SoylentNews is people
SoylentNews
Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max.
The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in a open "world readable" folder.
"Any unprivileged processes or apps can steal user’s fingerprints by reading this file," the team says, adding that the images can be made into clear prints by adding some padding.
It is one of four vulnerability scenarios in which biometric data normally secure in an Android phone's TrustedZone can be pilfered.
One such scenario shows how attackers can have money transfers authenticated by throwing a fake lock screen prompting a victim to scan their fingerprints to unlock a device.
Yulong Zhang, Zhaofeng Chen, Hui Xue, Tao Wei say in the paper Fingerprints On Mobile Devices: Abusing and Leaking [PDF] presented at Black Hat in Las Vegas last week that most device manufacturers fail to use Android's Trust Zone protection to safeguard biometric data.
(Score: 0) by Anonymous Coward on Thursday August 13 2015, @04:39PM
For the less experienced hacker, they can also be recovered from the screen and a variety of other surfaces.
This argument bothers me. It's like "anybody can follow you on the street, what do you care if there are cameras everywhere." This overlooks there is an opportunity cost for actions.
Yes, if somebody stalked you individually they could trivially get your fingerprints. But that costs a lot of time and money. On the other hand, one virus automatically deployed to phones, even with a .1% success rate, would find tens of thousands of hits. All of a sudden the cost of doing something goes down and the chances of being adversely impacted go up dramatically.
By analogy, anybody with your phone number can call you. So I'm sure you don't mind the existence of robocallers, and would be against any attempt to restrict them...