HTC left unsecured fingerprint data on the One Max


The HTC One Max was one of the first modern Android smartphones to feature a fingerprint sensor, but it appears HTC didn’t take security of those fingerprints very seriously, and stored some data related to them unencrypted on the device. This means if it fell into the hands of a talented hacker, a copy of your fingerprint could be easily created.

Evidence was presented by a team of experts from security company FireEye Labs at the Black Hat conference in Las Vegas recently, where the authentication and authorization systems used for mobile phone fingerprint analysis were examined. The team wanted to highlight the need for strong security measures to keep fingerprint data safe, because unlike a traditional password, once a fingerprint has been stolen, it’s out there forever and cannot be changed.

HTC was alerted to the flaw prior to the conference, and sent out an update to fix it before the findings were presented, so if you own a One Max and regularly use the fingerprint sensor, don’t worry, it’s secure now. FireEye Labs also identified other security problems with sensors, which affected phones other than the One Max (the Samsung Galaxy S5 is mentioned specifically), and these problems have also been patched by their respective manufacturers.

Fingerprint sensors as a way to secure our mobile devices and authorize mobile payments are becoming more common, particularly as new systems such as Samsung Pay and Android Pay emerge. FireEye Labs says owners can help protect themselves by choosing smartphones with up-to-date software, applying new updates when they arrive, and using apps from reliable, known sources. It also urges manufacturers to improve security around sensors and the data collected.

The news comes shortly after Android was affected by the Stagefright bug, which threatened to disable smartphones with a simple message. The seriousness of the alert prompted companies to not only rapidly send out a software fix, but also to promise regular security updates for devices in the future.