Warning about fingerprints as passwords
Ever since Apple introduced TouchID for iPhones, more and more smartphones feature fingerprint scanners. And that has some security researchers worried.
“If you leak a password, you can just change it; if you leak a fingerprint, it’s lost for your whole life,” FireEye researcher Yulong Zhang said at a presentation at the Black Hat USA conference in Las Vegas last week.
Zhang was part of a team that revealed that several Android smartphones from makers including Samsung and HTC featured vulnerabilities that could allow bad guys to steal users’ fingerprints. HTC’s One Max device, for instance, saved fingerprint images without encryption, they said. And the images could be read by any other app on the phone, potentially leaving them exposed if the user had installed another program with a security vulnerability, according to the researchers.
Both the HTC One Max and Samsung Galaxy S5 also left users’ fingerprints vulnerable, the researchers said, by not isolating the fingerprint censor tech from the rest of the phone’s operations. The phone makers have provided patches for these issues, according to a report from the researchers.
While fingerprint scanners have become a popular way to avoid using a password or PIN, especially on mobile devices, the FireEye research highlights some of the potential pitfalls of the tech: As a biometric marker, fingerprints are impossible to change.
They’re also public. You leave fingerprints on, well, almost everything you touch. And researchers have even been able to spoof fingerprints based on public photos — all of which makes fingerprints a pretty hard sell as the future of authentication to some experts. If someone else can make a copy of your prints, they stop being an effective security mechanism.
And there’s a very real risk they might be compromised. Just ask the Office of Personnel Management: More than a million fingerprints were breached as part of cyberattacks against the agency disclosed this year, in what experts consider a significant intelligence failure.
If the research has you on edge about the security of your own fingerprints with your smartphone, consider this: Similar general security concerns have been raised about the fingerprint scanners used in other devices, like laptops, or by set-ups at motor vehicle departments and airports, researchers say.