Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max.
The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in a open "world readable" folder.
"Any unprivileged processes or apps can steal user’s fingerprints by reading this file," the team says, adding that the images can be made into clear prints by adding some padding.
It is one of four vulnerability scenarios in which biometric data normally secure in an Android phone's TrustedZone can be pilfered.
One such scenario shows how attackers can have money transfers authenticated by throwing a fake lock screen prompting a victim to scan their fingerprints to unlock a device.
Yulong Zhang, Zhaofeng Chen, Hui Xue, Tao Wei say in the paper Fingerprints On Mobile Devices: Abusing and Leaking [PDF] presented at Black Hat in Las Vegas last week that most device manufacturers fail to use Android's Trust Zone protection to safeguard biometric data.
(Score: 3, Informative) by hemocyanin on Thursday August 13 2015, @12:20AM
I wouldn't call it a conspiracy theory. The whole push for biometric authentication leaves people's privacy at risk even if perfectly implemented, because of the way the courts interpret the 5th Amendment. You can be compelled to give up what you are (photo, fingerprint, iris scan, blood -- whatever), but you can't be compelled to give up something you know (pin, password, pattern, etc,).
Pick an article, any article:
http://jonathanturley.org/2013/09/21/fingerprint-authentication-and-the-fifth-amendment/ [jonathanturley.org]
http://www.wired.com/2013/09/the-unexpected-result-of-fingerprint-authentication-that-you-cant-take-the-fifth/ [wired.com]
http://time.com/3558936/fingerprint-password-fifth-amendment/ [time.com]
Anyway, it is definitely in the Feds' interests to get people using biometric authentication. Not only does it give them a nifty way to collect biometric data from rooted devices, you don't get any of the benefits of the Bill of Rights.