还敢使用指纹吗？HTC手机对于指纹数据不加密！-传感技术-与非网
过去几年苹果和安卓手机厂商都在努力推进指纹识别技术。一般来说，指纹技术相对于普通的密码更安全。但是根据FireEye最新的调查数据显示，很多安卓手机厂商对于指纹数据的保护几乎形同虚设，你可以把手机插到电脑上直接在相关的目录下就能够找到用户指纹的原始数据。
对于经常使用指纹来做支付认证的安卓手机用户来说，这真不是一个好消息。事实上ARM提供了TrustZone技术来对指纹数据进行保护，但是很多手机厂商并没有使用这一技术，例如HTC生产的HTC One MAX，指纹数据居然被存为/data/bdgraw.bmp，而且该文件的属性为全局可读，任何进程或应用都可以通过读取该文件来盗取用户的指纹数据。
For the past few years, both Apple and the various Android manufacturers have been pushing the idea of fingerprint readers, typically on the dubious grounds that biometric security is a better choice compared to a good passcode. New research from the security firm FireEye seems to blow that claim wide open, however. According to FireEye, multiple Android manufacturers protect your fingerprint so poorly, it can be read by plugging the phone into a computer and knowing which folder to access.
This is deeply problematic, considering that fingerprint readers are often used as the basis of payment authorization as well, but the FireEye report shines a critical eye on just how lightly most Android OEMs take device security. In theory, the fingerprints stored on an Android device are at least as secure as the kernel, with ARM&s TrustZone technology offering an additional layer of isolation and protection. In the real world, however, OEMs aren&t using this capability. FireEye&s report states:
One example is the HTC One Max & the fingerprint is saved as /data/dbgraw.bmp with 0666 world permission (world readable). Any unprivileged processes or apps can steal the user&s fingerprints by reading this file. Other vendors store fingerprints in TrustZone or Secure Enclave, but there are still known vulnerabilities for attackers to leverage& To make the situation even worse, each time the [HTC] fingerprint sensor is used for auth operation, the auth framework will refresh that fingerprint bitmap to reflect the latest wiped finger. So the attacker can sit in the background and collect the fingerprint image of every swipe of the victim.
HTC takes the cake for absolute worst exposure of critical security issues, but vendors like Samsung aren&t exactly doing a bang-up job, either: FireEye also reports that the fingerprint sensor is itself vulnerable to attacks. ARM&s TrustZone offers the ability to isolate peripherals, but no vendors currently take advantage of it. The image below shows how the system should work (at top) with TrustZone functioning properly, versus how it&s actually programmed in today&s real-world devices. Because normal applications can query the sensor, they can also be used to take background readings every time someone touches it, record their fingerprint data, and relay it to third parties or hacking outfits.
While only HTC was found to be blatantly storing user data where literally anyone could reach it, the fact that the fingerprint sensor could be accessed or hacked via already-known exploits in the Android kernel means that the biometric authorization schemes in the vast majority of phones aren&t secure & and that&s before we consider Android&s terrible security model that leaves users with no means of installing or updating their devices with critical security fixes if Samsung or other manufacturers don&t push them out in the first place. Several OEMs have recently pledged to change these practices, but it&s too soon to judge if they actually will.
Fingerprint sensors aren&t secure, and neither is much else
If you&re depending solely on a fingerprint scanner to secure your device, you really ought to rethink that strategy, even if you don&t have an Android phone. Courts have ruled that while the police can&t force you to disclose a passcode, they can fingerprint you without consent & and that means your device can be unlocked whether you agree to it or not. Ideally, users could use both a security code and fingerprint to keep a device locked, but I&m not sure which modern smartphones, if any, offer this option.
What&s even more troubling, however, is the cavalier way the Android OEMs have approached the topic. It&s not hard to see why Samsung&s security model is flawed and HTC&s is completely broken & it costs nothing to claim to care about user security online, while actually implementing security procedures is a time-consuming and expensive process. Most people don&t buy phones based on how secure they are, and even the handful of buyers who prioritize the feature aren&t usually equipped to objectively evaluate whether or not a product lives up to its expectations.
Over the past few months, I&ve repeatedly referred to the hypocritical way that corporations and the government tell users to respect privacy, while simultaneously encouraging users not to care. It would be impossible to tell if HTC suffered any negative impacts from this news, given the terrible shape that the company is in right now, but manufacturers like Samsung have suffered no serious problems. Samsung has lied about the encryption on its televisions, left an estimated 600 million of its customers vulnerable to hacking thanks to a broken keyboard application, and smashed Microsoft&s Windows security model by shipping systems with Windows Update disabled. Why? Because it couldn&t be bothered to configure the update policy on one specific component.
Everything Samsung has done this year pales in comparison to Lenovo, whose Superfish debacle was one of the worst security flaws since Sony thought installing rootkits was a good idea. I didn&t think we&d see Lenovo feat topped anytime soon & until Chrysler managed to ship a jeep so fundamentally broken, it could be used to cripple vehicles and potentially kill people.
Given the state of the software currently used to connect our devices, don&t depend on any single metric, whether it&s a passcode or a fingerprint device. Problems like this will persist until companies learn that effective security is critical to establishing trust in the long run, even if it isn&t a sexy point you can drop on a marketing slide.
关注与非网微信 ( ee_focus )
限量版产业观察、行业动态、技术大餐每日推荐
享受快时代的精品慢阅读
企业与社会如何加强对于科技从业人员工作状态与身体状况的监控与调节？科技从业人员如何把握工作与生活的平衡？对于“用力工作十五年，然后退休或转型”这种理念，您的看法是怎样的？ 欢迎参与与非网本期微话题讨论，这个议题与我们每个人息息相关。
旗下网站：
与非门科技(北京)有限公司 All Rights Reserved.
京ICP证:070212号
北京市公安局备案编号： 京ICP备：号扫描二维码下载
热门城市：
正在加载...
免费服务热线：
点我免费通话哦！
价格：<strong class="nowPrice" ppid="2.00
云南省昆明市&&& 13:15:55男人就该Man 发布咨询： 826提示相机更新，但更新以后就无法使用，一打开就自动关闭，该怎么办？？？
回复：亲，建议您到门店让工作人员帮您处理，给您带来的不便，尽请谅解。 感谢您的关注，祝您生活愉快！
回复人:梁子菜
更多咨询：
回复：亲，普惠快信分期进店办理大概一个小时即可带走爱机，办理时间视门店情况而定，具体可以到门店咨询工作人员。 感谢您的关注，祝您生活愉快！
逍遥追妹：
回复：亲，626没有库存，但是接受预定，能正常到货的，您可以在线预订或电话订购，到货时间以网站显示为准，详情您可致电400-008-3939或在线咨询 QQ：。 感谢您的关注，祝您生活愉快！
手机用户：
回复：亲，分期付款又叫分期还款，分期是钱由银行一次性帮您付清，您在分期还给银行，具体分多少期，每个月付多少都是根据您自己的选择，不同的分期收取的利息也是不同的，详情您可致电400-008-3939或在线咨询QQ：。 感谢您的关注，祝您生活愉快！
wanying711：
回复：亲，这两款机器的配置是一样的，主要是网络支持不同，D820u为双4G版，支持移动、联通4G/3G/2G网络；D820t为移动4G版，支持移动4G/3G/2G网络。 感谢您的关注，祝您生活愉快！
188****455：
回复：亲， Desire 826有货的，您可致电400-008-3939或在线咨询 QQ：进行购买。 感谢您的关注，预祝您购机愉快！(^_^)
150****709：
回复：亲， Desire 826W机身是塑料的，建议您佩带保护壳使用。 感谢您的关注，祝您生活愉快！
回复：亲，非常抱歉，给您带来了困扰， Desire 826（D826w）的主屏材质为Super LCD3 ，您可以放心购买使用， 感谢您的关注，祝您生活愉快！
抓狂啊啊啊：
回复：亲，非常抱歉， Desire 826W 双4G版不支持电信网络哦，我网有多款支持电信网络的供您选购，详情点击。 感谢您的关注，祝您生活愉快！
ZGM520YRY：
回复：亲， Desire 826W 双4G版 有货的，曲靖店暂时没货，我们可以为您调货，您可以在线预订或电话订购，曲靖地区16:00前完成下单，预计明日(3月9日)11:00送达。 详情您可致电400-008-3939或在线咨询 QQ：。感谢您的关注，祝您生活愉快！
手机用户：
回复：亲，小菜园最近的店是佰腾总店，佰腾总店地址：昆明市圆通北路127号云大晟苑5楼
销售热线：9 工作时间：周一至周日:9:00-21:30 感谢您的关注，祝您生活愉快！
下次自动登陆
使用合作网站账号登录：
还没有账号？
微信扫一扫二维码登录
各门店营业时间：周一至周日 09:00-21:30 &&&& 全国服务热线：400-008-3939 &&&& 工作时间：周一至周日 09:00-21:30
网站ICP备案号： &&&& 电信业务经营许可证：滇B2-号 &&&& 云南网警ICP备案 52 &&&&
Copyright (C) 2006 - 2015 三九手机网，All Rights Reserved
还没有登录，登录后商品将被保存
件商品共计：￥0htc m8的手机储存加密怎么关闭手贱开启了这个服务，每次开机都要输入这个密码还说有30次尝试的机_百度知道
htc m8的手机储存加密怎么关闭手贱开启了这个服务，每次开机都要输入这个密码还说有30次尝试的机
htc m8的手机储存加密怎么关闭手贱开启了这个服务，每次开机都要输入这个密码还说有30次尝试的机会不然清除所有数据，我知道密码，但是想取消这个服务。
出厂设置，要不试试roon 我建议吧所有东西拷贝到电脑里
其他类似问题
为您推荐：
等待您来回答
下载知道APP
随时随地咨询
出门在外也不愁我的手机是htc t528t ，经过root后wifi一打开就不断的在反复的开关开关，room过后也是如此？_百度知道
我的手机是htc t528t ，经过root后wifi一打开就不断的在反复的开关开关，room过后也是如此？
请问是硬件的问题还是系统的问题导致这样的状况呢？请高手们给我支招啊，谢谢~~~要知道没wifi用流量就是去得快啊，要崩溃了
提问者采纳
先试试刷回原厂的rom，机锋论坛上应该有下载的。有可能是你的rom不对，可能是测试版的，不稳定，有漏洞。 另外一个可能（只是可能）是你的基带刷错了，基带相当于驱动，机锋上也有教程。
怎么个刷基带发，不懂怎么找，谢谢你了
多在论坛里学学，欲速则不达。。
提问者评价
其他类似问题
为您推荐：
wifi的相关知识
其他2条回答
你把基带刷一下就行，或者去用刷机精灵刷一下版本
刷基带就是刷room么？
不是啊 你单下个基带去刷就好。不过你要是嫌麻烦就去刷机精灵里面找个版面下载后一键刷就好
去专业的地方刷机。。不然刷不来就报废了。。
等待您来回答
下载知道APP
随时随地咨询
出门在外也不愁