Researchers from FireEye Labs have unearthed multiple vulnerabilities in the fingerprint scanner implementations of several Android handsets. The group's research paper was presented at the Black Hat conference last week, and it describes several vulnerabilities, some of which had the potential to allow for remote background collection of fingerprints. We say "had," because it should be noted that all of the companies mentioned have patched the issues presented in the paper. Other, non-manufacturer-specific vulnerabilities could still be exploited.
Android's fingerprint authentication framework originally provided only weak security. Fingerprint data was only as secure as the kernel itself—an attacker who manages to gain root access to the device can read fingerprints. Companies are starting to use ARM's TrustZone functionality, which provides a secure environment for sensitive code, data, and devices like fingerprint scanners to operate in. However, many handsets out there still don't use these features, and even when they do, security is not guaranteed, according to the researchers.
The first vulnerability disclosed in the paper is called the "Confused Authorization Attack." Apparently, fingerprint frameworks often fail to verify the identity of an app that's making a fingerprint read request, checking only whether it has permission to make one. This means a malicious app with fingerprint scanner access can disguise itself as a legitimate one. The researchers provide an example app that fakes a lock screen in order to trick a victim into providing their fingerprint authentication, which the malware then uses to authorize a banking transaction in the background. The researchers say that the FIDO Alliance is developing a context-specific standard for secure mobile authentication that prevents this attack, but the paper notes that as of June 2015, no major vendor has implemented such a defense.
Then there are issues with storing the fingerprints themselves. You'd think device makers would have stored fingerprints under key, lock, chain, dog, and guard—and you'd be wrong. For example, the researchers found that HTC's One Max stored unencrypted fingerprint images in a world-readable directory (in /data/dbgraw.bmp, more precisely). Not only is that bad in itself, but the file in question gets overwritten with each new finger swipe, meaning all a malicious app has to do is sit in the background and read the file periodically, possibly collecting several different fingerprints.
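The storage problem above comes down to file permissions: a sensitive file sitting where any unprivileged process can read it. The following is an added audit helper, not code from the FireEye paper or from any vendor, that walks a directory tree and reports regular files whose mode grants read access to "other". The sample tree it builds (the file names `dbgraw.bmp` and `template.bin` and their modes) is constructed for illustration; on a real device the same function would be pointed at the directory under review.

```python
import os
import stat
import tempfile


def world_readable_files(root):
    """Return sorted paths under `root` whose mode bits grant read access to 'other'.

    Added audit helper (not from the FireEye paper): the kind of check that
    would flag an unencrypted image left in a directory any app can read.
    Only the permission bits are inspected, so the result does not depend on
    which user runs the audit.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # unreadable metadata: skip rather than abort the sweep
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                hits.append(path)
    return sorted(hits)


def make_sample_tree():
    """Construct a throwaway directory with one world-readable and one private file.

    The names and modes are constructed for this example; they are not taken
    from a real device.
    """
    root = tempfile.mkdtemp(prefix="fp_audit_")
    exposed = os.path.join(root, "dbgraw.bmp")    # constructed stand-in for an exposed image
    private = os.path.join(root, "template.bin")  # constructed stand-in for a protected file
    for path in (exposed, private):
        with open(path, "wb") as handle:
            handle.write(b"\x00" * 16)  # placeholder bytes, not real biometric data
    os.chmod(exposed, 0o644)  # world-readable: the misconfiguration described above
    os.chmod(private, 0o600)  # owner-only: the expected setting for sensitive data
    return root, exposed, private


if __name__ == "__main__":
    sample_root, _, _ = make_sample_tree()
    for hit in world_readable_files(sample_root):
        print("world-readable:", hit)
```

Running the block on the constructed tree reports only `dbgraw.bmp`; the owner-only `template.bin` is not listed. A permission audit like this catches the exposure the paper describes but says nothing about whether the contents are encrypted, which is a separate check.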
The story doesn't end there, though. The researchers note that even if the fingerprint data is secured via TrustZone, the sensor itself might not be. Phone makers can isolate certain peripherals from apps outside of TrustZone, but several companies didn't take that step. The researchers call out the HTC One Max and the Samsung Galaxy S5 as phones that allowed non-privileged apps to read their fingerprint sensors. In other cases, the researchers found that the fingerprint sensor was only guarded with the "system" privilege level, a safeguard for which privilege-escalation exploits are easier to find.
The final vulnerability described may be trickier to use in practice, but is interesting nevertheless. An attacker that gains access to the Settings app can modify the UI, changing the number of registered fingerprints. The attacker can then embed a hidden fingerprint of their own in the device, creating an easily accessible backdoor. The Settings app is claimed to be more difficult to attack because it must be signed with the same private key as other system-level apps (usually a key held by the phone vendor). The researchers note that an attacker could get around this obstacle by extracting the phone's ROM, re-signing all system-level apps with their own private key, and re-flashing the phone. Another workaround would be to gain root privileges on the device and disable signature checking.