After HTC reported its worst quarterly results ever earlier this month, security researchers have more bad news for the company.
Investors are not happy about the smartphone manufacturer's results, and now customers have a reason to be upset. Researchers at security company FireEye have revealed that they can steal fingerprint information from the Samsung Galaxy S5 and HTC One Max.
Fingerprint images stored insecurely on HTC One Max
Fingerprint scans were found to be stored in an image file named dbgraw.bmp in an unsecured folder. As a result, hackers who access these files can edit the prints, delete them, or use fake scans to make purchases. Hackers could also use malware which asks for the fingerprints upon start-up.
Samsung and HTC work in partnership with a third party on the fingerprint technology, and it appears that significant security flaws are present. Although the S5 is affected, the new generation Samsung Galaxy S6 and S6 Edge feature a different sensor which prevents hackers from finding and exploiting the fingerprint images.
If a hacker accesses the image file, they can view even tiny changes to the fingerprints. Access gives the intruder indefinite use of the print, so long as the owner does not delete it from their smartphone.
Increasingly popular technology subject to serious security concerns
“To make the situation even worse, each time the fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger,” the team says. “So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.”
Researchers at FireEye believe that they are the first to discover the flaw, which means the manufacturers should have time to release a patch before hackers begin to exploit it.
It is a remarkable error by the creator of the fingerprint technology, and may explain why Samsung switched to a different provider in 2014. For HTC, the story will generate more unwelcome headlines at an already difficult time for the company.
Given that over half of phones could have a fingerprint sensor by 2019, such a simple flaw raises serious security concerns over the technology.