HTC One Max fingerprint sensor data left unsecured for apps to see
A report from FireEye Labs (a security firm) reveals that some smartphones with fingerprint sensors aren’t as secure as we’d like them to be. The one device named specifically was the HTC One Max which was supposed to store fingerprint data in a secure enclave that no one could get to. Turns out, that wasn’t the case and any app could have potentially gained access to the fingerprint data and even recreated a bitmap image of the fingerprints stored. Thankfully, HTC fixed the gaping hole “in all regions” before the report went public.
FireEye shared images they managed to gain access to inside the HTC One Max, and cropped them to protect the identity of the owners. What you see to the left is just a small portion of someone’s fingerprint. Data obtained through the One Max’s supposedly ‘secure’ enclave. If there’s one small comfort to be taken from this, it’s that the HTC One Max isn’t the most popular phone around, and by now, it’s also relatively old. What’s more, HTC told The Verge that the flaw was only present in the HTC One Max, and doesn’t effect any of its other phones or devices.
While the One Max is the only device specifically named in the vulnerability report, the company does suggest devices from other manufacturers suffer(ed) with the same issue. What’s more, another issue present in a number of devices was a vulnerability which could potentially allow any app to interrupt the fingerprint scanning process as a user was using the sensor. If taken advantage of, this would see software with the ability to take fingerprint data as it’s being read, in real-time.
All devices mentioned (including the Galaxy S5) and others hinted at, have all be locked down since the vulnerability was discovered. When it comes to fingerprint data, we like to think that the information is being treated with paramount focus. Once someone gets your fingerprint data, there’s not a lot you can do about it. You can’t change it like a PIN, password or pattern.