Petronella Blog Archive

Visit our New Blog

Stealing Fingerprints from HTC Phones

Blog Post

Biometrics are generally thought to be very secure, which is why many phones now let you use your fingerprints to authorize things from unlocking phones to making purchases.   Researchers have found, however, that it's pretty easy to get that information from the HTC One Max.

The problem is that the HTC One Max stores fingerprint images as a bitmap: dbgraw.bmp, in a folder with completely open "world readable" permissions.  This means any app or process is able to see the fingerprint file.  One way a hacker could use this is to create a fake lock screen that the user will open using their fingerprint.  Instead of unlocking the phone though, it would really be a way to make them unwittingly authorize a transfer of money.

A thief could also use this vulnerability to hack a phone and upload their fingerprint as the authorized fingerprint, although that's a much less likely scenario, given that they would have to have physical access to the phone, which carries a greater risk than remote hacking.

The best thing to do to avoid this is to make sure you apply updates to your phone as soon as possible, as they will surely want to rectify this security hazard as soon as they can.  You could also switch to a customer operating system like CynaogenMod.