Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max.
The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in a open "world readable" folder.
"Any unprivileged processes or apps can steal user’s fingerprints by reading this file," the team says, adding that the images can be made into clear prints by adding some padding.
It is one of four vulnerability scenarios in which biometric data normally secure in an Android phone's TrustedZone can be pilfered.
One such scenario shows how attackers can have money transfers authenticated by throwing a fake lock screen prompting a victim to scan their fingerprints to unlock a device.
Yulong Zhang, Zhaofeng Chen, Hui Xue, Tao Wei say in the paper Fingerprints On Mobile Devices: Abusing and Leaking [PDF] presented at Black Hat in Las Vegas last week that most device manufacturers fail to use Android's Trust Zone protection to safeguard biometric data.
(Score: 3, Informative) by bob_super on Thursday August 13 2015, @12:30AM
> It may have a reason other than enabling remote spying but it escapes me
You're not a EE...
Basic system design, really. Tie the things together and you can't use them to discriminate failures an run tests.
And a lot of cheap systems don't power down the camera rail. They just old it in reset. It's simpler/cheaper/more reliable
(Score: 2) by Bot on Thursday August 13 2015, @12:51PM
I am not an EE but I am losing faith in them. Testing a led is quite straightforward, and the circuit is simple. And anyway, if you really want to double the circuitry involved just to test a led, why not stay at the hardware level? The led is controlled by software, proof in old linux kernels who did not light up the leds while accessing the cam.
And, keeping the camera powered on at all times in a laptop may be cheap, but given the importance of battery time in those laptops it is beyond stupid.
Account abandoned.
(Score: 0) by Anonymous Coward on Thursday August 13 2015, @01:01PM
> Testing a led is quite straightforward
dafuq? the led monitoring the circuit IS the test. Apparently it is OK to double the circuit for testing-testing purposes, and to use software for testing-testing-testing, whose unit tests are about testing-testing-testing-testing.