Found storing user fingerprints without encryption

Bug #1822590 reported by Seong-Joong Kim
This bug affects 1 person
Affects            Status        Importance  Assigned to  Milestone
fprintd            Fix Released  Unknown
Debian             Confirmed     Unknown
apparmor (Ubuntu)  Won't Fix     Undecided   Unassigned
fprintd (Ubuntu)   Triaged       Low         Unassigned

Bug Description

Dear all,

I would like to report a new issue as follows.
‘fprintd’ saves fingerprint data, ISO/IEC 19794-2 formatted, to a file on the host without any encryption.
Though fprintd generates the fingerprint image with root permission to protect the file from attackers, this is not in itself sufficient.
It has been a well-known threat model for about a decade that formatted fingerprint data can be restored to the original image.
[1-4] present approaches that create sophisticated and natural-looking fingerprints only from the numerical template data format as defined in ISO/IEC 19794-2.
They also successfully evaluated these approaches against a number of undisclosed state-of-the-art algorithms and the NIST Fingerprint Image Software.

We need improvements for these issues.

[1] R. Cappelli et al., “Fingerprint Image Reconstruction from Standard Templates”, IEEE Trans. on Pattern Analysis and Machine Intelligence, vol.29, no.9, pp.1489-1503, 2007.
[2] A. Ross et al., “From template to image: Reconstructing fingerprints from minutiae points”, IEEE Trans. on Pattern Analysis and Machine Intelligence, vol.29, no.4, pp.544-560, 2007.
[3] R. Cappelli et al., “Can Fingerprints be reconstructed from ISO Templates?”, IEEE ICARCV 2006.
[4] J. Feng et al., “Fingerprint Reconstruction: From Minutiae to Phase”, IEEE Trans. on Pattern Analysis and Machine Intelligence, vol.33, no.2, pp.209-223, 2011.

Sincerely,
Seong-Joong Kim

Seong-Joong Kim (sungjungk) wrote :

As per upstream, the only way to safeguard the fingerprint data is to run with SELinux, AppArmor or another LSM enabled.
(link: https://gitlab.freedesktop.org/libfprint/fprintd/issues/16#note_141207)

Currently, Fedora and Red Hat Enterprise Linux safeguard the fingerprint data since they use SELinux by default, while Ubuntu and Debian do not.

information type: Private Security → Public Security
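
A host check for the two layers named in the comment above (file permissions and an active LSM), as an added example that is not part of the original thread or of fprintd: it parses the kernel's active LSM list and flags entries in a template store that anyone other than the owner can access. The store directory is supplied by the caller, `/sys/kernel/security/lsm` is the standard securityfs file, and the function names are hypothetical.

```python
import os
import stat

# LSMs that enforce mandatory access control (unlike e.g. capability or yama).
MAC_LSMS = {"selinux", "apparmor", "smack", "tomoyo"}


def active_mac_lsms(lsm_list):
    """Return the MAC LSMs named in the text of /sys/kernel/security/lsm."""
    return {name.strip() for name in lsm_list.split(",")} & MAC_LSMS


def exposed_entries(store_dir, owner_uid=0):
    """List (path, reason) for entries under store_dir not restricted to the owner."""
    findings = []
    paths = [store_dir]
    for root, dirs, files in os.walk(store_dir):
        paths += [os.path.join(root, n) for n in dirs + files]
    for path in paths:
        st = os.lstat(path)  # lstat: inspect a symlink itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
        elif st.st_uid != owner_uid:
            findings.append((path, "owner uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "mode %o" % stat.S_IMODE(st.st_mode)))
    return findings


def audit(store_dir, lsm_path="/sys/kernel/security/lsm"):
    """Print the state of both layers for the given template store directory."""
    try:
        with open(lsm_path) as fh:
            lsms = active_mac_lsms(fh.read())
    except OSError:
        lsms = set()
    # An active LSM protects the store only if its policy confines access to it.
    print("active MAC LSMs:", ", ".join(sorted(lsms)) or "none")
    for path, reason in exposed_entries(store_dir):
        print("exposed:", path, "(%s)" % reason)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # argument: the fingerprint store directory on this host
        audit(sys.argv[1])
```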
Sebastien Bacher (seb128) wrote :

It would probably be useful for Ubuntu to have an apparmor profile there

Changed in fprintd (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in fprintd:
status: Unknown → New
Seong-Joong Kim (sungjungk) wrote :

In Ubuntu, that would be good.

Btw, I would like to request escalating the importance.

I think that this issue can be even more important than password exposure in cleartext.

Once a fingerprint has been leaked, victims are leaked for the rest of their lives since it lasts for life.

Then, it severely affects applications beyond the package responsible for the root cause.

What do you think of it?

no longer affects: apparmor (Debian)
Seth Arnold (seth-arnold) wrote :

I'll include as a comment my reply to an email from the reporter:

Hello,

Note that the Ubuntu security team considers fingerprints to be akin to
usernames, rather than passwords. They cannot be changed, they are left on
thousands of objects daily, and repeated demonstrations of sensors being
'fooled' by artificial constructions from photographs etc basically mean
fingerprints are not worth much as authentication tokens.

In the Main Inclusion Request review for fprintd and libfprint, we
included:

    It's important to note that security team considers fingerprints to
    be akin to usernames and not passwords. Any potential issues with
    this tool will be treated with this threat model in mind.

    -- https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1745455

Under this threat model, disclosure of a fingerprint is not a
vulnerability.

Perhaps the fprintd or libfprint authors will see things differently,
but I suspect most security practitioners have decided that fingerprints
are identifiers, not authenticators.

Thanks

Changed in apparmor (Ubuntu):
status: New → Won't Fix
Seth Arnold (seth-arnold) wrote :

Incidentally, there's nothing for the AppArmor project to do here -- any confined program will include or not include the fingerprint data as specified in the profile.

Thanks

Changed in debian:
status: Unknown → Confirmed
Changed in fprintd:
status: New → Fix Released