Access to The Information of The Fingerprint Sensor Is Too Easy, According to FireEye Labs

So important is the quality of hardware and the process involved in terms of software when we talk about sensors, and more when it relates to the Security. This second part is that, as they are running from FireEye Labs, failure in the registration of fingerprints in the HTC One Max and other terminals to meet this information too accessible.

According to FireEye team in its work, the information generated after scan fingerprint is stored in an image decrypt file and easily readable. The path of the file is /data/dbgraw.bmp with 0666 permission (accessible to everyone), so any app or user could access both local and remote.

Is thus established a paradox in terms only of the fingerprint, that the advantage of being specific and unchanging let obviously no possibility of modification as is the case with a password in the event that you suspect that it has been ascertained.

Without being the only terminal that presents problems, the case of HTC One Max is the example that illustrate this failure of security, and if in addition the fingerprint sensor system is updated in each scanning, i.e., puts at the disposal of the possible intruder a bitmap updated each time.

All are to improve

In this study differ two systems processing of data from the fingerprint sensor: Basic, which only protects access to this being accessible by root, and another in which there is an “zone of confidence” (Trust Zone) that media access to the sensor information and offers greater protection.

However, the fact that this second safest mode is incorporated nor is an absolute barrier as for unauthorized access, largely because the companies themselves do not implement well the system by not forcing the access to the information from the sensor by apps or users to pass through this barrier.

As we said, the HTC One Max is part of the first group without being the only one, is also the Samsung Galaxy S5 and many others that the researchers have not specified, although they point out that after being warned with the conclusions of this same work all manufacturers they have repaired the fault (they point out, however, that have not received response from HTC and Samsung).

Somewhat more common than it seems

In fact, the team of FireEye will Apart from traces of smartphones sensors and they refer in respect of this “ease” of access to other systems in appearance more complex and common access to banks, immigration offices, and other cases in which the fingerprint identification is used.

This study has been presented at the Conference on security Black Hat in Las Vegas. In the same advise how to proceed both users (recommending the use of trusted apps) and manufacturers, especially in view of payment such as Android Pay, Apple Pay or Samsung Pay systems based on fingerprint.