oss-sec mailing list archives
Re: Re: fprintd: found storing user fingerprints without encryption
From: Roman Drahtmueller <draht () schaltsekun de>
Date: Wed, 8 May 2019 11:19:29 +0200 (CEST)
> Dear all,
>
> I would like to report a vulnerability of 'fprintd'.
> 'fprintd' does not encrypt sensitive information before storage.
>
> *CWE-311: Missing Encryption of Sensitive Data*

[...]

This misses the point.

* Encryption shifts the problem to protecting the symmetric key, which is the very same problem.
  => Encryption solves other problems, but not this one.
* If you have sufficient privileges to access the fingerprint data, then you no longer need the data.
* You can't "safeguard" the fingerprint data by applying additional O/S controls such as SELinux, AppArmor, etc., you can only add more useful privilege transitions and protect against attacks that exploit implementation errors.

Google "store fingerprint data ios android", there are suitable solutions.

Mostly: Your fingerprint is not a secret like a password, it is a username. Since you can't change the fingerprint (biometrics problem), it is not very useful as a single authentication factor. Either you live with this, or you combine the fingerprint with a different authentication factor type.

Roman.