Smartphone fingerprint security is 'flawed'

13 August 2015, by Justin Schamotta

Current smartphone fingerprint recognition technology allows hackers to collect fingerprints and hijack fingerprint-protected transactions, say researchers.

[Image: identity theft. Credit: Who is Danny/]

Computer scientists from the security company FireEye have identified major flaws in how the technology is implemented - ranging from poor storage of fingerprint data through to vulnerable fingerprint sensors.

Easy to find

For example, the HTC One Max was shown to store fingerprint data in an easily accessible image file.

"Any unprivileged processes or apps can steal users' fingerprints by reading this file," said the researchers, who presented their findings [pdf] at the Black Hat security conference in Las Vegas.

"To make the situation even worse, each time the fingerprint sensor is used ... [it] will refresh that fingerprint bitmap to reflect the latest wiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim."
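The storage flaw described above comes down to a file that any unprivileged process on the device can read. The following Python script is an added example (not FireEye's code or anything from the HTC firmware) of the kind of permission audit a defender would run over a data directory: it flags regular files whose mode grants read access to the file's group or to everyone, then shows the same audit coming back clean after the offending file is restricted to its owner. The directory layout and the file name `sample_fingerprint.bmp` are constructed for the demonstration and are not taken from the report.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def exposed_to_other_users(mode: int) -> bool:
    """True when the mode bits grant read access to the group or to others.

    On Android and other Unix-like systems this is what lets an unrelated,
    unprivileged process open the file and copy its contents.
    """
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_directory(root: str) -> List[str]:
    """Walk `root` and return (sorted, relative) paths of regular files that
    are readable by group or others. Symlinks are not followed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and exposed_to_other_users(st.st_mode):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def lock_down(path: str) -> None:
    """Restrict a sensitive file to its owner (read/write for owner only)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0o600


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample directory: one file stored correctly (owner-only)
    and one biometric image left world-readable. Returns the audit findings
    before and after the exposed file is locked down."""
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "data")
        os.makedirs(data)

        template = os.path.join(data, "template.bin")      # constructed name
        image = os.path.join(data, "sample_fingerprint.bmp")  # constructed name
        for p in (template, image):
            with open(p, "wb") as fh:
                fh.write(b"\x00" * 64)  # placeholder bytes, not real data

        os.chmod(template, 0o600)  # owner only: passes the audit
        os.chmod(image, 0o644)     # readable by everyone: the flaw

        before = audit_directory(root)
        for rel in before:
            lock_down(os.path.join(root, rel))
        after = audit_directory(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("exposed before:", before)
    print("exposed after: ", after)
```

The same check generalises to any secret the platform writes to disk, not just fingerprint images; on a real device you would additionally confirm that the directory itself is not world-searchable, since a readable file inside an unreadable directory is still reachable by a process that knows its path.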

Most smartphones store the owners' fingerprints in areas of the phone protected by built-in gatekeepers such as TrustZone or Secure Enclave.

However, as the report's authors point out, even these have "known vulnerabilities" that attackers can use "to peek into the secret world".

Sensor vulnerabilities

Even if the storage of fingerprints is made safe, attackers can still intercept images by hijacking the fingerprint sensor itself.

This is because some manufacturers - HTC and Samsung among them - don't make full use of the security features built into the phones' microprocessors.

Any "normal world" activity or process requiring the fingerprint sensor should be routed through these security features, but the researchers found that many manufacturers "failed to lock down the sensor" in this way.

As a result, they say, it's possible for an attacker to "directly read the fingerprint sensor", using malware to intercept each fresh print before it can be stored safely.

They add that this could allow attackers to "remotely harvest everyone's fingerprints [on] a large scale without being noticed".

Creating fakes

If an attacker doesn't have someone's fingerprint, they are still able to manipulate the technology.

For example, a malicious program could create a fake lock screen to mask a transaction. When the user scans their fingerprint to unlock the screen, they actually authorise a payment instead.

This type of "confused authorisation attack" is possible because many fingerprint security systems don't require proof of the context in which the scan was made, say the FireEye researchers.
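The "confused authorisation attack" works because the verifier only ever learns that a finger matched, not what the user was shown when they placed it on the sensor. The Python model below is an added example, not code from the FireEye report or from any handset vendor, of the difference between that context-free design and one in which the trusted authenticator signs the exact context it displayed together with a per-attempt nonce from the verifier. The shared key, the `UNLOCK` and `PAYMENT` contexts and the merchant name are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed: a key shared between the trusted authenticator (the component
# that owns the sensor) and the verifier (e.g. a payment service). A real
# design would use a per-device signing key provisioned in the secure world.
AUTHENTICATOR_KEY = secrets.token_bytes(32)

UNLOCK = {"action": "unlock"}
PAYMENT = {"action": "pay", "amount": "500.00", "currency": "GBP",
           "payee": "example-merchant"}  # constructed transaction


def canonical(context: dict) -> bytes:
    """Stable byte encoding so both sides MAC exactly the same bytes."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


def naive_verify(result: dict) -> bool:
    """Context-free design: the verifier is told only 'a finger matched'
    and has no way to tell what the user believed they were approving."""
    return bool(result.get("matched"))


def issue_assertion(key: bytes, matched: bool, shown_context: dict,
                    nonce: bytes) -> Optional[dict]:
    """Trusted authenticator: after a successful match, sign the context it
    actually displayed to the user plus the verifier's nonce."""
    if not matched:
        return None
    mac = hmac.new(key, canonical(shown_context) + nonce, hashlib.sha256)
    return {"context": shown_context, "nonce": nonce.hex(),
            "mac": mac.hexdigest()}


def verify_assertion(key: bytes, assertion: Optional[dict],
                     expected_context: dict, expected_nonce: bytes) -> bool:
    """Verifier: accept only a MAC over the transaction it is about to
    execute and the nonce it issued for this particular attempt."""
    if assertion is None:
        return False
    expected = hmac.new(key, canonical(expected_context) + expected_nonce,
                        hashlib.sha256).hexdigest()
    return (assertion.get("context") == expected_context
            and assertion.get("nonce") == expected_nonce.hex()
            and hmac.compare_digest(assertion.get("mac", ""), expected))


def demo() -> dict:
    """Four scenarios; the fingerprint matches in every one of them."""
    nonce = secrets.token_bytes(16)  # issued by the verifier per attempt

    # 1. Context-free design: any successful scan can be presented as consent.
    naive = naive_verify({"matched": True})

    # 2. Bound design, user was shown 'unlock' while a payment was pending:
    #    the assertion is tied to the unlock context, so the verifier refuses.
    masked = issue_assertion(AUTHENTICATOR_KEY, True, UNLOCK, nonce)
    confused = verify_assertion(AUTHENTICATOR_KEY, masked, PAYMENT, nonce)

    # 3. Bound design, user was genuinely shown the payment details.
    honest = issue_assertion(AUTHENTICATOR_KEY, True, PAYMENT, nonce)
    accepted = verify_assertion(AUTHENTICATOR_KEY, honest, PAYMENT, nonce)

    # 4. Re-using the honest assertion for a later attempt (fresh nonce) fails.
    replayed = verify_assertion(AUTHENTICATOR_KEY, honest, PAYMENT,
                                secrets.token_bytes(16))

    return {"naive_accepts": naive, "masked_accepts": confused,
            "honest_accepts": accepted, "replay_accepts": replayed}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is where the context is attached: if the component that renders the prompt is also the component that signs, a screen drawn by an ordinary app cannot change what the verifier ends up checking, and the nonce stops a genuine approval from being reused for a later transaction.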

Biometric bloom

An increasing number of smartphones use fingerprint recognition technology - it's estimated that half of all smartphones will have a fingerprint sensor by 2019.

The technology is undeniably convenient - but as the researchers point out: "Fingerprints last for a life - once leaked, they are leaked for the rest of your life."

Online impostors

Our fingerprints are just the latest piece of personal information that criminals are stealing in order to impersonate us.

The ever growing list includes: names, addresses, account details, photos, PINs, and mobile numbers.

Used on its own, each piece of information is of limited value, but security experts warn that an identity can be assembled from just three of them, making it remarkably easy for criminals to apply for credit cards, take out loans or open bank accounts in our names.

This type of fraud is rapidly becoming more widespread - the number of victims of ID fraud increased by 31% to 32,058 in the first three months of 2015.

All in one place

Smartphones are particularly attractive to criminals, as we tend to store huge amounts of personal information on them.

More than 60% of us now carry one, but few take appropriate security measures to keep the personal information stored on them safe.

For example, a survey by credit reference agency Equifax found that one in five people stored PINs, passwords, and bank account or credit card details on their smartphones.

A third of people routinely fail to log out of social media or banking websites. Another 42% don't clear their browser histories, and 45% don't bother protecting their smartphones with passwords.

The police have spent years lobbying mobile phone manufacturers to make setting a secure PIN or password mandatory for smartphone users. This is, however, unlikely to happen now that the biometrics roll-out is in full swing.
