[fprint] I wonder whether disclosure of a fingerprint is a vulnerability or not.

Thu May 9 01:36:10 UTC 2019

Hi,

I wonder whether disclosure of a fingerprint is a vulnerability or not.

Recently, I posted an issue about 'disclosure of a fingerprint' on several
community, such as upstream, various Linux distributions, and oss-security.
- @Upstream: https://gitlab.freedesktop.org/libfprint/fprintd/issues/16
- @Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1822590
- @Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1693357
- @Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926749
- @openSUSE: https://build.opensuse.org/request/show/701312
- @oss-security: https://www.openwall.com/lists/oss-security/2019/04/23/3

Some said that disclosure of a fingerprint is not a vulnerability.
Even they considered that a fingerprint is just akin to username, rather
than password.

Recently, fingerprints are very popularly used these days in mobile banking
or healthcare industry, as an authentication schemes.
Leakage of fingerprints is regard to severe issue and thus commercial
vendors that use fingerprints are now moving to a more secured design.
Moreover, I found several issues and efforts to deal with information
leakage of fingerprints as follows.

1. In Microsoft's Windows Hello, fingerprint data is kept locally on user's
PC in an encrypted way.
(see
https://support.microsoft.com/en-au/help/4468253/windows-hello-and-privacy-microsoft-privacy
)

2. Lenovo's Fingerprint Manager Pro also stores user's fingerprints
encrypted in its local environment.
In this regard, a flaw was discovered in Lenovo Fingerprint Manager Pro
(see CVE-2017-3762).
(see
https://thenextweb.com/security/2018/01/26/lenovo-fingerprint-manager-flaw-windows/
)

3. Moreover, FireEye researchers Tao Wei and Yulong Zhang outlined new ways
to attack Android devices to extract user fingerprints at Black Hat USA
2015 (see Fingerprints On Mobile Devices: Abusing and Leaking?).
(see
https://www.zdnet.com/article/hackers-can-remotely-steal-fingerprints-from-android-phones/
)

In addition, fingerprints are usually associated with every citizen's
identity and immigration record.
It would be a hazard if the attacker can remotely harvest fingerprints in a
large scale.
It also allows the attacker to impersonate a legitimate
authentication/identification by using stolen fingerprints.
Currently, fingerprints is still working on various
authentication/identification system.

Indeed, it is quite confusing.

In short, please let me know whether disclosure of a fingerprint is a
vulnerability or not, to accomplish freedesktop's goal of securing the
usage of fingerprints to authenticate the user.

Sincerely,
Seong-Joong Kim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/fprint/attachments/20190509/3b2e4238/attachment.html>