
Researchers point out flaws in some Android phones’ fingerprint security


Security research firm FireEye has developed a new spoofing method for acquiring fingerprints from Android smartphone models fitted with biometric sensors, such as the Samsung Galaxy S5 and the HTC One Max, according to a report by The Register.

The spoofing method is one of four attacks the FireEye researchers recently discovered that exploit major security flaws in Android smartphones with fingerprint sensors, flaws which they say make those devices more vulnerable than Apple’s Touch ID system.

FireEye’s researchers, Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei, discovered a flaw in the HTC One Max in which fingerprint data is stored as an image file (dbgraw.bmp) in an open, “world readable” folder.

“Any unprivileged processes or apps can steal user’s fingerprints by reading this file,” said the team, adding that the images can be made into clear prints by adding some padding.
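The defect described above is a permissions problem: sensitive sensor data left in a location that any unprivileged process can read. The following is an added audit example, not code from FireEye or from the device vendors, that shows how a defender can check a directory tree for world-readable files of the kind the article describes. The filename dbgraw.bmp comes from the article; the directory layout, the other filenames and the extension list are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_world_readable(path):
    """Return True if the 'other' read bit is set, i.e. any local user or app
    running under any UID can open the file for reading."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def find_world_readable(root, suffixes=(".bmp", ".raw", ".dat")):
    """Walk `root` and return the relative paths of world-readable files whose
    extension suggests raw sensor or image data. The suffix list is an
    assumption for this example, not a vendor-defined set."""
    findings = []
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in suffixes and is_world_readable(p):
                findings.append(p.relative_to(root).as_posix())
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout (not taken from any real phone):
    one world-readable bitmap, one owner-only bitmap and one unrelated
    world-readable log file."""
    base = Path(base)
    (base / "data").mkdir(parents=True, exist_ok=True)
    files = {
        "data/dbgraw.bmp": 0o644,  # readable by everyone: this is the finding
        "data/secret.bmp": 0o600,  # owner-only: must not be reported
        "data/app.log": 0o644,     # world-readable but not sensor data: ignored
    }
    for rel, mode in files.items():
        p = base / rel
        p.write_bytes(b"\x00" * 16)  # placeholder content, constructed
        os.chmod(p, mode)            # set the mode explicitly, independent of umask
    return base


def demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_world_readable(tmp)


if __name__ == "__main__":
    for finding in demo():
        print("world-readable sensor data:", finding)
```

On a real device the same check would be run against the directories an app or driver writes to, and the expected result is an empty list: a file that only the sensor daemon should read must not carry the 'other' read bit at all, regardless of how obscure its name or location is.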

In another spoofing scenario, FireEye demonstrates how attackers can have third-party money transfers authenticated by displaying a fake lock screen that prompts unsuspecting victims to scan their fingerprints to unlock the device.

The researchers presented their paper, “Fingerprints On Mobile Devices: Abusing and Leaking”, at Black Hat in Las Vegas last week.

They explained how the majority of Android smartphone manufacturers fail to use the TrustZone protection available on Android to protect biometric data.

“To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger,” the team said. “So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.”

Access to the fingerprint sensors embedded in the smartphones is restricted only to the root privilege level, not to the system level, which makes it easier for attackers to find a workaround.
