Skip to content
GitLab
Projects Groups Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
  • F fprintd
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 17
    • Issues 17
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 9
    • Merge requests 9
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Container Registry
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • libfprint
  • fprintd
  • Issues
  • #16
Closed
Open
Issue created Mar 06, 2019 by Seong-Joong Kim@sungjungkContributor

libfprint found storing user fingerprints as image files

I would like to take this issue.
I just reopened in fprintd issue (see libfprint#154 (closed)).

Currently, libfprint saves a fingerprint image (FP1 or 2?) to a file on the host without any encryption. Once fingerprint has been leaked, victims are leaked for the rest of life since it lasts for a life. It is necessary to prepare for the problem.

Especially, when I use fp_print_data_save() for enroll my fingerprints, the image is saved in user’s home directory without any protection scheme. Though fprintd generates fingerprint image with root permission for protecting the file from attackers, it is not of itself sufficient. FYI, similar issues on Android have been reported and cryptographic operations are introduced to encrypt fingerprint (see [1-2]).

[1] https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
[2] https://www.zdnet.com/article/hackers-can-remotely-steal-fingerprints-from-android-phones/

Edited Mar 08, 2019 by Seong-Joong Kim
Assignee
Assign to
Time tracking