CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Fingerprint-Exposing Flaw in OnePlus 7 Phone Highlights TEE Issues

OnePlus 7 Pro Vulnerability Highlights Trusted Execution Environment Issues 

OnePlus 7 Pro Vulnerability Highlights Trusted Execution Environment Issues 

OnePlus 7 Pro devices made by China-based smartphone manufacturer OnePlus Technology were affected by a vulnerability that could have been exploited to obtain users’ fingerprints. While the vulnerability is not easy to exploit, researchers warn that it could highlight a larger issue.

The flaw, discovered in July 2019 by a team of researchers from the Synopsys Cybersecurity Research Center in London, was patched by the vendor in January 2020 with a firmware update.

Synopsys will release technical details at a later date, but a brief advisory made public on Tuesday reveals that the vulnerability could have been exploited by a malicious Android application with root privileges on the targeted OnePlus 7 Pro phone to obtain bitmap fingerprint images from the device’s trusted execution environment (TEE), an area designed to keep sensitive data and code isolated and protected against unauthorized access.

“Upon obtaining root privileges in the REE [Rich Execution Environment], it becomes possible to directly communicate with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. This attacker invokes a sequence of commands to obtain raw fingerprint images in the REE,” Synopsys said in its advisory.OnePlus 7 Pro vulnerability exposed user fingerprints

Synopsys told SecurityWeek that an attacker could have exploited the vulnerability to recreate a user’s full fingerprint, and then use it to make a fake fingerprint that would allow them to access the target’s other devices that rely on biometric authentication.

“Of course, people’s fingerprints don’t usually change. As attackers become successful in retrieving and building large datasets of people’s fingerprints, the usefulness of naïve fingerprint recognition in any application as a security control is permanently diminished,” explained Travis Biehn, principal consultant at Synopsys. “A further possible consequence is that fingerprints become less trustworthy as evidence in our justice systems.”

It’s worth pointing out that the vulnerability is complex and difficult to exploit — it has become increasingly difficult for malware to gain root privileges on Android devices — and a patch has already been available for several months, which means most users are likely protected by now.

However, Synopsys says the vulnerability highlights an issue with trusted execution environments and trusted applications.

Advertisement. Scroll to continue reading.

“Most importantly to us, this vulnerability shows that there’s clear challenges with Trusted Execution Environments (TEEs) and Trusted Applications (TAs); these are software components that are opaque to most (by design), expertise is limited, and typically involve long supply chains. These factors together mean there’s many opportunities for organizations to make a mistake, and hard for security experts to catch at the right time,” Biehn said.

It’s unclear in the case of the OnePlus 7 Pro if the vulnerability existed in OnePlus code or third-party code. If the latter is true, other Android devices could be affected by similar flaws.

“The boundary between device vendor code and code coming from their supply chain is blurry. Even within the boundaries of a single company different components can be made by different teams and provided for consumption as SDKs (Software Development Kits) or customizable libraries. This particular bug may have been missed by the library developer, which could be internal or external to OnePlus, or it could have been a build time misconfiguration,” Georgi Boiko, senior security consultant at Synopsys, told SecurityWeek.

Biehn says other device manufacturers should analyze their products to see if they are impacted by similar flaws.

“We hope that this disclosure serves as a wakeup call to the industry to address this category of risk with vendors who provide reference implementations and the internal teams responsible for customization and integration of that code,” he noted.

Related: Vulnerability Has Been Lurking in Avaya Phones for 10 Years

Related: Vulnerability in Network Provisioning Affects Majority of All Android Phones

Related: Security Firm Discloses Details of Amazon Fire Phone Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.