Thursday, August 13, 2015

Fingerprints only ever part of the solution, whether Android or Apple

Fingerprint scanning on smartphones came under the spotlight at the Black Hat conference this year, with researchers highlighting vulnerabilities on certain Android devices, which places a question mark over the real security value of such biometric measures.

FireEye researchers discovered that HTC smartphones were storing the data from fingerprint scans, which is needed to enable biometric security on the device, as unencrypted .bmp image files where any attacker could easily find them. The researchers point out, for example, that the HTC One Max X stored the fingerprint as /data/dbgraw.bmp with a 0666 permission setting, which makes the file 'world readable', so any unprivileged process or app could read it at will. Worse still, every time the fingerprint sensor was used to unlock the handset or access a protected app, that bitmap file was refreshed. As a consequence, an attacker could collect every swipe the user made, so the chances of obtaining a good image that could be used for nefarious purposes were very high indeed.

HTC says only the HTC One Max was vulnerable, and that the vulnerability has now been fixed. However, the FireEye researchers insist that the fingerprint sensors used by vendors including HTC and Samsung are vulnerable because the sensor itself is exposed to attackers. "Although the ARM architecture enables isolating critical peripherals from being accessed outside the TrustZone," they wrote, "most vendors fail to utilise this feature to protect fingerprint sensors." Specific handsets said to be at risk included the HTC One Max and Samsung Galaxy S5; HTC and Samsung, along with other as yet unidentified vendors, are said to have rolled out fixes for this issue as well.
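As an added example (not code from the article or from FireEye's research), the Python audit below builds a constructed directory standing in for a device's data partition, lists the regular files whose permission bits grant read access to every process, as the 0666 dbgraw.bmp did, and then restricts those files to their owner; the file names, modes and contents are all made up for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def find_world_readable(root):
    """Return relative paths of regular files under root that any
    unprivileged process could read (the 'others' read bit is set)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def restrict_to_owner(root, rel_paths):
    """Remediation: clear the group and other bits so only the owning
    user (on Android, the owning app or service UID) can read or write."""
    for rel in rel_paths:
        os.chmod(os.path.join(root, rel), stat.S_IRUSR | stat.S_IWUSR)  # 0600


def demo():
    """Build the constructed layout, audit it, fix it, and audit again.
    Returns (world-readable files before, world-readable files after)."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "app"))
        layout = {
            "dbgraw.bmp": 0o666,      # the weak mode from the article: readable (and writable) by everyone
            "app/secret.key": 0o600,  # correct mode: owner only
            "app/readme.txt": 0o644,  # world readable, flagged so a reviewer can decide if that is intended
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample contents")
            os.chmod(path, mode)  # chmod after open() so the umask cannot mask the test modes
        before = find_world_readable(root)
        restrict_to_owner(root, before)
        after = find_world_readable(root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())  # → (['app/readme.txt', 'dbgraw.bmp'], [])
```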
However, with support for fingerprint scanners being incorporated into Android, and services such as Android Pay and Apple Pay utilising fingerprints to secure payments, the biometric sensors along with the data they collect are sure to come under increasing scrutiny from cyber-criminals. So, the question is: are fingerprints up to scratch in the world of mobile security?