Android Devices Found Storing User Fingerprints as Image Files

Researchers from FireEye have discovered a method of stealing fingerprints from at least two Android devices. The team found that the Samsung Galaxy S5 and the HTC One Max stores fingerprint data, used to unlock the devices, as image files (dbgraw.bmp) within an open “world readable” folder on the phones.

“Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” the FireEye team said in its report.

And it gets worse: this is just one of four vulnerabilities found that allows biometric data to be accessed (and therefore stolen) from and Android phone’s TrustedZone. One such scenario, reported by FireEye, involves a fake lock screen designed to trick users into providing their fingerprint to scammers.

The four FireEye researchers responsible for the findings presented their paper, Fingerprints On Mobile Devices: Abusing and Leaking [PDF], at the Black Hat 2015 security conference in Las Vegas last week.

“To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger,” the team said. “So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.”

Think you’re safe because your Android device is rooted? Nope. You’re at the same risk of having your biometric data stolen as anyone else, since the kernel access permissions are only restricted to root privilege, rather than system privilege.

Forecasters predict that 50% of smartphones will require fingerprint verification by 2019.

Thank you The Register for providing us with this information.