HTC blunders its security, stores fingerprints as readable cleartext

HTC is having trouble keeping investors happy, reporting its worst quarter in history earlier this month. If that wasn’t enough to contend with, FireEye researchers have found a way to steal fingerprint information from the Galaxy S5 and HTC One Max.

Fingerprints were stored in an image file named dbgraw.bmp in an open, readable folder. This means anyone who gains access to these files can edit the fingerprints, delete them and even force fake fingerprint scans to pay for items.

Malicious apps can utilise the fingerprint files by asking for them at start-up.
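The exposure described above comes down to file and folder permission bits, which a defender can audit. The following Python audit is an added example, not code from FireEye, HTC or Samsung; only the file name dbgraw.bmp comes from the article, while the folder names and file contents are constructed sample data.

```python
import os
import stat
import tempfile

def exposed_files(root):
    """Map each regular file under root that accounts other than its owner and
    group can reach to "r", "w" or "rw". Mode bits only: ACLs and SELinux
    policy are not evaluated, and root itself is assumed reachable."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # A file is only reachable if every directory above it grants "other"
        # search (x) permission, so prune subtrees that do not.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            access = ("r" if mode & stat.S_IROTH else "") + \
                     ("w" if mode & stat.S_IWOTH else "")
            if access:
                findings[os.path.relpath(path, root)] = access
    return findings

def build_demo_tree(base):
    """Constructed sample data: three placeholder bitmaps, not real captures."""
    layout = {"weak": (0o755, 0o666),    # open folder, readable and writable file
              "hidden": (0o700, 0o644),  # lax file, but the folder blocks access
              "safe": (0o755, 0o600)}    # owner-only file
    for folder, (dir_mode, file_mode) in layout.items():
        d = os.path.join(base, folder)
        os.mkdir(d)
        f = os.path.join(d, "dbgraw.bmp")
        with open(f, "wb") as fh:
            fh.write(b"BM" + b"\x00" * 16)
        os.chmod(f, file_mode)
        os.chmod(d, dir_mode)

def demo():
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return exposed_files(base)

if __name__ == "__main__":
    for path, access in sorted(demo().items()):
        print(f"{access:2} {path}")
```

Only the copy in the open folder is reported; the other two show the two ways to close the exposure, an owner-only file or an owner-only folder.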

Both Samsung and HTC used a third-party fingerprint provider, which seems to have messed up on the security end. Samsung’s latest Galaxy S6 and S6 Edge use a new sensor, with additional security to make sure hackers cannot find the fingerprint images.

Once the hacker has gained control of the file, they are able to see every change to the fingerprint, however slight. The hacker can also utilise the phone indefinitely, as long as the user doesn’t delete the fingerprint from the smartphone.

"To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger," the team says. "So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim."

FireEye claims it is the first to spot this vulnerability, meaning Samsung and HTC will hopefully patch it before hackers catch on to the simple access.

This is extremely clumsy of Samsung, HTC and the fingerprint provider. It is probably why Samsung jumped ship after 2014 to a different provider. Considering 50 per cent of phones could feature a fingerprint sensor by 2019, it is even scarier to think of the lack of security on some devices with scanners.

Source: Blackhat FireEye [PDF]