11 Aug Are fingerprints the new passwords? Security experts sure hope not.
Ever since Apple introduced TouchID for iPhones, more and more smartphones feature fingerprint scanners. And that has some security researchers worried.
“If you leak a password, you can just change it; if you leak a fingerprint, it’s lost for your whole life,” FireEye researcher Yulong Zhang said at a presentation at the Black Hat USA conference in Las Vegas last week.
Zhang was part of a team that revealed that several Android smartphones from makers including Samsung and HTC featured vulnerabilities that could allow bad guys to steal users’ fingerprints. HTC’s One Max device, for instance, saved fingerprint images without encryption, they said. And the images could be read by any other app on the phone, potentially leaving them exposed if the user had installed another program with a security vulnerability, according to the researchers.
Both the HTC One Max and Samsung Galaxy S5 also left users’ fingerprints vulnerable, the researchers said, by not isolating the fingerprint sensor tech from the rest of the phone’s operations. The phone makers have provided patches for these issues, according to a report from the researchers.
While fingerprint scanners have become a popular way to avoid using a password or PIN, especially on mobile devices, the FireEye research highlights some of the potential pitfalls of the tech: As a biometric marker, fingerprints are impossible to change.