Security Experts:

Fingerprint-Exposing Flaw in OnePlus 7 Phone Highlights TEE Issues

OnePlus 7 Pro Vulnerability Highlights Trusted Execution Environment Issues 

OnePlus 7 Pro devices made by China-based smartphone manufacturer OnePlus Technology were affected by a vulnerability that could have been exploited to obtain users’ fingerprints. While the vulnerability is not easy to exploit, researchers warn that it could highlight a larger issue.

The flaw, discovered in July 2019 by a team of researchers from the Synopsys Cybersecurity Research Center in London, was patched by the vendor in January 2020 with a firmware update.

Synopsys will release technical details at a later date, but a brief advisory made public on Tuesday reveals that the vulnerability could have been exploited by a malicious Android application with root privileges on the targeted OnePlus 7 Pro phone to obtain bitmap fingerprint images from the device’s trusted execution environment (TEE), an area designed to keep sensitive data and code isolated and protected against unauthorized access.

“Upon obtaining root privileges in the REE [Rich Execution Environment], it becomes possible to directly communicate with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. This attacker invokes a sequence of commands to obtain raw fingerprint images in the REE,” Synopsys said in its advisory.OnePlus 7 Pro vulnerability exposed user fingerprints

Synopsys told SecurityWeek that an attacker could have exploited the vulnerability to recreate a user’s full fingerprint, and then use it to make a fake fingerprint that would allow them to access the target’s other devices that rely on biometric authentication.

“Of course, people’s fingerprints don’t usually change. As attackers become successful in retrieving and building large datasets of people’s fingerprints, the usefulness of naïve fingerprint recognition in any application as a security control is permanently diminished,” explained Travis Biehn, principal consultant at Synopsys. “A further possible consequence is that fingerprints become less trustworthy as evidence in our justice systems.”

It’s worth pointing out that the vulnerability is complex and difficult to exploit — it has become increasingly difficult for malware to gain root privileges on Android devices — and a patch has already been available for several months, which means most users are likely protected by now.

However, Synopsys says the vulnerability highlights an issue with trusted execution environments and trusted applications.

“Most importantly to us, this vulnerability shows that there's clear challenges with Trusted Execution Environments (TEEs) and Trusted Applications (TAs); these are software components that are opaque to most (by design), expertise is limited, and typically involve long supply chains. These factors together mean there's many opportunities for organizations to make a mistake, and hard for security experts to catch at the right time,” Biehn said.

It’s unclear in the case of the OnePlus 7 Pro if the vulnerability existed in OnePlus code or third-party code. If the latter is true, other Android devices could be affected by similar flaws.

“The boundary between device vendor code and code coming from their supply chain is blurry. Even within the boundaries of a single company different components can be made by different teams and provided for consumption as SDKs (Software Development Kits) or customizable libraries. This particular bug may have been missed by the library developer, which could be internal or external to OnePlus, or it could have been a build time misconfiguration,” Georgi Boiko, senior security consultant at Synopsys, told SecurityWeek.

Biehn says other device manufacturers should analyze their products to see if they are impacted by similar flaws.

“We hope that this disclosure serves as a wakeup call to the industry to address this category of risk with vendors who provide reference implementations and the internal teams responsible for customization and integration of that code,” he noted.

Related: Vulnerability Has Been Lurking in Avaya Phones for 10 Years

Related: Vulnerability in Network Provisioning Affects Majority of All Android Phones

Related: Security Firm Discloses Details of Amazon Fire Phone Vulnerabilities

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.