Company left fingerprint data unencrypted

Smartphone maker HTC has been storing its users’ fingerprints in an unencrypted file that any hacker could easily access.

The discovery, presented in a recent paper from security firm FireEye, has raised new concerns about the rapid transition to using fingerprints as a primary form of identification.


The flaw affects the HTC One Max, an almost two-year-old device that relies on a fingerprint scanner to allow users to unlock the phone or authorize various payments or money transactions.

“While some vendors claimed that they store users’ fingerprints encrypted in a system partition, they put users’ fingerprints in plaintext and in a world-readable place by mistake,” said the report. “Any unprivileged processes or apps can steal users’ fingerprints by reading this file.”

Essentially, hackers could place an app on your phone that scoops up the image of your fingerprint each time the scanner is used, creating a clearer picture in the process.

Devices are increasingly reliant on fingerprint scanners. Biometric data is seen as a more secure method of identification because of its uniqueness. Additionally, the traditional password — while still ubiquitous — is considered obsolete and fatally flawed.

The newer iPhones all have fingerprint scanners, as do later models of the top-selling Samsung Galaxy series.

However, these early attempts to transition to fingerprint authentication have been shaky. Researchers have shown that fingerprints can be lifted straight from smartphone screens.

The recent FireEye research exposes yet another set of ways that fingerprints are not being secured. The findings are particularly concerning since fingerprints — unlike passwords — can never be changed and are often tied to important citizen and immigration records.

“Victims can easily replace the stolen passwords with a new one. But fingerprints last for a life — once leaked, they are leaked for the rest of your life,” the researchers said.

The report said similar flaws were discovered in other phones, such as the Samsung Galaxy S5, but did not elaborate.

All vendors had patched up their deficiencies before the research was released.