Fingerprint-Exposing Flaw in OnePlus 7 Phone Highlights TEE Issues

OnePlus 7 Pro Vulnerability Highlights Trusted Execution Environment Issues 

OnePlus 7 Pro devices made by China-based smartphone manufacturer OnePlus Technology were affected by a vulnerability that could have been exploited to obtain users’ fingerprints. While the vulnerability is not easy to exploit, researchers warn that it could highlight a larger issue.

The flaw, discovered in July 2019 by a team of researchers from the Synopsys Cybersecurity Research Center in London, was patched by the vendor in January 2020 with a firmware update.

Synopsys will release technical details at a later date, but a brief advisory made public on Tuesday reveals that the vulnerability could have been exploited by a malicious Android application with root privileges on the targeted OnePlus 7 Pro phone to obtain bitmap fingerprint images from the device’s trusted execution environment (TEE), an area designed to keep sensitive data and code isolated and protected against unauthorized access.

“Upon obtaining root privileges in the REE [Rich Execution Environment], it becomes possible to directly communicate with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. This attacker invokes a sequence of commands to obtain raw fingerprint images in the REE,” Synopsys said in its advisory.

Synopsys told SecurityWeek that an attacker could have exploited the vulnerability to recreate a user’s full fingerprint, and then use it to make a fake fingerprint that would allow them to access the target’s other devices that rely on biometric authentication.

“Of course, people’s fingerprints don’t usually change. As attackers become successful in retrieving and building large datasets of people’s fingerprints, the usefulness of naïve fingerprint recognition in any application as a security control is permanently diminished,” explained Travis Biehn, principal consultant at Synopsys. “A further possible consequence is that fingerprints become less trustworthy as evidence in our justice systems.”

It’s worth pointing out that the vulnerability is complex and difficult to exploit — it has become increasingly difficult for malware to gain root privileges on Android devices — and a patch has already been available for several months, which means most users are likely protected by now.

However, Synopsys says the vulnerability highlights an issue with trusted execution environments and trusted applications.

“Most importantly to us, this vulnerability shows that there’s clear challenges with Trusted Execution Environments (TEEs) and Trusted Applications (TAs); these are software components that are opaque to most (by design), expertise is limited, and typically involve long supply chains. These factors together mean there’s many opportunities for organizations to make a mistake, and hard for security experts to catch at the right time,” Biehn said.

It’s unclear in the case of the OnePlus 7 Pro if the vulnerability existed in OnePlus code or third-party code. If the latter is true, other Android devices could be affected by similar flaws.

“The boundary between device vendor code and code coming from their supply chain is blurry. Even within the boundaries of a single company different components can be made by different teams and provided for consumption as SDKs (Software Development Kits) or customizable libraries. This particular bug may have been missed by the library developer, which could be internal or external to OnePlus, or it could have been a build time misconfiguration,” Georgi Boiko, senior security consultant at Synopsys, told SecurityWeek.
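The class of control at issue, a trusted application refusing its factory-test commands once a device has shipped, can be sketched as follows. This is an added example, not OnePlus, Synopsys or vendor code: the command IDs, lifecycle states, result codes and function names are all hypothetical, and `lifecycle` stands for a state the TA would read inside the TEE rather than accept from the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command IDs, lifecycle states and result codes (constructed). */
enum { CMD_AUTHENTICATE = 0x01, CMD_FT_CAPTURE_RAW = 0x80 };
enum { LC_FACTORY = 0, LC_PRODUCTION = 1 };
enum { TA_ERR_BAD_CMD = -1, TA_ERR_DENIED = -2 };

/* Constructed stand-ins: a sensor frame inside the TEE, a buffer shared with the REE. */
static const uint8_t secure_frame[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
static uint8_t ree_buf[8];

/* Command handlers; returns bytes copied out to the REE, or a negative error. */
static int run_cmd(uint32_t cmd, uint8_t *out, size_t out_len)
{
    switch (cmd) {
    case CMD_AUTHENTICATE:            /* match decision only, no image data */
        return 0;
    case CMD_FT_CAPTURE_RAW:          /* factory test: raw bitmap leaves the TEE */
        if (out == NULL || out_len < sizeof secure_frame)
            return TA_ERR_BAD_CMD;
        memcpy(out, secure_frame, sizeof secure_frame);
        return (int)sizeof secure_frame;
    default:
        return TA_ERR_BAD_CMD;
    }
}

/* Weak: factory-test commands stay reachable after the device ships. */
int ta_invoke_weak(int lifecycle, uint32_t cmd, uint8_t *out, size_t out_len)
{
    (void)lifecycle;                  /* device state is never consulted */
    return run_cmd(cmd, out, out_len);
}

/* Hardened: the factory range (0x80 and up) is refused outside factory state. */
int ta_invoke_hardened(int lifecycle, uint32_t cmd, uint8_t *out, size_t out_len)
{
    if (cmd >= 0x80 && lifecycle != LC_FACTORY)
        return TA_ERR_DENIED;
    return run_cmd(cmd, out, out_len);
}

int main(void)
{
    printf("weak, production:     %d\n", ta_invoke_weak(LC_PRODUCTION, CMD_FT_CAPTURE_RAW, ree_buf, sizeof ree_buf));
    printf("hardened, production: %d\n", ta_invoke_hardened(LC_PRODUCTION, CMD_FT_CAPTURE_RAW, ree_buf, sizeof ree_buf));
    return 0;
}
```

Compiling the factory handlers out of production builds removes the range entirely; the runtime check covers the case where that build setting is missed.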

Biehn says other device manufacturers should analyze their products to see if they are impacted by similar flaws.

“We hope that this disclosure serves as a wakeup call to the industry to address this category of risk with vendors who provide reference implementations and the internal teams responsible for customization and integration of that code,” he noted.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
