HTC stored users’ fingerprints as unencrypted images

Anyone using a fingerprint scanner on their smartphone has a certain level of trust in the handset’s manufacturer to keep their biometrics safe.

Unfortunately, that trust seems to have been broken by popular Taiwanese phone maker HTC.

It’s emerged that the manufacturer failed to lock down fingerprints captured by its two-year-old HTC One Max.

According to a report by security firm FireEye Labs (via The Guardian), the HTC One Max kept scanned fingerprints in an unencrypted, world-readable file format.

What’s more, the fingerprints were stored as high-resolution bitmap images, marking this as a serious security failure.

“While some vendors claimed that they store user’s fingerprints encrypted in a system partition, they put users’ fingerprints on plaintext and in a world readable place by mistake,” the researchers write.

FireEye continues: “On the HTC One Max X the fingerprint is saved as /data/dbgraw.bmp with a 0666 permission setting (world readable). Any unprivileged processes or apps can steal user’s fingerprints by reading this file.”

“To make the situation even worse, each time the fingerprint sensor is used… [it] will refresh that fingerprint bitmap to reflect the latest wiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim,” the report adds.

FireEye was able to use the bitmap files to reconstruct proper scans of the fingerprints, which could be used to bypass security systems.

Biometrics are becoming an increasingly prevalent method of authentication, so a third-party obtaining your fingerprints could be bad news for your privacy.

What’s more, FireEye claims that the HTC One Max isn’t the only phone with insufficient fingerprint storage security, although it failed to name any other devices.

“Most vendors fail to lock down the [fingerprint] sensor…without the proper lock down, an attacker from normal world can directly read the fingerprint sensor. Note that attackers can do this stealthily in the background and they can keep reading the fingerprints on every touch of the victim’s fingers,” reads the report.

Don’t forget that once a hacker has your fingerprint, the hacker has it for life. Users can’t just change it like they can with a breached password.

Related: Best Android Smartphones 2015

It should be noted that the bug has now been fixed by HTC after FireEye made the manufacturer aware of the potential risk to consumers.

HTC is going through tough times at the moment, having just posted its biggest ever quartery loss of £163 million for the three months leading up to June 2015.

As a result, the firm is now cutting staff and reducing the number of smartphones that it turns out each year.

The company’s stock is currently trading below its cash-on-hand reserves, which effectively means that investors value the company’s brand, factories, and buildings as worthless, as noted by Bloomberg.

Do you think mobile manufacturers do enough to keep our biometric data safe? And can HTC soldier on through the ongoing series of hitches? Let us know in the comments.

Check out our smartphone group test video below: