This site may earn chapter commissions from the links on this page. Terms of use.

For the past few years, both Apple and the diverse Android manufacturers have been pushing the idea of fingerprint readers, typically on the dubious grounds that biometric security is a better choice compared to a good passcode. New research from the security firm FireEye seems to blow that claim broad open up, however. Co-ordinate to FireEye, multiple Android manufacturers protect your fingerprint and so poorly, it tin be read by plugging the phone into a computer and knowing which folder to access.

This is deeply problematic, because that fingerprint readers are oftentimes used as the basis of payment authorization also, but the FireEye study shines a disquisitional heart on just how lightly nearly Android OEMs take device security. In theory, the fingerprints stored on an Android device are at least every bit secure as the kernel, with ARM'due south TrustZone applied science offering an additional layer of isolation and protection. In the real earth, still, OEMs aren't using this capability. FireEye'due south report states:

1 example is the HTC I Max — the fingerprint is saved as /data/dbgraw.bmp with 0666 world permission (world readable). Any unprivileged processes or apps can steal the user's fingerprints past reading this file. Other vendors shop fingerprints in TrustZone or Secure Enclave, merely there are still known vulnerabilities for attackers to leverage… To make the situation even worse, each time the [HTC] fingerprint sensor is used for auth performance, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger. And then the attacker can sit in the groundwork and collect the fingerprint image of every swipe of the victim.

HTC-One-Max

HTC takes the cake for absolute worst exposure of disquisitional security issues, but vendors like Samsung aren't exactly doing a blindside-up task, either: FireEye likewise reports that the fingerprint sensor is itself vulnerable to attacks. ARM's TrustZone offers the ability to isolate peripherals, merely no vendors currently take advantage of it. The image below shows how the system should piece of work (at pinnacle) with TrustZone functioning properly, versus how information technology's actually programmed in today's real-world devices. Because normal applications can query the sensor, they can also exist used to take background readings every fourth dimension someone touches information technology, record their fingerprint data, and relay it to third parties or hacking outfits.

TrustZone

ARM TrustZone

While only HTC was found to exist blatantly storing user information where literally anyone could reach it, the fact that the fingerprint sensor could be accessed or hacked via already-known exploits in the Android kernel means that the biometric authorization schemes in the vast majority of phones aren't secure — and that'southward earlier we consider Android's terrible security model that leaves users with no means of installing or updating their devices with critical security fixes if Samsung or other manufacturers don't push them out in the first place. Several OEMs have recently pledged to change these practices, but it's also soon to judge if they actually will.

Fingerprint sensors aren't secure, and neither is much else

If you're depending solely on a fingerprint scanner to secure your device, y'all really ought to rethink that strategy, even if y'all don't take an Android phone. Courts have ruled that while the police tin can't forcefulness yous to disclose a passcode, they tin can fingerprint y'all without consent — and that means your device tin exist unlocked whether you concur to information technology or not. Ideally, users could use both a security code and fingerprint to keep a device locked, but I'm non sure which modern smartphones, if any, offer this option.

What's even more troubling, however, is the condescending way the Android OEMs have approached the topic. Information technology'due south not hard to see why Samsung's security model is flawed and HTC's is completely broken — it costs zippo to claim to care nearly user security online, while actually implementing security procedures is a time-consuming and expensive process. Nigh people don't buy phones based on how secure they are, and fifty-fifty the scattering of buyers who prioritize the characteristic aren't ordinarily equipped to objectively evaluate whether or not a product lives upward to its expectations.

Over the past few months, I've repeatedly referred to the hypocritical way that corporations and the government tell users to respect privacy, while simultaneously encouraging users not to care. It would exist impossible to tell if HTC suffered whatever negative impacts from this news, given the terrible shape that the visitor is in right now, but manufacturers like Samsung accept suffered no serious problems. Samsung has lied about the encryption on its televisions, left an estimated 600 million of its customers vulnerable to hacking thank you to a broken keyboard application, and smashed Microsoft's Windows security model by shipping systems with Windows Update disabled. Why? Considering it couldn't be bothered to configure the update policy on one specific component.

Everything Samsung has done this year pales in comparison to Lenovo, whose Superfish debacle was i of the worst security flaws since Sony thought installing rootkits was a good idea. I didn't remember we'd see Lenovo feat topped anytime soon — until Chrysler managed to ship a jeep so fundamentally broken, it could be used to cripple vehicles and potentially kill people.

Given the country of the software currently used to connect our devices, don't depend on any single metric, whether it's a passcode or a fingerprint device. Problems like this will persist until companies learn that effective security is critical to establishing trust in the long run, even if it isn't a sexy point you can drop on a marketing slide.