Recently mobile manufacturers (Samsung and HTC) applied a patch for the vulnerabilities that could allow attackers to steal the user’s fingerprint. The researchers who found the flaw have also said that, several other phones from different manufacturers might also be susceptible for fingerprint theft attacks.
According to FireEye, an established security firm, the most serious flaws were found on HTC’s One Max handset. This device saves fingerprints as an unencrypted file so that any unprivileged process or app could obtain the fingerprints of users by reading the file. The attackers could gain advantage of the weaknesses by tricking the users to install a malicious app or by exploiting the vulnerabilities that regularly crop up in Android.
Attackers harvest fingerprints remotely
If you don’t have a proper lock-down, even the attacker from the normal world can read your fingerprint sensor directly. The attackers generally do this in the background and they keep reading the fingerprint of the user on every touch. This indicates that the attackers with remote code execution exploits can harvest the user’s fingerprints remotely in a large scale. As soon as the sensor is active, the malware starts drawing the fingerprints continuously in the background.
How dangerous is the fingerprint theft?
In some phones, the sensor is integrated into the home button which makes it easy to obtain the prints when someone touches the home button. The fingerprint theft gives rise to a lot of unsettling possibilities than just bypassing the fingerprint lock. The attackers can not only bypass the lock but can also compromise victims’ credit cards and also collect people’s biometric data. It’s being said that Samsung, HTC and several other manufacturers have applied a patch for this issue.
How to protect sensor operations?
The researchers at FireEye say that, most of the manufacturers fail to use a feature to protect sensor operations of the device. According to the firm, a separate flaw found on both HTC one max and Samsung Galaxy S5 devices put user’s fingerprints at risk by exposing the sensor to the attackers. So, the general agreement between the security professionals is that the sensor should evoke TrustZone protections provided by ARM chips. TrustZone is nothing but a set of security extensions that allow sensitive operations to be isolated from the operating system.
ency Fuel Services l Video baby monitor