Android devices criticised for storing unencrypted fingerprint data

Fingerprint scanning as an authorisation tool is open to cyber attack, says FireEye

Android devices including the HTC One Max and the Samsung S5 have come under fire after a team of FireEye researchers unveiled evidence that fingerprint data used to provide access to smartphones is being stored in an unencrypted image format.

The research, released at the 2015 Black Hat security conference in Las Vegas, outlined how sensitive fingerprint data, stored in a "world readable" format, is open to exploitation by hackers.

The vulnerabilities, which the affected vendors have since patched following the researchers' disclosure, are increasingly relevant as biometric fingerprint authorisation continues to grow in popularity.

The feature is now included in a range of handsets including the iPhone and Samsung S-range and, with Apple Pay being introduced into the market, competitors have scrambled to include the option.

"Mobile payment is going to be a primary mover for fingerprint sensors," the FireEye report states. "In traditional password-based authorisation systems, victims can easily replace the stolen passwords with a new one. But fingerprints last for a lifetime. Once leaked, they are leaked for the rest of your life."

The study, conducted by Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei of FireEye Labs, highlighted a number of common "design pitfalls" of current fingerprint data retention including "confused authorisation attacks" and insecure data storage.

"While some vendors claimed that they store users' fingerprints encrypted in a system partition, they put users' fingerprints in plain text and in a world readable place by mistake," the authors said.

"On the HTC One Max the fingerprint is saved as /data/dbgraw.bmp with a 0666 permission setting (world readable). Any unprivileged processes or apps can steal users' fingerprints by reading this file."
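The finding above is a plain file-permission mistake, so it is also the kind of thing a reviewer can check for. The script below is an added example, not code from the FireEye report or from any vendor: it walks a directory tree the way `find /data -type f -perm -o+r` would on a rooted handset, flags every regular file whose "other" bits grant read or write, and shows the minimal fix (dropping the group and other bits). The directory layout, the `dbgraw.bmp` placeholder contents and the second "done right" file are constructed here for the demonstration.

```python
import os
import stat
import tempfile


def world_access(path):
    """Report which 'other' permission bits are set on path (the last triple of `ls -l`)."""
    mode = os.lstat(path).st_mode
    return {
        "readable": bool(mode & stat.S_IROTH),
        "writable": bool(mode & stat.S_IWOTH),
        "executable": bool(mode & stat.S_IXOTH),
    }


def audit_tree(root):
    """Walk root and list every regular file any uid on the device could read or write.

    Returns sorted (relative path, finding) pairs; a 0666 file appears twice, once
    for each bit, mirroring what `find /data -type f -perm -o+r` and `-o+w` would show.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and devices need a different check; skip here
            perms = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            if perms & stat.S_IROTH:
                findings.append((rel, "world-readable %04o" % perms))
            if perms & stat.S_IWOTH:
                findings.append((rel, "world-writable %04o" % perms))
    return sorted(findings)


def make_sample_data_dir():
    """Constructed stand-in for /data: one file with the 0666 mistake, one stored correctly."""
    root = tempfile.mkdtemp(prefix="data_")
    bad = os.path.join(root, "dbgraw.bmp")
    with open(bad, "wb") as f:
        f.write(b"BM" + b"\x00" * 62)  # placeholder bitmap header, constructed
    os.chmod(bad, 0o666)  # the HTC One Max setting quoted in the report
    os.makedirs(os.path.join(root, "fp"))
    good = os.path.join(root, "fp", "template.bin")
    with open(good, "wb") as f:
        f.write(b"\x00" * 16)  # constructed placeholder, not a real template
    os.chmod(good, 0o600)  # owner-only: what the sensor service should use
    return root


def harden(path):
    """Drop group/other bits from path, the minimal fix for the finding; returns the new mode."""
    new_mode = stat.S_IMODE(os.lstat(path).st_mode) & ~(stat.S_IRWXG | stat.S_IRWXO)
    os.chmod(path, new_mode)
    return new_mode


if __name__ == "__main__":
    root = make_sample_data_dir()
    for rel, finding in audit_tree(root):
        print("%s: %s" % (rel, finding))
    harden(os.path.join(root, "dbgraw.bmp"))
    print("after hardening:", audit_tree(root))
```

Mode bits are only half the story on Android: the file's owner uid and its SELinux label decide who can actually open it, so a clean result from this check does not prove the data is safe, but a 0666 hit is a finding regardless of the label.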

The research found that "confused authorisation attacks" have long been overlooked. In such an attack a malicious app controls what the victim sees while the sensor is swiped: the victim believes the swipe is an authentication step, such as unlocking the phone, but the authorisation framework treats it as approval of whatever transaction the app actually requested.

The report cites an example of an attacker faking a mobile lock screen to fool the victim into thinking that they are swiping to unlock a device when in reality they are authorising a money transfer.
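The weakness in that scenario is that a successful swipe yields an approval that carries no record of what the user was shown. The following is an added illustration, not code from the FireEye report or from any vendor's framework: a toy authoriser that shares an HMAC key with a payment service (a constructed stand-in for a key held in the secure side of the handset). The "weak" token only proves a finger was swiped, so the fake-lock-screen flow goes through; the "bound" token covers the exact text the authoriser itself displayed before the swipe, so a swipe on "Unlock device" cannot be redeemed as a transfer. Binding the approval to the displayed text is a standard design remedy assumed here, not one the article attributes to the report.

```python
import hashlib
import hmac

# Constructed shared secret between the fingerprint-gated authoriser and the
# payment service. On a real handset this key would live in the secure side.
SHARED_KEY = b"\x01" * 32


def _tag(message):
    return hmac.new(SHARED_KEY, message, hashlib.sha256).digest()


def weak_authorize(swipe_ok, nonce):
    """Design pitfall: a swipe produces a generic 'user is present' token."""
    if not swipe_ok:
        return None
    return _tag(b"swipe-ok|" + nonce)


def bound_authorize(swipe_ok, shown_text, nonce):
    """Fix: the authoriser draws shown_text itself, then signs exactly that text.

    An attacker who wants a token for 'Transfer $500 to attacker' must let the
    authoriser display that sentence to the victim before the swipe.
    """
    if not swipe_ok:
        return None
    return _tag(b"bound|" + shown_text.encode() + b"|" + nonce)


def bank_accepts_weak(token, nonce):
    """Payment service in the weak design: any fresh swipe token approves any transfer."""
    return token is not None and hmac.compare_digest(token, _tag(b"swipe-ok|" + nonce))


def bank_accepts_bound(token, transfer_text, nonce):
    """Payment service in the bound design: the token must cover this transfer's text."""
    if token is None:
        return False
    return hmac.compare_digest(token, _tag(b"bound|" + transfer_text.encode() + b"|" + nonce))


def fake_lock_screen_attack(bound):
    """Malicious app draws a lock screen; the victim swipes to 'unlock'; the app forwards
    the resulting token to the payment service as approval of its own transfer.
    Returns True if the transfer is accepted."""
    nonce = bytes(16)  # constructed challenge, fixed so the run is reproducible
    transfer = "Transfer $500 to attacker"
    if not bound:
        token = weak_authorize(True, nonce)  # victim thinks this is an unlock
        return bank_accepts_weak(token, nonce)
    # In the bound design the authoriser, not the app, chooses the displayed text.
    # The victim swiped on "Unlock device", so that is all the token can approve.
    token = bound_authorize(True, "Unlock device", nonce)
    return bank_accepts_bound(token, transfer, nonce)


if __name__ == "__main__":
    print("weak design, transfer accepted:", fake_lock_screen_attack(bound=False))
    print("bound design, transfer accepted:", fake_lock_screen_attack(bound=True))
```

The binding only helps if the text really is rendered by code the malicious app cannot influence; if the requesting app supplies both the text and the screen the victim sees, the fix collapses back into the weak design.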

However, it is how firms store fingerprint data that FireEye said is the major cause of concern.

"Each time the fingerprint sensor is used for [an] authorisation operation, the authorisation framework will refresh that fingerprint bitmap to reflect the latest wiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim," the firm said.

Moving the fingerprint handling into the secure part of the smartphone's processor, such as an ARM TrustZone-based trusted execution environment or Apple's Secure Enclave, does not settle the matter either: the FireEye researchers note that known vulnerabilities in that trusted code can still expose the data.

The study recommends that mobile device vendors improve the "security design of the fingerprint authorisation framework".

"We suggest normal users choose mobile device vendors with timely patching/upgrading to the latest version. Also, it is always a good practice to install popular apps from reliable sources," it said.

The findings of the FireEye study are the most recent setback for Android. Shortly before, the Stagefright bug emerged, a media-parsing vulnerability reachable through MMS messages that was estimated to affect up to 95 percent of Android devices.

"Many Android handset manufacturers don't have the best reputation for making the latest and greatest security patches available, quickly or ever. So, odds are, there are going to be a lot of vulnerable Android phones for quite some time," said Jeremiah Grossman, founder and CTO of WhiteHat Security, at the time.

V3 contacted HTC and Samsung for comment but neither had replied at the time of publication.