Biometric security flaws

Vulnerabilities discovered on fingerprint readers embedded in Android smartphones are attracting the attention of cybersecurity researchers.

The security of biometric identification systems is not to be recognized as truly infallible. In any case, this was demonstrated by the demonstration by the three researchers who looked at the case of fingerprint readers. They practiced their tests on several popular smartphones – and ended up making this conclusion: the implementation of the device was flawed on several levels.

This article will interest you: Biometric data security systems, for or against?

The very first observation concerns certain software. Indeed, these programs do not, from a logical point of approach, distinguish between allowing (i.e. giving access to resources) and authenticating (thus verifying the identity of a user). Practically 1, this defect of distinction could allow a malicious person to give transaction, another turn – for example, one can make his victim believe that he is unlocking his phone, when in truth he triggers an electronic payment transaction.

In addition, other vulnerabilities have been discovered on several devices, the clear fingerprint storage program is encryption-free and is built in a human-decrypted format. This is the case of the HTC One Max model even though it has since benefited from a correction, in the data folder, it is stored a file "bitmap dbgraw.bmp" with the permissions "0666", in other words, it is accessible to any program, in reading or even in writing.

In some contexts, fingerprint sensors may sometimes be exposed, despite the presence of a TrustZone, a secure and isolated space in the core and placed in a reserved memory space. In principle, the ARM architecture should prevent any critical components from having access outside this TrustZone. Unfortunately, many manufacturers do implement it. This is the case with Apple. the iPhone also cracks fingerprints directly at the reader's level through a key system shared with the TrustZone." the conclusion is that it is just as possible for a hacker to tamper with the program to detect commands and data transactions, until the fingerprint is obtained. It does not need to have root-level prerogatives.

Another flaw, is the possible implementation of a back door directly into the sensor, so that other fingerprints can be added outside the registered base. But to keep all this unnoticed in the eyes of the user, it would be necessary to hack the application that displays the amount of fingerprints memorized. This may be the "Parameters" program in French-language versions of the Android system.

In addition to the HTC One Max, several vulnerabilities have also been discovered on Samsung's Galaxy S5 and various Huawei brand models – such as the "Ascend Mate 7" which is equipped with "chipset HiSiliconKirin 925" technology. This situation is quite worrying because it is estimated that more than 50% of mobile phones will have a fingerprint scanner according to the Research study.

Now access an unlimited number of passwords: