
    Anonymous Coward

    Try again, no rush

    As has been said on here many times, you cannot change your fingerprints.

    Once your fingerprints are compromised what do you do, thank HTC for their broad and non-personal apology (if they issue one)?

    If a load of user accounts are compromised and then everyone updates their password, the attacker's password data is useless. Not so with fingerprints... they just need another half arsed attack later to get some more unchangable data and then another minor compromise ... none of the stolen data on finger prints gets old.. its valid data until you die.

    My bank give me 2 part auth with a rotating RSA key style dongle... this must be a better direction to be going right?

    1. Anonymous Coward
      Anonymous Coward

      Re: Try again, no rush

      Except that RSA's SecurID system was itself successfully hacked back in 2011 in (guess what?) "an extremely sophisticated cyber attack".

    2. Alan Brown Silver badge

      Re: Try again, no rush

      My bank has just dumped the RSA key. Apparently users found it too hard.

      As for fingerprints: you (usually) have 10. The one which unlocks my phone isn't used for other things.

      OTOH my wife has no detectable fingerprints. That makes any assumptions based on biometrics invalid and UKBA can't handle it at all. At least with phones there are alternate ways to authenticate.

  3. Pascal Monett Silver badge

    I wonder how many people will be bitten by these biometric shenanigans

    This biometric craze will continue until something bad happens, and the HTC One is apparently a very good contender for conveying a load to the rotating blade device.

    Biometrics seem a neat idea for security, but we don't know how to make good security on the Internet.

    Until we do, best not use a token that cannot be changed when it's compromised.

    1. Mark 85 Silver badge

      Re: I wonder how many people will be bitten by these biometric shenanigans

      Might even be a better idea not to use a mobile device for banking or anything sensitive. Steal one of the affected phones in the article and you own the poor guy's/gal's bank account and just about everything else. Anymore, don't even need to physically steal the phone.

      Just a thought but it works for me. Hell, steal my phone you have bumpkiss for personal data.

      1. Anonymous Coward
        Anonymous Coward

        Re: I wonder how many people will be bitten by these biometric shenanigans

        I steal your phone from you I know what you look like and I have at least your phone number. That phone number is linked to many other accounts some public some can become public with very little effort or information. Phone numbers are now being used to link various accounts and activities which is why they are so often and they have to be paid for by someone somehow.

        Data with a phone number is worth more than most think.

        Until we own the data we generate and data that describes or identifies us we can't even ask for privacy or protection, well I guess we can ask.

        1. Yet Another Anonymous coward Silver badge

          Re: I wonder how many people will be bitten by these biometric shenanigans

          And they know which bank you use because it's in your browser history - along with all the other sites you have an account on.

          And they have your live email feed so they can do a "forgot your passes" request on all of them and harvest them from your phone.

        2. Tom 38 Silver badge
          Headmaster

          Re: I wonder how many people will be bitten by these biometric shenanigans

          I steal your phone from you I know what you look like and I have at least your phone number.

          Grammar pedant - is this a threat, or am I supposed to insert the words "If", "then" and "will" in the appropriate places? If the former, slightly concerned about leaving work without first putting on a disguise.

      2. oiseau Silver badge
        Thumb Up

        Re: I wonder how many people will be bitten by these biometric shenanigans

        > Might even be a better idea not to use a mobile device for banking

        > or anything sensitive.

        AT LAST !!!!

        Finally some common sense.

        Eventually it will prevail but not before (at some point) all hell breaks loose.

    2. Mage Silver badge
      Coat

      Re: I wonder how many people will be bitten by these biometric shenanigans

      Biometrics seem a neat idea for security, but we don't know how to make good security on the Internet.

      Only seem. It was always a truly bad idea and real security experts knew it.

    3. Anonymous Coward
      Anonymous Coward

      Re: I wonder how many people will be bitten by these biometric shenanigans

      > Biometrics seem a neat idea for security, but we don't know how to make good security on the Internet.

      Biometrics form a useful basis for public identification, when backed up with multiple approaches (as any single biometric is easy to spoof, you generally have to stack up multiple to get statistically reliable coverage).

      Identification != Security.

    4. Anonymous Coward
      Anonymous Coward

      Re: I wonder how many people will be bitten by these biometric shenanigans

      Bio-metrics should never have been used as a method for authentication, it should only be used as identification in the authentication process. For example instead of using a username, use a finger print, or iris scan or what ever, as its something everyone can get access to and doesn't compromise anything if stolen, as the secret (password), which should always be able to be changed, isn't compromised, but if it is, can be altered.

    5. Destroy All Monsters Silver badge

      Re: I wonder how many people will be bitten by these biometric shenanigans

      Biometrics seem a neat idea for security, but we don't know how to make good security on the Internet

      Biometric data is your NAME.

      What is your PASSWORD??

      1. Dan 55 Silver badge
        Trollface

        Re: I wonder how many people will be bitten by these biometric shenanigans

        The password will be a DNA sample.

  4. Hans 1 Silver badge

    >The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in a open "world readable" folder.

    NSA directive ?

  5. Mage Silver badge
    Facepalm

    Biometrics

    Scrap them now.

    The whole concept is broken.

    No matter the regulations, specs or systems data is stolen (sometimes insiders or governments). Passwords may be awkward, but at least after a breech they can be changed. Smart & careful people can use a different good password for each different thing (Hello Google?).

    One "key" for everything is daft, yet biometrics can too easily become that and can't be changed.

    Security access passwords / codes need to be user changeable.

    1. Ben Tasker Silver badge

      Re: Biometrics

      Precisely, even when we're 100% certain we've got it right, authentication tokens need to be revokable and replaceable for when we find out we were wrong.

      As others have said, biometrics have a good potential use as an identifier (i.e. a username) but really are bugger all use as a single authentication method.

      As part of a two-factor authentication method, they have some merit from being less fiddly, more straightforward than a otp generator. With the massive drawback of being irreplaceable the second a manufacturer cocks up. The solution in that case would be to revert back to hardware tokens, so why waste time/money on biometrics in the first place? Not to mention what happens about getting other sites/services/suppliers to stop honouring your biometrics.

      And that's taking a somewhat generous view of the possible worst case scenarios..... so yeah, not for me...m

  6. frank ly Silver badge

    I don't trust anybody to get it right.

    Not now, not ever again.

  7. lukewarmdog

    bank on it

    If it can be broken, somebody will.

    Admittedly you shouldn't make it easy for them.. but remember the days when your phone was just a phone? Not really sure why it had to become the single place you keep all your data any more than why your car keys didn't become the same thing.

    I don't use my fingerprint on my phone to activate recognition so I can log onto my bank, touchID does log me in (most of the time) to the phone but then I go online and enter a ton of details. If you stole my fingerprint I'm not really sure what good it would do you in my case.

  8. hapticz

    ten fingers, ten subtle signature variations!

  9. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Wow, are you saying that the researchers didn't parse debug raw bitmap from that filename?

      My question is if you replace that file and make it read-only, can you scan a new fingerprint (anyones) and get the device to crypt your copy of dbgraw.bmp?

  10. VinceH Silver badge

    "The researchers point out that this is a very serious mistake by citing research predicting that fingerprint scanners will exist in about half of all phones sold in 2019."

    That doesn't mean that fingerprints will be used in about half of all phones sold in 2019.

    I have no intention of ever willingly using a fingerprint scanner in a phone (or anywhere else) for security purposes - not least because if biometric data is used it should be for identification purposes, not security.

  11. RobertTriber

    Another proof that Android isn't secure

    Apple is doing it better than others.

    Encrypted fingerprint data, secured chip to store that data, physical separation between the chip and the rest of the system.

    1. Meerkatjie

      Re: Another proof that Android isn't secure

      Only because Apple is not letting anyone else play in their playground. From the article it appears that Google did put something into Android that would have protected the biometrics but HTC didn't use it.

      1. Click King

        Re: Another proof that Android isn't secure

        Repeat again after me:

        the clusterfuck that is Android security is not Google's fault

        the clusterfuck that is Android security is not Google's fault

        the clusterfuck that is Android security is not Google's fault

        the clusterfuck that is Android security is not Google's fault

        the clusterfuck that is Android security is not Google's fault

        the clusterfuck that is Android security is not Google's fault

        1. Anonymous Coward
          Anonymous Coward

          Re: Another proof that Android isn't secure

          Not sure if you're being sarcastic, but if not, then why isn't it Google's fault?

          And if not Google, then in your view who's fault is it? Just another case of collective finger-pointing like the final scene in Reservoir Dogs?

          They can force oem's to include Play etc in order to get all the other Google goodies, so why didn't they also insist any security patches must also be included and distributed?

          (Yes, i'm aware the no-name oem's don't play ball, but we're talking about HTC here)

          1. fajensen Silver badge
            Angel

            Re: Another proof that Android isn't secure

            Not sure if you're being sarcastic, but if not, then why isn't it Google's fault?

            Because "Google" is re-branding itself as "Alphabet"?

    2. Anonymous Coward
      Anonymous Coward

      Re: Another proof that Android isn't secure

      Hah - Apple is just better as Monopolising user data and controlling the value chain. Those TLA's and Russian ganbangers would not pay for privileged access if they can simply get their boys to bypass the "Pay-to-Play" API provided.

    3. mythicalduck

      Re: Another proof that Android isn't secure

      Apple is doing it better than others

      Wut?

      http://www.theregister.co.uk/2014/09/23/iphone_6_still_vulnerable_to_touchid_fingerprint_hack/

      1. asdf Silver badge

        Re: Another proof that Android isn't secure

        >http://www.theregister.co.uk/2014/09/23/iphone_6_still_vulnerable_to_touchid_fingerprint_hack/

        Big difference between experts hacking away for hours to defeat the scanner on a device they must have physical access to and on the other hand possibly giving the internet access to your fingerprints in digital form for eternity. The jury may be out on some of the other platforms but Android security (especially with 2nd rate Asian vendors) is a melting on your neck tire fire.

  12. Someone Else Silver badge
    Devil

    In other news...

    ...Microsoft is hyping biometric security in Windows won? Ohhh... in their current most laughable series of promotional material. The mind boggles at the concept of <sarcasm> that bastion of software security Microsoft </sarcasm> trying to manage biometric data.

    Tags added for clarity

    1. asdf Silver badge

      Re: In other news...

      Well they have at least one example platform of how not to do it.

  13. Alan Thompson

    Multi-Factor Authentication is a False Concept

    Mutli-factor authentication has been described as:

    1) Something you Know (i.e. password/passphrase)

    2) Something you Have (e.g. bankcard or security token)

    3) Something you Are (i.e. bio-metrics) and

    4) Some Place you are (e.g. GPS coordinates, IP address, hard-line phone call)

    Unfortunately every single one of these factors - once recorded in a computer security system - becomes 1) Something [someone] Knows. When that happens all authentication becomes (sometimes multiple) single factors of knowledge (e.g. bankcard numbers, token algorithms and secret keys, images and/or numeric recordings of bio-metric data, etc.).

  14. herman Silver badge

    Prints are left everywhere

    You leave your prints everywhere you go. HTC is doing nothing that you are not doing yourself all the time. Prints should not be used for a simple security system.

    1. MD Rackham

      Re: Prints are left everywhere

      Write someone a check.

      You've just given them your bank account number, signature, and fingerprints. And usually address and phone number.

      1. Androgynous Cupboard Silver badge

        Re: Prints are left everywhere

        Precisely why no one has written a check (cheque) in Europe for years (unless they've employed builders, they're retired, or they're issuing a refund on behalf of a large organisation that insists YOU pay THEM electronically)

  15. WikusVanDeMerwe

    Eyeball on a pen...

    I honestly don't know why people are amazed when a fairly recent technology combined with fairly recently written software turns out to have the same capacity for securing a device as a sieve has for carrying water.

    On a daily basis my underlings scoff and poke fun at me for having a phone that doesn't do contactless payments, unlock via my fingerprint or even 'go online'. I tried pointing out that to me a phone is simply that and I'm more than happy without carrying nearly a thousand pounds of easily taken equipment which contains a wealth of personal data critical to the functionality of my life.

    Call me old and boring but hey I've never yet been mugged for my cellular phone and if I had been well at least it would make any difference to the security of my bank logins...

    I suppose what I'm trying to say here in a round about way is that mobile phones have become too heavily integrated into our lives for their own good and that collection of vintage pda's I use to store contacts and passwords and meeting notes is entirely un-hackable by today's quick fix script kiddie "hackers" who wouldn't know the IRDA protocol if it slapped the iphone6 out of their grubby mitts.

    Have you ever watched a modern tech user try and perform a serial based hot-sync? Used the "pc card" interface with an Atari Portfolio? They mock me for not toting up to the minute pocket tech, I mock them back for having no idea how a computer actually works and being too gullible or naive to not fill their back pocket with every login they hold dear.

    Security = out of date technology.

    1. Steven Roper

      Re: Eyeball on a pen...

      "Security = out of date technology."

      Yep, this. With the recent spate of ransomware attacks, given the fact that ransomware silently encrypts and decrypts files for a long period before locking you out and demanding the ransom (so as to encrypt backups as well) my colleagues asked me how we could ascertain if we were infected with ransomware, given that it's indetectable until it triggers.

      My response was to set up an old Windows 98 machine (because it lacks the NT kernel modern malware requires to work) not connected to any network, and to have everyone in the office save a text file onto a thumb drive and try to read it on the '98 machine. If it can't because the file has been silently encrypted and the malware can't install itself on the '98 machine to disguise this fact, we know we've been infected and can begin recovery procedures.

      So far we haven't been, mainly because I've promised to go Ramsay Bolton on the arse of anyone I catch clicking a link in an email, opening an attachment or plugging an unauthorised USB stick into our system!

  16. Loyal Commenter Silver badge

    Broken Implementation

    A correct implementation of a fingerprint scanner takes a scan of your finger as the input, and produces a hash as an output. At no point should it be producing an image of the finger and putting it anywhere outside of its own working space, and it certainly shouldn't be writing it to a file!

    1. Anonymous Coward
      Anonymous Coward

      Re: Broken Implementation

      I'm not sure this would work. How does the hash work? Fingerprints vary slightly even from one impression to the next because fingers are flexible and their water content varies with time. Your hash algorithm has somehow to ensure that the expected variations in a fingerprint result in the same hash each time, and this is going to be difficult. If the hash is structured in some way it is open to reverse engineering, and if it throws away enough information to allow varying prints to give the same hash it may be open to brute force.

      1. Tom 38 Silver badge

        Re: Broken Implementation

        I'm not sure this would work. How does the hash work?

        qv acoustic fingerprinting

        Acoustic fingerprints are not bitwise fingerprints, which must be sensitive to any small changes in the data. Acoustic fingerprints are more analogous to human fingerprints where small variations that are insignificant to the features the fingerprint uses are tolerated. One can imagine the case of a smeared human fingerprint impression which can accurately be matched to another fingerprint sample in a reference database; acoustic fingerprints work in a similar way.

        1. Anonymous Coward
          Anonymous Coward

          Re: Broken Implementation

          "One can imagine the case of a smeared human fingerprint impression which can accurately be matched to another fingerprint sample in a reference database"

          That doesn't answer my question; I asked about fingerprint hashes, this refers to "another fingerprint sample in a reference database", no hashing implied.

          Acoustic fingerprinting, on the other hand, needs FFT (or that was how we were implementing it), and its resolution depends on the number of frequency buckets and the permitted amplitude range within a bucket. If you know the number of buckets and the range, you can fake an acoustic signal with the same fingerprint.

      2. Loyal Commenter Silver badge

        Re: Broken Implementation

        @Arnaut

        Here, let me google that for you.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019