As fingerprint readers become more common on mobile devices, many questions arise about how these devices store fingerprints and whether the security of such uniquely identifiable information can ever really be guaranteed. A new report from security firm FireEye Labs shows that there is much to be done in this field: it points out that the HTC One Max failed to store users’ fingerprints securely.
The HTC One Max is nearly two years old and features a fingerprint sensor. FireEye Labs found that the device kept scanned fingerprints in an unencrypted, world-readable file, which means that any app could access and read those fingerprints if it knew where to look for them.
Users could have been at risk of having their biometric information stolen had they installed a malicious app that knew where to look for those fingerprints and could then upload them to a server without the users’ knowledge.
The device stored the fingerprint data as a bitmap file, from which FireEye was able to reconstruct an image of the fingerprint. Attackers could have stolen multiple images, since the One Max overwrote the stored fingerprint image every time it took a new scan.
No harm appears to have been done, though, as FireEye points out that HTC was quick to patch the flaw once it was told about it. The report suggests that other devices with fingerprint sensors could have similar problems, though it names only the HTC One Max.