Hole in Android Biometric Security Found, and HYPR Fixed

The Black Hat conference in Las Vegas just wrapped, and the attendees as usual showed off dozens of huge and scary vulnerabilities in many systems (including several IoT connectivity platforms). One particularly terrifying hack revealed was that crackers could use Android phones to steal users’ fingerprints.

Luckily, in addition to showing off the vulnerability, the researchers also unveiled a repair.

HYPR Corp. identified the increasing availability of fingerprint scanners on mobile devices as a risk, and to secure these biometric markers on mobile devices, the company has released a biometric tokenization platform that will augment these systems with strong cryptographic security.

“Biometric authentication provides a much-needed solution to the problem of insecure passwords, but it is not a panacea. As we have seen, when executed poorly, biometric authentication can put sensitive data at risk,” said George Avetisov, CEO, HYPR. “That is why enterprises must ensure they have implemented a robust, multifaceted security solution that ensures biometric signatures and user data is stored safely and isn't transmitted across the Internet. This is where biometric tokenization comes into play.”

Security concerns identified by HYPR, and findings from the research revealed at Black Hat, include: that by 2019, more than half of all smartphones will include a fingerprint sensor; most device manufacturers fail to use available protection to safeguard biometric data in the Android OS; hackers have found a means to steal fingerprint data thanks to fingerprints being stored as an image file in an open, readable, folder.

To address these problems, HYPR advised that users leverage biometric tokenization to enable the safe transmission of a fingerprint image or template to the cloud using trusted public key cryptography; fingerprints should be stored as a mathematical representation in a trusted environment separate from the device OS; and secure processors should be deployed that are designed for the storage of sensitive data.

Register now for the IoT Evolution Expo to learn more about how to secure data in the IoT. It will be next week, August 17 to 20 at Caesars Palace in Las Vegas.