Hi, I wonder whether disclosure of a fingerprint is a vulnerability or not.

Recently, I posted an issue about 'disclosure of a fingerprint' to several communities, such as upstream, various Linux distributions, and oss-security.

- @Upstream: https://gitlab.freedesktop.org/libfprint/fprintd/issues/16
- @Ubuntu: https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1822590
- @Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1693357
- @Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926749
- @openSUSE: https://build.opensuse.org/request/show/701312
- @oss-security: https://www.openwall.com/lists/oss-security/2019/04/23/3

Some said that disclosure of a fingerprint is not a vulnerability. They even considered that a fingerprint is just akin to a username, rather than a password.

Fingerprints are very popularly used these days in mobile banking or the healthcare industry as an authentication scheme. Leakage of fingerprints is regarded as a severe issue, and thus commercial vendors that use fingerprints are now moving to a more secure design.

Moreover, I found several issues and efforts to deal with information leakage of fingerprints, as follows.

1. In Microsoft's Windows Hello, fingerprint data is kept locally on the user's PC in an encrypted way. (see https://support.microsoft.com/en-au/help/4468253/windows-hello-and-privacy-microsoft-privacy )
2. Lenovo's Fingerprint Manager Pro also stores the user's fingerprints encrypted in its local environment. In this regard, a flaw was discovered in Lenovo Fingerprint Manager Pro (see CVE-2017-3762). (see https://thenextweb.com/security/2018/01/26/lenovo-fingerprint-manager-flaw-windows/ )
3. Moreover, FireEye researchers Tao Wei and Yulong Zhang outlined new ways to attack Android devices to extract user fingerprints at Black Hat USA 2015 (see Fingerprints On Mobile Devices: Abusing and Leaking?). (see https://www.zdnet.com/article/hackers-can-remotely-steal-fingerprints-from-android-phones/ )

In addition, fingerprints are usually associated with every citizen's identity and immigration record. It would be a hazard if the attacker can remotely harvest fingerprints on a large scale. It also allows the attacker to impersonate a legitimate authentication/identification by using stolen fingerprints. Currently, fingerprints are still working in various authentication/identification systems. Indeed, it is quite confusing.

In short, please let me know whether disclosure of a fingerprint is a vulnerability or not, to accomplish freedesktop's goal of securing the usage of fingerprints to authenticate the user.

Sincerely,
Seong-Joong Kim
