English

Fingerprint reader storage

Tags: #<Tag:0x00007f05e61f2ca8>

Good evening, everyone,

I would like to know about fairphone 3 where the fingerprints of the person using it are stored? I know that the fingerprint module initially belongs to sony, I would have liked to know where the fingerprint is stored, and if it is sent to servers at sony or at a third party for example… Do you have any information about this?

Bonsoir à tous,

J’aurais souhaiter savoir sur le fairphone 3 où sont stocké les empreintes digital de la personne qui l’utilise ? Je sais que le module d’empreinte appartient initialement à sony, j’aurais aimé savoir où est stocké l’empreinte, et si elle est envoyé à des serveurs chez sony où chez un tiers par exemple … Avez vous des informations à ce sujet ?

I believe the question about the storage is something you should ask Fairphone, not the community.
About the cloud: Since it’s not free software and hardware probably nobody but the people who own the cloud(s) know on which clouds the data is stored. One thing that is safe to assume is that as long as you have Google on the phone Google will collect that data - believing anything else would be naive.

The Fairphone 3 sports a capacitive fingerprint scanner as can be seen on this picture (the middle loose component):

I am not sure which exact model it is.

It (that is, the hashes based on the input data of your fingerprint) should be stored in the secure element of the ARM processor. This storage is done locally, not in the cloud. If it is, that is huge a security risk and design flaw. We know it is stored locally only though because the data is not available during an Android backup migration.

Having the information could be used to, in theory, make a hostile fingerprint reader which could be used to get access to the device and/or the encrypted storage.

In practice, this attack vectors is needlessly complex, and only interesting for advanced forensics by nation states. If you are within the scope of these, there are much easier made within your attack surface ie. you are worrying about the wrong things. For example, in The Netherlands you can be forced to use your finger as authentication because it is not something you know, but it is extremely easy (anecdotal) to figure out someone’s PIN by just looking over their shoulder. You should start with creating viable entropy with your PIN, including taking into account partial/full knowledge (your birthday is not a good PIN if your adversary knows OSINT).

Furthermore, what is important with authentication such as these, is the amount of false positives. FaceID and TouchID have a certain amount of (tested) false positive rates e.g. 1 in a million (just an example). We do not yet know the false positive rate of the Fairphone 3 fingerprint reader. I will do some preliminary testing as soon as I have the device.

If you are worried about your privacy: your fingerprint itself is only used to verify the hash. You’re leaving your fingerprint everywhere you travel, and it is relatively reasonably easy to construct a fake finger(print) which can be used to authenticate.

2 Likes

Sorry, possibly it is just my complete ignorance …
But if the fingerprint-reader or any other data would be stored in a cloud, this would imply a permanent data-connection. The module then would not work, if you don’t have that kind of connection. This - to me - seems higly unlikely.
At least you should be presented an error message, if you try to safe your fingerprints, while the data connection (and WiFi of course) is turned off.
And I really doubt, that Sony, Google or whoever would be paying for this kind of data transfer. Of course you would not notice, if you have a flatrate, but that is not obligatory.

Finally, this seems to be technically a quite risky an unsound solution, as the user would be locked out, if the data connection is broken or momentarily unavailable (just think of conference rooms in the cellar of a building with heavy concrete walls).

And the fingerprint scanner on my notebook is working regardless from a network connection as well.

3 Likes

This might help understanding where we fingerprint is stored, it’s secure on the device.

https://source.android.com/security/trusty

Also here https://stackoverflow.com/questions/41632225/android-where-and-how-securely-is-fingerprint-information-stored-in-a-device

4 Likes

Not really. Software could store data in the cloud and keep a copy locally as well. What works like this (by default), is Google Drive/Nextcloud/OneDrive/… What does not work like this, is all the blackbox of Google Home and its ilk (FAAMG each have their own name/version which I don’t all remember…)

Not *necessarily the same technology.

See e.g. https://en.wikipedia.org/wiki/Electronic_fingerprint_recognition

I’ve seen laptops with optical. USB sticks too.

(Didn’t read all your post TBH, in a bit of a hurry.)

1 Like

This post was flagged by the community and is temporarily hidden.