HTC fingerprint scanner weakness exposed, as security files stored in an unencrypted folder

While recent smartphones have opted for deeper fingerprint security options, researchers have found fatal flaws in file structures behind the sensors included on Android devices that were early adopters of the technology

Oliver Cragg
Monday 10 August 2015 17:39 BST
Comments

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Researchers have shown how weak security in major Android phones could let them steal fingerprints and then people's most personal information.

While Samsung’s Galaxy S5 was also named in their report it was HTC’s One Max – a 5.9 inch display phablet released in 2013 – that came under the most scrutiny.

The report claims that an exact replica of the user’s fingerprint scan was stored as a plaintext .bmp file on the One Max and was contained within a “world-readable” folder. Rather than being just a static file, the image was also reported to refresh any time the phone’s user swiped on the One Max’s rear sensor meaning that hackers could “sit in the background and collect the fingerprint image of every swipe of the victim.”

Speculating on how this would benefit hackers, the FireEye researchers describe how malicious malware could use these files to remotely access and harvest data stored within the phone.

They also note the wider implication that thefts of fingerprint scans could incur that does not arise from traditional security measures on mobile devices, as while passwords can be altered “fingerprints last for a life.”

While confirming that these security vulnerabilities have since been patched by the Taiwanese manufacturer, the report encourages prospective and upgrading Android users to “choose mobile device vendors with timely patching/upgrading to the latest version… and always keep your device up to date.”

The researchers presented their findings at last week’s Black Hat conference where it was also revealed that hackers have managed to remotely take over a Tesla car and where the full extent of the “Stagefright” Android bug was made public.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in