HTC failed to lock down fingerprints captured by one of its phones, leaving prints exposed to any app that knew to go looking for them, according to a report from security firm FireEye Labs. The firm found that the HTC One Max, a nearly two-year-old phone with a fingerprint reader, kept the fingerprints that it scanned in an unencrypted, world-readable file. In practice that means any app on the device could open the file and read the stored fingerprints — something that could be a real issue if a malicious app was aware of the flaw. HTC fixed the vulnerability after being alerted to it, FireEye says. HTC says the issue was fixed "in all regions."
The One Max had been storing fingerprint data in a specialized bitmap file, which FireEye was able to reconstruct into a proper scan of the print (shown right, cropped by FireEye for anonymity). The One Max even updated its fingerprint image every time it received a new scan, so an attacker could have grabbed multiple images. HTC says that the flaw was not present on other devices. "As always, HTC takes security issues very seriously and makes it a top priority," a spokesperson says.
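The core of the flaw described above is a Unix permission mistake: sensitive data written to a file whose mode bits let every user (and therefore every app) on the device read it. The following is an added example, not code from the article, FireEye or HTC. It shows how a defender can audit a directory tree for world-readable regular files and restrict any findings to owner-only access. It assumes a POSIX filesystem that honours mode bits; the directory layout, the file names and the `demo` helper are constructed for illustration only.

```python
"""Audit a directory tree for world-readable files and tighten their mode.

Added example (not FireEye's or HTC's code). It models the class of flaw
described in the article, sensitive data left in a world-readable file on a
Unix-like system such as Android, from the defender's side: find such files
and restrict them to owner-only access.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Mode bits that grant access to users outside the owner and group ("other").
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
# Owner read/write only, i.e. 0o600, the usual target for secret material.
OWNER_ONLY = stat.S_IRUSR | stat.S_IWUSR


def is_world_readable(path: Path) -> bool:
    """True if `path` is a regular file whose mode has the 'other read' bit set."""
    mode = path.lstat().st_mode
    return stat.S_ISREG(mode) and bool(mode & stat.S_IROTH)


def audit_world_readable(root: Path) -> List[Path]:
    """Walk `root` and return every regular file that is world-readable.

    Symlinks are skipped so that a planted link cannot redirect the audit
    (or the later chmod) to a file outside the tree being checked.
    """
    findings: List[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            if is_world_readable(p):
                findings.append(p)
    return sorted(findings)


def harden(path: Path) -> int:
    """Restrict `path` to owner read/write (0o600) and return the new mode bits."""
    path.chmod(OWNER_ONLY)
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> Dict[str, object]:
    """Build a throwaway tree that mimics the flaw, audit it, fix it, re-audit.

    Everything here is constructed sample data; the names are hypothetical.
    """
    tmp = Path(tempfile.mkdtemp(prefix="fp_audit_"))
    data_dir = tmp / "data"
    data_dir.mkdir()

    # A "fingerprint" bitmap left world-readable (0o666), the mistake at issue.
    leaked = data_dir / "fingerprint_scan.bmp"
    leaked.write_bytes(b"BM" + bytes(64))
    leaked.chmod(0o666)

    # A correctly protected neighbour (0o600) that the audit must not flag.
    safe = data_dir / "keystore.bin"
    safe.write_bytes(bytes(16))
    safe.chmod(0o600)

    before = audit_world_readable(tmp)
    fixed_modes = {str(p.relative_to(tmp)): harden(p) for p in before}
    after = audit_world_readable(tmp)
    return {
        "before": [str(p.relative_to(tmp)) for p in before],
        "fixed_modes": fixed_modes,
        "after": [str(p.relative_to(tmp)) for p in after],
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when running an audit like this on a real system: a file that is not itself world-readable can still be exposed if it sits under a directory with loose permissions and is reachable some other way (a copy, a debug dump), and mode bits are only one layer. On Android, app sandboxing, SELinux labels and encryption at rest all matter too, which is why the article treats the plaintext storage as a problem in its own right and not just the permissions.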
FireEye's report suggests that other phones with fingerprint readers may have similar problems, though it only names the One Max. The report also notes that certain phones failed to fully secure their fingerprint sensor, potentially allowing apps to step in and read the data as a scan was happening. This flaw was present on the One Max, Samsung's Galaxy S5, and others that FireEye leaves unnamed; all phones with the flaw were fixed after their manufacturer was alerted to the issue. "After a thorough review with FireEye, it was found that all Galaxy S5 users' data remain safe," a Samsung representative said.
As security researcher and ACLU policy analyst Chris Soghoian points out, HTC is already under order from the Federal Trade Commission not to mislead consumers on security. That's because HTC was found to have failed to "take reasonable steps" in securing millions of devices, in part because it didn't provide engineers with "adequate security training" and failed to review software for security flaws. This was back in February of 2013, several months before the One Max was released, but it speaks to how such a flaw could have slipped through.
The One Max was never a particularly popular or successful phone, and it isn't known whether any of these flaws was ever used maliciously. But there's still good reason to be concerned about this vulnerability's existence. As FireEye notes in its report, you can't change your fingerprints like you can change a leaked password: "Once leaked," it writes, "they are leaked for the rest of your life."
Update August 10th, 4:25PM ET: This story has been updated to include comment from HTC.
Update August 11th, 8:05AM ET: This story has been updated to include comment from Samsung.