Troubled technology giant HTC has been found to be storing the fingerprints of its smartphone users in an unencrypted, easily-accessible format, giving any software on the device an easy means to steal the data.
While fingerprint scanning technology isn't new, it has enjoyed something of a resurgence of late thanks to interest from consumers in keeping their smartphones and other portable devices secure without having to go through the trouble of entering a PIN or unlock code each time they want to use them. As a result, it's not unusual to find a fingerprint scanner on top-end mobile devices, but according to a quartet of security researchers their implementation leaves a lot to be desired.
In a presentation
(PDF warning) presented at the Black Hat conference in Las Vegas and spotted by the Register
, mobile developers are failing to make use of security systems built into the platforms and devices they create to protect their users' biometric data adequately. The worst of these offenders was HTC, whose HTC One Max smartphone was found to store the full fingerprint data in a non-encrypted format in a folder to which all software on the handset had full read access - making it trivial to steal.
The researchers, Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei, claim that it is trivial to create a malicious application which sits in the background and steals the data - including capturing every single fingerprint swiped on the device, regardless of whether or not the resulting unlock operating was successful.
HTC may be the worst offender, but it's not alone: similar flaws were discovered on rival handsets, while the majority filed to use the TrustZone feature of the ARM system-on-chip processor which powered their devices to protect the fingerprint scanner peripheral itself from spoofing and data collection attacks.
HTC has not responded to the group's report, though the researchers have indicated that patches for fingerprint-related flaws have been created and released by all vendors mentioned in the report.