Fingerprints on Mobile Devices: Abusing and Leaking

Presented at Black Hat USA 2015, Aug. 6, 2015, 12:10 p.m. (50 minutes)

Unlike passwords, fingerprints last a lifetime and are usually associated with critical identities. Thus, the leakage of fingerprints is irredeemable. It will be even a disaster if the attackers can remotely harvest fingerprints in a large scale.

In this talk, we will reveal some severe issues with the current Android fingerprint frameworks that have long been neglected by vendors and users. We will provide in-depth security analysis of the popular mobile fingerprint authentication/authorization frameworks, and discuss the security problems of existing designs, including (1) the confused authorization attack that enables malware to bypass pay authorizations protected by fingerprints, (2) TrustZone design flaws and fingerprint sensor spying attack to harvest fingerprints, (3) pre-embedded fingerprint backdoors, etc. We will show live demos, such as hijacking mobile payment protected by fingerprints, and collecting fingerprints from popular mobile devices. We will also provide suggestions for vendors and users to better secure the fingerprints.

Presenters:

• Tao Wei - FireEye Inc
  Tao Wei is a senior staff research scientist at FireEye Inc. Prior to joining FireEye, he was an associate professor at Peking University and a visiting project scientist at UC Berkeley. His research interests include software analysis and system protection, web trust and privacy, programing languages, and mobile security. He led his team to publish the first 4 papers from China at IEEE S&P (Oakland), the top-tier academic security conference. He also led the team to win the special recognition award of the Bluehat prize contest 2012 by proposing a high-performance software hardening approach. Now he leads the mobile security research team at FireEye to discover mobile vulnerabilities, identify malwares, and prevent privacy leakage.
• Yulong Zhang - FireEye
  Yulong Zhang is currently working at FireEye conducting the research and development of the next generation methodologies to analyze advanced mobile malware, and to design security products to detect and defend mobile threats.

Links:

• https://www.blackhat.com/us-15/briefings.html#fingerprints-on-mobile-devices-abusing-and-leaking
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - Fingerprints On Mobile Devices Abusing And Leaking.srt (subtitles)
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - Fingerprints On Mobile Devices Abusing And Leaking.mp4
• https://www.youtube.com/watch?v=7NkojB9gLXM
• https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking.pdf
• https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf

Similar Presentations:

• Black Hat Europe 2020 Virtual / Fingerprint-Jacking: Practical Fingerprint Authorization Hijacking in Android Apps
• Black Hat USA 2016 / AVLeak: Fingerprinting Antivirus Emulators for Advanced Malware Evasion
• BSidesSF 2014 / Using system fingerprints to track attackers