HTC Doesn't Protect Fingerprint Data
An anonymous reader writes: Biometric authentication is becoming commonplace — fingerprint scanners have been used on laptops for years, and now they're becoming commonplace on phones, as well. As more devices require your fingerprint to unlock, it becomes more important for each of them to guard that data. It's significant, then, that researchers from FireEye were able to easily grab fingerprint data off several recent phones. The most egregious offender is the HTC One Max, which stores the fingerprint comparison image as a simple .BMP file in a folder that's open to access. "Any unprivileged processes or apps can steal user's fingerprints by reading this file." According to the research they presented at Black Hat (PDF), it would also be simple for hackers who have remotely compromised the device to upload their own fingerprints to grant themselves physical access.
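An audit for the condition the summary describes, a bitmap sitting in a folder that any unprivileged process can reach and read. This is an added example, not code from the article or from the FireEye research. The directory layout and file names are constructed, since the page does not give the real path on the device.

```python
import os
import stat
import tempfile

BMP_MAGIC = b"BM"  # first two bytes of every Windows bitmap file


def others_can_traverse(path, root):
    """True if every directory from root down to path grants o+x."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    while True:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            return False
        if path == root:
            return True
        path = os.path.dirname(path)


def find_exposed_bitmaps(root):
    """List (relative path, mode string) for bitmaps any local user can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not others_can_traverse(dirpath, root):
            continue  # a closed parent directory blocks unprivileged access
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                continue
            with open(full, "rb") as fh:  # identify by content, not extension
                if fh.read(2) == BMP_MAGIC:
                    rel = os.path.relpath(full, root)
                    findings.append((rel, stat.filemode(mode)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree; names and layout are assumptions."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    bitmap = BMP_MAGIC + bytes(52)  # placeholder header, no real image data
    layout = {  # relative path: (directory mode, file mode, contents)
        "open/capture.bmp": (0o755, 0o644, bitmap),
        "open/private.bmp": (0o755, 0o600, bitmap),
        "locked/capture.bmp": (0o700, 0o644, bitmap),
        "open/notes.txt": (0o755, 0o644, b"not an image"),
    }
    for rel, (dir_mode, file_mode, data) in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.chmod(os.path.dirname(full), dir_mode)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, file_mode)
    return root


if __name__ == "__main__":
    for rel, mode in find_exposed_bitmaps(build_sample_tree()):
        print(mode, rel)
```

Only the bitmap that is both world-readable and inside a world-traversable folder is reported; tightening either the file mode or the folder mode removes the finding.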
Amateurs (Score:5, Funny)
What a bunch of amateurs. Everyone who's learned a thing or two about graphic file formats knows that PNG is much superior.
Re: (Score:2)
You're better off with the heavy duty black nitrile gloves. Just be sure to stock up on talcum powder so your hands don't look like they've been soaking in dishwater for four hours.
Re: (Score:1)
and of course, destroy the gloves after use.
Don't use this stuff ... (Score:3)
Even if we trusted that vendors weren't lazy, incompetent, and indifferent to security (and that is a big if) ... why should we be entrusting them with our biometric data in the first place?
Corporations want to sell a product, sell advertising, and don't give a damn about your security or privacy. You should also assume they'll hand any of this crap over to governments if they demand it.
Sorry, but until such time we get to use the CEO as a pinata for bad security, assume there simply is none. Because that's where we're at right now.
With no penalties for crap security, they're not going to implement good security. Stop treating them as if they have.
I'd wager that if you bought 20 products which claim to have security features, likely all 20 of them are easily defeated or bordering on non-existent in terms of actual security.
Re:Don't use this stuff ... (Score:5, Informative)
Corporations want to sell a product, sell advertising, and don't give a damn about your security or privacy. You should also assume they'll hand any of this crap over to governments if they demand it.
Not all of them.
For example, in iOS Devices, even the Device itself can't retrieve the biometric data. It is locked inside a "secure enclave" chip, that has ZERO exposure to the rest of the system.
Neither Apple, nor anyone else, including the Gummint, can access that information without physically taking apart the Secure Enclave chip and using God-Knows-What to read the memory in the chip directly.
Easier and cheaper to just apply blowtorches and pliers to the actual fingerprint-holder, as per the obligatory XKCD 'toon.
Re:Don't use this stuff ... (Score:5, Insightful)
I haven't heard of anyone cracking it yet, and that's the sort of thing you'd hear about immediately if it happened. Breaking into an Apple device comes with a lot of press and noise. It's something we'd all know about if it'd happened. We immediately heard about how the security of the device was 'compromised' if you had access to a lab, a really incredibly clear picture of a fingerprint, and more time on your hands than your average criminal would be willing to expend.
Based on that, I feel reasonably confident that there's been no breach of security of the secure enclave.
But even if there were, this theoretical setup of Apple's is an indication that someone that thinks about security was involved in the development. There's no image. There's not really even useful data being stored, per se. You put your finger on the sensor and it creates a cryptographic hash from your fingerprint data, and every time you want to unlock the phone, it goes through the process again and compares it against the data it has stored. It's not even clear to me that if you had what was in the enclave that you could unlock the phone with it. (Someone that understands the tech better than me can correct me.)
Re: Don't use this stuff ... (Score:2)
Last I read, the fingerprint system submits the numerical representation of the fingerprint to the Trusted Enclave, which responds with match or no match. You don't get to see existing fingerprint data.
Re: (Score:2)
And you believe this shit they spew?
Why yes. Yes I do. At least generally, and certainly about this particular subject.
Where's our open source / standard video conferencing protocol? If you're saying that some company sued them to prevent their use...
See? You answered your own objection. That was easy...
Remember when they sold LTE tablets in the UK that couldn't be used in the UK (it had US bands at the time)?
Nope. Never heard of that. According to your own words, you must've been the only one butt-hurt about that, apparently.
Re: (Score:3)
Even harder, in iOS, the fingerprint reader traffic is encrypted, and the reader and secure enclave do a public-private
Re: (Score:2)
Even harder, in iOS, the fingerprint reader traffic is encrypted, and the reader and secure enclave do a public-private key thing to keep the fingerprint secure.
So not only is the information in the secure enclave, but its traffic is secured by the hardware. Two reasons - one, to prevent sniffing, and the other, to prevent malware from commandeering the fingerprint reader.
You're right. I'd forgotten about those details.
Re: (Score:2)
That myth was busted on Mythbusters a number of years ago, and the technology hasn't really changed significantly since.
Re: (Score:2)
No SANE, rational person could read it in context, and honestly think it was a call for anybody to actually commit suicide.
You can't even get this right. What a loser.
Re: (Score:2)
I will say that people make mistakes. Like the time you claimed (as shown in one of your links above) that the Wegman report wasn't peer-reviewed. The report had been reviewed by no less than 6 other professional statisticians with no axe to grind, before it was presented.
I do not, at this time, think Rahmstorf is a criminal in any legal sense. I do think that using graphs that are created to mislead in order to press an
Re: (Score:2)
Jane, in less than an hour you changed from defending "Lonny Eachus' comment" to defending your comment! Are you actually such a pathological liar that you really think you can just shrug off your libelous attacks by saying they were "somebody's comments on Twitter"?
You haven't shown that any of my comments were intentionally libelous. I have already stated to you many times that I am not commenting to you about identity. I make no claims or denials... nor do I have any reason to do so.
But "pathological liar"? That's a libelous statement if I've ever seen one.
You have repeatedly (actually quite consistently, over a period of years) failed to demonstrate that I have intentionally lied about anything. Therefore you have excellent evidence that your frequent claims
Re: (Score:2)
Well, do you truly understand that EPA's proposed regulations (truly, no joke) declare your body a toxic polluter? Because you exhale 40,000 ppm CO2. [Lonny Eachus, 2014-10-27]
The EPA does not distinguish among sources, or whether it is "circulation". Emission is emission. Emission from vehicles burning ethanol is also "circulation", via a very real and rather simple cycle, yet EPA still classes it as emission. So you are wrong in principle and fact.
Apparently Lonny is still pretending to be confused about the fact that breathing is like the circulation pump in a pool. It simply can't raise CO2 levels.
Apparently you are confused about context. As usual.
Re: (Score:2)
No, Lonny. Your despicable statement was morally and scientifically wrong. He doesn't emit "a rather large amount all by himself" because breathing simply can't raise CO2 levels.
This is a CLASSIC straw-man argument. There was no claim that he raised CO2 levels. Only that he emits CO2. He does.
emit v. to send forth (liquid, light, heat, sound, particles, etc.); discharge.
There is nothing there about "increasing levels" or averages. Everybody knows what "emit" means, regardless of your attempts to narrow the definition to your liking. He does emit a rather large amount by himself, according to every common definition of the word "emit". As I illustrated above, CO2 from exhaust pipes from burning ethanol derived from organic sources goes through a very similar cy
Re: (Score:2)
Oops, forgot the ellipses:
Re: (Score:3)
You should also assume they'll hand any of this crap over to governments if they demand it.
Due to that child abduction prevention database that came to my school when I was a kid, and my inherent inability to keep my mouth shut when interacting with the police, the government already has several copies of my full fingerprint sets on file. I can safely assume that I'm not the only one that falls into a similar category, so I'm not saying that your concern is invalid, it's simply redundant.
The real question this brings up is "how secure is your fingerprint as a means of identification?". And the
Re: (Score:2)
So you're saying "if you have nothing to hide you have nothing to fear", and that we should all accept a surveillance society because you've already been arrested.
Not even close, I'm saying that the information that GP was trying to protect is likely to already be on record. I can't wish away that they already have my fingerprints, that's just a fact that I and many others need to live with.
That's the great thing about biometrics (Score:5, Insightful)
All the affected people have to do is change their fingerprints.
upload their own fingerprints??? (Score:1)
In related news, a burglar was arrested because he left an ID card in the house...
It doesn't matter (Score:1)
Things you know, have and are (Score:3)
Fingerprints are Usernames, not Passwords. Using them as passwords is bad practice anyway.
Fingerprints are not usernames nor are they passwords. Security comes from having Things-You-Are, Things-You-Have, and Things-You-Know. Good security typically involves at least two of those Things if not all three. No security is unbreakable. Both usernames and passwords fall into the Things-You-Know which is why they are relatively easy to crack. This is why two factor authentication is a good idea because it generally relies on both a Thing-You-Know and a Thing-You-Have. Fingerprints are a Thing-Y
Re: (Score:1)
I disagree with the premise that security comes from "Things you are. Things you have. And Things you know"
True security is a web of trust relationships. I can present a badge (things you have), and pretend to be someone else (things you are) and even have some knowledge (things you know) and still be lying. REAL security is verifying these things against another "trusted" source.
If I present an ID card representing ABC Corp, saying my name is Archie Angel and pretend to know what I am doing (here to check
Now compare this to Apple's approach (Score:5, Informative)
I know that it's all the rage to crap on Apple, but compare this "approach" to security vs Apple's approach ...
https://www.apple.com/business... [apple.com]
Apple isn't perfect by any means but at least they put the time and energy into actually trying to do the right things. They make mistakes - like everyone else - but at least there's some forethought.
Re:Now compare this to Apple's approach (Score:4, Insightful)
The difference between making a piece of hardware and making the whole widget.
I'll leave it as an exercise to the reader to identify which approach I prefer.
Re: (Score:2)
And I'm sure that every affected device has already been updated, in accordance with HTC's proactive support policies.
Since it has been patched, I'm also sure that there will never be any kind of mysterious regression where a future build exhibits the same issue. That could never happen.
Nothing more to see here, just move along.
Re: (Score:2)
And I'm sure that every affected device has already been updated, in accordance with HTC's proactive support policies.
Since it has been patched, I'm also sure that there will never be any kind of mysterious regression where a future build exhibits the same issue. That could never happen.
Nothing more to see here, just move along.
hmmm. The sarcasm is strong with this one....
Re: (Score:3)
Wonder what the patch is:
The ideal would be to not use a bitmap, but store some type of hash with a salt, as well as a part of the hashed value coming from a secure key store, for example sha3(regular_nonce + fingerprint bitmap + nonce_stashed_in_secure_storage). This means that if the hash was pulled off the phone, there is no way that it would be usable on other media.
If the bitmap -had- to be decrypted, again, it should be either encrypted and the key stashed in a protected part of the system, or at t
Repeat after me: Fingerprints are not secrets (Score:3)
I think there's a fundamental misunderstanding of biometrics and biometric security that is prevalent throughout much of the industry, and it's often expressed as "biometrics are identifiers, not passwords!", though usually with more exclamation points, or the verbal equivalent, except when the even more foolish version "biometrics are passwords" is used.
These statements are wrong. Biometrics are not identifiers. They're lousy identifiers, actually, since identifiers need to be unique and consistent, while biometrics aren't either. Biometrics are also not passwords. Passwords rely on secrecy and need to be rotated. Biometrics are not secret and cannot be rotated.
But, if biometrics don't fit into either of these buckets we're accustomed to, if they're not usernames and not passwords doesn't that mean they're useless? No, it does not.
Biometrics are authenticators. Passwords are also authenticators, but they operate on different principles, validating information that is expected to be a secret. Biometrics attempt to validate the presence of a physical body that is the one expected. What's funny about this to me is that humans, in general, are extremely comfortable with biometric identification and authentication because it's the way we identify and authenticate everyone around us all the time. But we've trained ourselves to think differently about these issues in the context of computer security. (Note that personal identification is considered the best form of authentication in physical security systems as well... the biometric auth systems built into our heads are extremely hard to fool at close range with more than a few seconds' interaction).
Biometric authentication provides security without relying on the secrecy of your fingerprints, because they aren't. You leave them everywhere you go all over everything you touch. Including, by the way, your phone. They provide security because it is supposed to be hard for anyone else to use your fingerprints, even if they know exactly what they look like, to unlock your phone. That is, the security comes from the meat/sensor interface, not from the content of the data delivered via that interface.
This fact points out some rather obvious potential exploits. Since making gummy fingers isn't particularly hard, and since phone sensors aren't very good at distinguishing between real fingers and fake fingers, the security level isn't very high against an attacker who is willing to go to the effort of lifting a print and making a fake finger. It's also not good against an attacker willing to crack the phone open and replay image data directly to the system, bypassing the sensor.
Fingerprints provide a very different security model than passwords. They're stronger against casual attackers (can't be shoulder surfed; often hard to phish), but potentially weaker against more sophisticated attackers, and don't rely on secrecy.
With this proper contextualization, it's clear that the "attacks" referenced in the article are non-issues. Leaking your fingerprints isn't a security problem, it's a privacy problem. Fingerprints are like any other PII (personally-identifiable information) on your phone. The device should secure PII against remote extraction, and should make it reasonably hard for local attackers to get. But when the attack begins with, step 1, "root the device", I just tune out, because of all of the PII on my phone, my fingerprints are among the least important.
Re: (Score:2)
Passwords rely on secrecy and need to be rotated.
Why do passwords need to be rotated? I have read lots of things saying that you should but never seen a compelling argument. All of the reasons for rotating passwords are more appropriately handled by changing password immediately. Rotating passwords happens regardless of an incident, which is wasteful, and only ensures that somebody locks up after the horse has left the barn.
Re: (Score:2)
Passwords rely on secrecy and need to be rotated.
Why do passwords need to be rotated? I have read lots of things saying that you should but never seen a compelling argument.
The longer you keep a password, the more likely it is that it has been compromised in some way. Rotating it closes the window of vulnerability.
All of the reasons for rotating passwords are more appropriately handled by changing password immediately. Rotating passwords happens regardless of an incident, which is wasteful, and only ensures that somebody locks up after the horse has left the barn.
You're assuming that you have some indication that your password is compromised. You may not, which means the barn won't get locked. Unlike the horse/barn analogy, there is often value in locking up even after the attacker has been in.
With that said, if you have a decent password and reasonably-good password security habits (e.g. don't use it on multiple systems),
Re: (Score:2)
The best solution is not to have so many passwords. Single sign-on (SSO) should be able to consolidate many of them. For the rest, most are probably fairly low-value, and needn't be rotated.
Personally I have one password for work and another for my personal e-mail account that I consider really high value and rotate annually (I also use two-factor auth on both of those). I also rotate my password manager password annually. Then I have a second tier of important passwords (bank, etc.). Those I don't rotate
Biometrics (Score:2)
Biometric data is *NOT SECRET* and never has been. The idea isn't "nobody has access to your fingerprints", it's "if you control the device, and can monitor the person attempting to access the device, you can easily detect attempts to use someone else's data"
eg: Yes, your fingerprint reader can be defeated by the person holding a photocopy of someone else's hand. If you leave them alone with the device, they can also defeat it by pulling the back cover off, so that's not particularly an issue.
The biggest problem with fingerprint security... (Score:2)
Rep. Rohrabacher accuses scientists of lying. (Score:2)
I've repeatedly [twitter.com] showed [twitter.com] Dana links [slashdot.org] to his incredibly ironic accusations of dishonest lying fraud. Here are just a few: