Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Cellphones

HTC Doesn't Protect Fingerprint Data 66

An anonymous reader writes: Biometric authentication is becoming commonplace — fingerprint scanners have been used on laptops for years, and now they're becoming commonplace on phones, as well. As more devices require your fingerprint to unlock, it becomes more important for each of them to guard that data. It's significant, then, that researchers from FireEye were able to easily grab fingerprint data off several recent phones. The most egregious offender is the HTC One Max, which stores the fingerprint comparison image as a simple .BMP file in a folder that's open to access. "Any unprivileged processes or apps can steal user's fingerprints by reading this file." According to the research they presented at Black Hat (PDF), it would also be simple for hackers who have remotely compromised the device to upload their own fingerprints to grant themselves physical access.
This discussion has been archived. No new comments can be posted.

HTC Doesn't Protect Fingerprint Data

Comments Filter:
  • Amateurs (Score:5, Funny)

    by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Monday August 10, 2015 @08:34AM (#50283841)

    The most egregious offender is the HTC One Max, which stores the fingerprint comparison image as a simple .BMP file in a folder that's open to access.

    What a bunch of amateurs. Everyone who's learned a thing or two about graphic file formats knows that PNG is much superior.

  • by gstoddart ( 321705 ) on Monday August 10, 2015 @08:38AM (#50283861) Homepage

    Even if we trusted that vendors weren't lazy, incompetent, and indifferent to security (and that is a big if) ... why should we be entrusting them with our biometric data in the first place?

    Corporations want to sell a product, sell advertising, and don't give a damn about your security or privacy. You should also assume they'll hand any of this crap over to governments if they demand it.

    Sorry, but until such time we get to use the CEO as a pinata for bad security, assume there simply is none. Because that's where we're at right now.

    With no penalties for crap security, they're not going to implement good security. Stop treating them as if they have.

    I'd wager that if you bought 20 products which claim to have security features, likely all 20 of them are easily defeated or bordering on non-existent in terms of actual security.

    • by macs4all ( 973270 ) on Monday August 10, 2015 @09:23AM (#50284107)

      Corporations want to sell a product, sell advertising, and don't give a damn about your security or privacy. You should also assume they'll hand any of this crap over to governments if they demand it.

      Not all of them.

      For example, in iOS Devices, even the Device itself can't retrieve the biometric data. It is locked inside a "secure enclave" chip, that has ZERO exposure to the rest of the system.

      Neither Apple, nor anyone else, including the Gummint, can access that information without physically taking apart the Secure Enclave chip and using God-Knows-What to read the memory in the chip directly.

      Easier and cheaper to just to apply blowtorches and pliers to the actual fingerprint-holder, as per the obligatory XKCD 'toon.

      • by tlhIngan ( 30335 )

        For example, in iOS Devices, even the Device itself can't retrieve the biometric data. It is locked inside a "secure enclave" chip, that has ZERO exposure to the rest of the system.

        Neither Apple, nor anyone else, including the Gummint, can access that information without physically taking apart the Secure Enclave chip and using God-Knows-What to read the memory in the chip directly.

        Even harder, in iOS, the fingerprint reader traffic is encrypted, and the reader and secure enclave do a public-private

        • Even harder, in iOS, the fingerprint reader traffic is encrypted, and the reader and secure enclave do a public-private key thing to keep the fingerprint secure.

          So not only is the information in the secure enclave, but it's traffic is secured by the hardware. Two reasons - one, to prevent sniffing, and the other, to prevent malware from commandeering the fingerprint reader.

          You're right. I'd forgotten about those details.

        • Not that it really matters, and the damned things aren't very accurate or secure anyway.

          That myth was busted on Mythbusters a number of years ago, and the technology hasn't really changed significantly since.
    • You should also assume they'll hand any of this crap over to governments if they demand it.

      Due to that child abduction prevention database that came to my school when I was a kid, and my inherent inability to keep my mouth shut when interacting with the police; the government already has several copies of my full fingerprint sets on file. I can safely assume that I'm not the only one that falls into a similar category so, I'm not to saying that your concern is invalid, it's simply redundant.

      The real question this brings up is "how secure is your fingerprint as a means of identification?". And the

  • by metamatic ( 202216 ) on Monday August 10, 2015 @08:46AM (#50283897) Homepage Journal

    All the affected people have to do is change their fingerprints.

  • by Anonymous Coward

    In related news, a burglar was arrested because he left an ID card in the house...

  • Fingerprints are Usernames, not Passwords. Using them as passwords is bad practice anyway .
    • Fingerprints are Usernames, not Passwords. Using them as passwords is bad practice anyway .

      Fingerprints are not usernames nor are they passwords. Security comes from having Things-You-Are, Things-You-Have, and Things-You-Know. Good security typically involves at least two of those Things if not all three. No security is unbreakable. Both usernames and passwords fall into the Things-You-Know which is why they are relatively easy to crack. This is why two factor authentication is a good idea because it generally relies on both a Thing-You-Know and a Thing-You-Have. Fingerprints are a Thing-Y

      • I disagree with the premise that security comes from "Things you are. Things you have. And Things you know"

        True security is a web of trust relationships. I can present a badge (things you have) , and pretend to be someone else (things you are) and even have some knowledge (things you know) and still be lying. REAL security is verifying these things against another "trusted" source.

        If I present a ID card representing ABC Corp, saying my name is Archie Angel and pretend to know what I am doing (here to check

  • by nbvb ( 32836 ) on Monday August 10, 2015 @09:03AM (#50283983) Journal

    I know that it's all the rage to crap on Apple, but compare this "approach" to security vs Apple's approach ...

    https://www.apple.com/business... [apple.com]

    Apple isn't perfect by any means but at least they put the time and energy into actually trying to do the right things. They make mistakes - like everyone else - but at least there's some forethought.

  • I think there's a fundamental misunderstanding of biometrics and biometric security that is prevalent throughout much of the industry, and it's often expressed as "biometrics are identifiers, not passwords!", though usually with more exclamation points, or the verbal equivalent, except when the even more foolish version "biometrics are passwords" is used.

    These statements are wrong. Biometrics are not identifiers. They're lousy identifiers, actually, since identifiers need to be unique and consistent, while biometrics aren't either. Biometrics are also not passwords. Passwords rely on secrecy and need to be rotated. Biometrics are not secret and cannot be rotated.

    But, if biometrics don't fit into either of these buckets we're accustomed to, if they're not usernames and not passwords doesn't that mean they're useless? No, it does not.

    Biometrics are authenticators. Passwords are also authenticators, but they operate on different principles, validating information that is expected to be a secret. Biometrics attempt to validate the presence of a physical body that is the one expected. What's funny about this to me is that humans, in general, are extremely comfortable with biometric identification and authentication because it's the way we identify and authenticate everyone around us all the time. But we've trained ourselves to think differently about these issues in the context of computer security. (Note that personal identification is considered the best form of authentication in physical security systems as well... the biometric auth systems built into our heads are extremely hard to fool at close range with more than a few seconds' interaction).

    Biometric authentication provides security without relying on the secrecy of your fingerprints, because they aren't. You leave them everywhere you go all over everything you touch. Including, by the way, your phone. They provide security because it is supposed to be hard for anyone else to use your fingerprints, even if they know exactly what they look like, to unlock your phone. That is, the security comes from the meat/sensor interface, not from the content of the data delivered via that interface.

    This fact points out some rather obvious potential exploits. Since making gummy fingers isn't particularly hard, and since phone sensors aren't very good at distinguishing between real fingers and fake fingers, the security level isn't very high against an attacker who is willing to go to the effort of lifting a print and making a fake finger. It's also not good against an attacker willing to crack the phone open and replay image data directly to the system, bypassing the sensor.

    Fingerprints provide a very different security model than passwords. They're stronger against casual attackers (can't be shoulder surfed; often hard to phish), but potentially weaker against more sophisticated attackers, and don't rely on secrecy.

    With this proper contextualization, it's clear that the "attacks" referenced in the article are non-issues. Leaking your fingerprints isn't a security problem, it's a privacy problem. Fingerprints are like any other PII (personally-identifiable information) on your phone. The device should secure PII against remote extraction, and should make it reasonably hard for local attackers to get. But when the attack begins with, step 1, "root the device", I just tune out, because of all of the PII on my phone, my fingerprints are among the least important.

    • Passwords rely on secrecy and need to be rotated.

      Why do passwords need to be rotated? I have read lots of things saying that you should but never seen a compelling argument. All of the reasons for rotating passwords are more appropriately handled by changing password immediately. Rotating passwords happens regardless of an incident, which is wasteful, and only ensures that somebody locks up after the horse has left the barn.

      • Passwords rely on secrecy and need to be rotated.

        Why do passwords need to be rotated? I have read lots of things saying that you should but never seen a compelling argument.

        The longer you keep a password, the more likely it is that it has been compromised in some way. Rotating it closes the window of vulnerability.

        All of the reasons for rotating passwords are more appropriately handled by changing password immediately. Rotating passwords happens regardless of an incident, which is wasteful, and only ensures that somebody locks up after the horse has left the barn.

        You're assuming that you have some indication that your password is compromised. You may not, which means the barn won't get locked. Unlike the horse/barn analogy, there is often value in locking up even after the attacker has been in.

        With that said, if you have a decent password and reasonably-good password security habits (e.g. don't use it on multiple systems),

  • Biometric data is *NOT SECRET* and never has been. The idea isn't "nobody has access to your fingerprints", it's "if you control the device, and can monitor the person attempting to access the device, you can easily detect attempts to use someone else's data"

    eg: Yes, your fingerprint reader can be defeated by the person holding a photocopy of someone else's hand. If you leave them alone with the device, they can also defeat it by pulling the back cover off, so that's not particularly an issue.

  • ... is that you don't generally have any real ability to limit anyone else from collecting your fingerprints without wearing gloves everywhere... and if you are even *suspected* of a crime, you have no legal right at all to refuse to be fingerprinted by law enforcement (if you are acquitted, you can usually request that the information be destroyed, however, YMMV on this, depending on the jurisdiction). At least with passwords, you can simply refuse to divulge them. Some jurisdictions may throw a person
  • so where is the example of me calling someone a liar? questioning facts & logic is honest disagreement U should try that approach [Rep. Dana Rohrabacher (R-CA), 2015-08-24] [twitter.com]

    I've repeatedly [twitter.com] showed [twitter.com] Dana links [slashdot.org] to his incredibly ironic accusations of dishonest lying fraud. Here are just a few:

    whoever gave U the 97 percent scientists endorsing Man made Global warming theory is lying 2 U. [Rep. Dana Rohrabacher (R-CA), 2013-07-05] [archive.is]

    97% is fake number & reflects dishonesty of those giving U info on

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...