Fingerprints On Mobile Devices: Abusing And Leaking
Tao Wei and Yulong Zhang
More And More Mobile Vendors Equip Fingerprint Scanners
[Vendor logos: Saygus, Apple, Samsung, HTC, Huawei]
50% of smartphone shipments will have a fingerprint sensor by 2019 -- Research Capsule
Functionalities Associated with Fingerprints
◆ Authentication
  ➢ System screen unlock
  ➢ Authentications in FIDO Alliance services
◆ Authorization
  ➢ iTunes/App Store pay
  ➢ Apple Pay
  ➢ Transaction authentication using FIDO
Risks: Leaking Fingerprint Is A Disaster
Password leaked? Fine, you can easily replace it with a new one.
Risks: Leaking Fingerprint Is A Disaster
◆ Fingerprint leaked? Well, it is leaked for the rest of your life.
◆ Moreover, it is associated with your identity record, criminal history, immigration history, banking credentials, etc.
Sources: http://www.cnn.com/2010/WORLD/europe/07/05/first.biometric.atm.europe/ and https://en.wikipedia.org/wiki/Office_of_Biometric_Identity_Management
It would be even worse if the attacker could remotely harvest fingerprints at large scale.
Image from: https://s-media-cache-ak0.pinimg.com/736x/9f/64/55/9f64556ec24b6c9639b649f6e4a9b2c5.jpg
Existing Optical Attacks
◆ Fingerprints can be stolen from their owner once the person has touched any object with a polished surface, like glass or a smartphone screen.
◆ Fingerprints can even be extracted from a photo of a waving hand.
◆ Attackers can then spoof the fingerprints using electrically conductive materials.
Figures from C. Shoude et al., Fingerprint Spoof Detection By NIR Optical Analysis, July 2011.
System Attacks against Fingerprints?!
❖ This talk will rather focus on:
  ➢ Confused Authorization Attack
  ➢ Unsecure Fingerprint Data Storage
  ➢ Fingerprint Sensor Spying Attack
  ➢ Backdoor of Pre-embedding Fingerprints
To our knowledge, we are the first to discuss system attacks against fingerprint authentication frameworks.
Outline
❖ Design of Android Fingerprint Frameworks
  ➢ Fingerprint Recognition
  ➢ Mobile Fingerprint Frameworks
❖ System Attacks against Fingerprints
  ➢ Confused Authorization Attack
  ➢ Unsecure Fingerprint Data Storage
  ➢ Fingerprint Sensor Spying Attack
  ➢ Backdoor of Pre-embedding Fingerprints
❖ Discussion
Fingerprint Minutiae Extraction
[Figure: Grayscale Image → Phase Image → Skeleton Image → Minutiae]
Figures from J. Feng and A. Jain, Fingerprint Reconstruction: From Minutiae to Phase, IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 33, No. 2, February 2011
Fingerprint Minutiae Matching
Fingerprint Framework without TrustZone
[Diagram: User Space: App → FingerprintService (Java) → Native Fingerprint Libraries (Native); Kernel Space: Fingerprint Sensor Driver; Hardware; plus an Encrypted Fingerprint (Feature) DB]
Threat: Rooting Attacks
[Same diagram as the framework without TrustZone]
Attackers can steal your fingerprints either from memory or from storage!
How to Defend against Rooting Attacks? TrustZone
◆ Separate the system into the Normal World and the Secure World
◆ Contain potential compromises in the Normal World
[Diagram: the Normal World (User Mode, Kernel Mode, Normal Memory) and the TrustZone Secure World (User Mode, Kernel Mode, Secure Memory) are physically isolated; the Monitor switches between them via SMC, and data is exchanged through World Shared Memory (WSM)]
Fingerprint Framework with TrustZone
[Diagram: User Space: App → Intermediate Service → FingerprintService (Java) → Native Fingerprint Libraries → TrustZone Daemon (Native); Kernel Space: TrustZone Driver; Secure World: Monitor, TrustZone Microkernel, Fingerprint Trustlet, SPI Driver; Hardware; plus a Fingerprint (Feature) DB]
Rooting Attackers Cannot Access Fingerprints in TrustZone
[Same diagram as the framework with TrustZone; the rooting attacker is stopped at the TrustZone boundary: "Oops…"]
Fingerprint Authorization Framework with TrustZone
[Diagram: User Space: App → FingerprintService → TrustZone Daemon; Kernel Space: TrustZone Driver; Secure World: Monitor, TrustZone Microkernel, Fingerprint Trustlet, SPI Driver; Hardware; plus an Encrypted Fingerprint (Feature) DB and a Secure Key Store]
We Are Secure! Let's Ally: FIDO Alliance
Samsung Galaxy S5 (octa-core) Fingerprint Framework
[Stack diagram:]
➢ Money Transaction Service
➢ Auth Protocol Implementation
➢ Phone Framework
➢ Fingerprint Sensor
➢ TrustZone Isolation of Exynos 5
Confused Authorization Attack
Authentication
◆ Who you are (Passport)
Authorization
◆ What you can do (Visa)
Figures from Wikipedia
Authenticating
Figures from fcssllc.com
Authorizing
Figures from dailytech.com
Authorizing: Context!
Figures from dailytech.com
To Swipe or Not To Swipe, without A Context?
Figures from dailytech.com
What are your fingerprints?
[Figure: two images separated by "OR"]
Confused Authorization Attack
Demo!
Confused Authorization Attack
◆ Do you ever have second thoughts when you swipe to unlock the device?
It can enable a background attacker to steal money from your mobile payment account!!!
Confused Authorization Attack
◆ Questions
  ➢ How can I verify what is happening behind the finger swipe? You can't tell…
  ➢ What is the difference between swiping to unlock the device and swiping to authorize a mobile payment transaction? You can't tell…
Confused Authorization Attack
◆ Applications often mistakenly treat authorization as authentication, and fail to provide context proofs for authorization.
◆ Without a proper context proof, the attacker can mislead the victim into authorizing a malicious transaction by disguising it as an authentication or as another transaction.
◆ In the demo
  ➢ The attacker fakes a lock screen to fool the victim into thinking that he/she is "swiping a finger to unlock the device", but the fingerprint is actually used to authorize a money transfer in the background.
FIDO Alliance's Specification
➔ Basically if a FIDO UAF Authenticator has a transaction confirmation display capability, FIDO UAF architecture makes sure that the system supports What You See is What You Sign mode (WYSIWYS). A number of different use cases can derive from this capability -- mainly related to authorization of transactions (send money, perform a context specific privileged action, confirmation of email/address, etc).
➔ The transaction confirmation display component implementing WYSIWYS needs to be trusted
◆ The original fingerprint auth framework (without TrustZone) has no reliable way to provide an authorization context proof.
◆ The framework with TrustZone can be improved to achieve this goal (the Trustlet modules in TrustZone can be modified to provide the context proof), but so far (June 2015) we have not seen any major vendor implement this feature.
However...
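To make the context-proof idea concrete, here is an added Python model (not code from the talk or from any vendor) that contrasts a trustlet returning a bare match flag with one returning a MAC over the exact text its trusted UI displayed, which is what the WYSIWYS requirement above asks for. FingerprintTrustlet, PaymentServer, the byte-string templates and the symmetric verifier key are all assumptions of the model.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model; the class names and template representation are
# hypothetical. A swipe "matches" when it equals the enrolled template,
# real minutiae matching is out of scope.

USER_TEMPLATE = b"enrolled-template-of-the-user"      # constructed sample
TRANSFER = "Transfer $1000 to attacker"


class FingerprintTrustlet:
    """Stand-in for the secure-world fingerprint trustlet."""

    def __init__(self, enrolled_template: bytes) -> None:
        self._enrolled = enrolled_template
        self._device_key = secrets.token_bytes(32)    # never leaves the secure world
        self.trusted_display: list[str] = []          # what the secure-world UI showed

    def _matches(self, swipe: bytes) -> bool:
        return hmac.compare_digest(swipe, self._enrolled)

    # Design 1 (no context proof): a bare yes/no that says nothing about
    # what the user believed the swipe was for.
    def authenticate(self, swipe: bytes) -> bool:
        return self._matches(swipe)

    # Design 2 (context proof): the secure world renders the transaction text
    # itself and returns a MAC over exactly that text, so the normal world
    # cannot show one thing and have another thing signed.
    def authorize(self, swipe: bytes, transaction_text: str) -> Optional[bytes]:
        self.trusted_display.append(transaction_text)
        if not self._matches(swipe):
            return None
        return hmac.new(self._device_key, transaction_text.encode(), hashlib.sha256).digest()

    def verifier_key(self) -> bytes:
        # Simplification: a symmetric key shared with the relying party. A real
        # design would use a per-device signing key and a public verifier.
        return self._device_key


class PaymentServer:
    """Relying party that must decide whether the user really approved a transfer."""

    def __init__(self, verifier_key: bytes) -> None:
        self._key = verifier_key

    def accept_by_flag(self, transaction_text: str, app_says_user_approved: bool) -> bool:
        # Design 1: the only evidence is a flag set by (possibly malicious) app code.
        return app_says_user_approved

    def accept_by_proof(self, transaction_text: str, proof: Optional[bytes]) -> bool:
        # Design 2: the proof must be a MAC over this exact transaction text.
        if proof is None:
            return False
        expected = hmac.new(self._key, transaction_text.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def weak_design_outcome() -> tuple[str, bool]:
    """Returns (what the user saw, whether the server accepted the transfer)."""
    tz = FingerprintTrustlet(USER_TEMPLATE)
    server = PaymentServer(tz.verifier_key())
    user_saw = "Swipe finger to unlock"       # fake lock screen drawn by the malicious app
    ok = tz.authenticate(USER_TEMPLATE)       # the victim swipes to "unlock"
    return user_saw, server.accept_by_flag(TRANSFER, ok)


def context_bound_outcome() -> tuple[str, bool, bool]:
    """Returns (what the trusted UI last showed, transfer accepted with an
    'unlock' proof, transfer accepted when the trusted UI showed the transfer)."""
    tz = FingerprintTrustlet(USER_TEMPLATE)
    server = PaymentServer(tz.verifier_key())
    # Attack attempt: obtain a proof for "unlock" and replay it as a transfer.
    unlock_proof = tz.authorize(USER_TEMPLATE, "Unlock device")
    replayed = server.accept_by_proof(TRANSFER, unlock_proof)
    # Honest path: the transfer text is shown by the trusted UI before signing.
    transfer_proof = tz.authorize(USER_TEMPLATE, TRANSFER)
    honest = server.accept_by_proof(TRANSFER, transfer_proof)
    return tz.trusted_display[-1], replayed, honest
```

In the second design the only way to obtain a proof the server accepts for the transfer is to have the trusted UI display that transfer, which is exactly the context the fake lock screen tries to hide.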
What you thought your fingerprint should be...
Fingerprint image from: http://www.cleveland.com/business/index.ssf/2015/03/victims_of_anthem_security_bre.html
What the reality is...
Problem found on the HTC One Max. HTC has patched it by working with its vendor after our notification.
Any unprivileged process or app can steal the user's fingerprints by reading this file (shown on the slide).
The file format is distorted -- but easy to recover.
Fingerprint Image Format
➢ It's a bitmap image
➢ Each line starts with 0xFE01
➢ Each line is not properly 4-byte aligned (can be fixed by padding)
Fingerprint Bitmap Recovery
[Figure: rows before and after padding]
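An added example, not the talk's own tooling, that parses the raw dump format the slides describe and writes it out as a standard 8-bit BMP, which is the recovery step the slides call easy. The image width is not stated on the slides, so it is recovered by finding the one row stride at which every line starts with 0xFE01; the sample dump is constructed, not real sensor data.

```python
from __future__ import annotations
import struct

LINE_MARKER = b"\xfe\x01"   # from the talk: every image line starts with 0xFE01


def guess_width(blob: bytes, max_width: int = 2048) -> int | None:
    """Return the pixel width at which all line markers line up, or None."""
    for width in range(1, max_width + 1):
        stride = len(LINE_MARKER) + width
        if len(blob) % stride:
            continue
        if all(blob[o:o + 2] == LINE_MARKER for o in range(0, len(blob), stride)):
            return width
    return None


def split_rows(blob: bytes, width: int) -> list[bytes]:
    """Strip the 0xFE01 prefix from each line and return the raw 8-bit rows."""
    stride = len(LINE_MARKER) + width
    if len(blob) % stride:
        raise ValueError("blob length is not a whole number of lines")
    rows = []
    for off in range(0, len(blob), stride):
        if blob[off:off + 2] != LINE_MARKER:
            raise ValueError(f"missing line marker at offset {off}")
        rows.append(blob[off + 2:off + stride])
    return rows


def pad_row(row: bytes) -> bytes:
    """BMP requires each row to be a multiple of 4 bytes; pad with zeros."""
    return row + b"\x00" * ((4 - len(row) % 4) % 4)


def to_bmp(rows: list[bytes]) -> bytes:
    """Build an 8-bit greyscale BMP (256-entry grey palette, bottom-up rows)."""
    height, width = len(rows), len(rows[0])
    pixels = b"".join(pad_row(r) for r in reversed(rows))
    palette = b"".join(bytes((v, v, v, 0)) for v in range(256))
    offset = 14 + 40 + len(palette)
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 8, 0,
                              len(pixels), 2835, 2835, 256, 256)
    return file_header + info_header + palette + pixels


def recover(blob: bytes) -> bytes:
    """Full pipeline: find the width, split the lines, pad, emit a BMP."""
    width = guess_width(blob)
    if width is None:
        raise ValueError("no consistent line width found")
    return to_bmp(split_rows(blob, width))


# Constructed sample dump: 5 lines of 6 pixels (a 6-byte row is not 4-byte
# aligned), each prefixed with the marker.
SAMPLE_ROWS = [bytes((x * 40 + y * 10) & 0xFF for x in range(6)) for y in range(5)]
SAMPLE_DUMP = b"".join(LINE_MARKER + r for r in SAMPLE_ROWS)

if __name__ == "__main__":
    with open("recovered.bmp", "wb") as f:
        f.write(recover(SAMPLE_DUMP))
```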
Then… how about fingerprints stored in TrustZone?
◆ TrustZone is NOT unbreakable if the vendor's code is buggy
Arbitrary code execution in TrustZone:
➢ Dan Rosenberg, QSEE TrustZone Kernel Integer Overflow, BlackHat USA 2014
➢ Josh Thomas and Nathan Keltner, Here be Dragons, RECON Canada 2014
➢ Di Shen, Attacking Your Trusted Core: Exploiting TrustZone on Android, BlackHat USA 2015
Fingerprint Authorization Framework with TrustZone
[Diagram: User Space: App → FingerprintService → TrustZone Daemon; Kernel Space: TrustZone Driver; Secure World: Monitor, TrustZone Microkernel, Fingerprint Trustlet, SPI Driver; Hardware; plus an Encrypted Fingerprint (Feature) DB and a Secure Key Store]
[Same authorization framework diagram, with a question mark at the fingerprint sensor hardware]
How about the isolation of fingerprint sensor devices?
Fingerprint Framework on Some Devices
[Same authorization framework diagram, but with an additional SPI Driver in the normal-world kernel beside the TrustZone Driver]
[Same diagram with Malware in the normal world reaching the sensor through the normal-world SPI Driver]
No isolation, and the sensor depends on access from the normal world
Fingerprint Sensor Operations (Can Be Obtained from Vendors' Open-source Kernel Code)
➢ IOCTL_POWER_ON
➢ IOCTL_POWER_OFF
➢ IOCTL_DEVICE_RESET
➢ IOCTL_SET_CLK
➢ IOCTL_CHECK_DRDY
➢ IOCTL_SET_DRDY_INT
➢ IOCTL_REGISTER_DRDY_SIGNAL
➢ IOCTL_SET_USER_DATA
➢ IOCTL_GET_USER_DATA
➢ IOCTL_DEVICE_SUSPEND
➢ IOCTL_STREAM_READ_START
➢ IOCTL_STREAM_READ_STOP
➢ IOCTL_RW_SPI_MESSAGE
➢ IOCTL_GET_FREQ_TABLE
➢ IOCTL_DISABLE_SPI_CLOCK
➢ IOCTL_SET_SPI_CONFIGURATION
➢ IOCTL_RESET_SPI_CONFIGURATION
➢ IOCTL_GET_SENSOR_ORIENT
Sensor Communication Protocol Can Be Reversed by Hooking R/W/RW Methods
read(), write(), ioctl(), ...
Fingerprint Sensor Spying Attack
Demo!
Fingerprint Sensor Spying Attack
➢ We have confirmed this vulnerability on devices including the HTC One Max and the Samsung Galaxy S5. On Samsung devices the attacker has to root the device and load it with a carefully crafted custom ROM before leveraging the vulnerability for anything malicious.
➢ Both vendors have provided patches after our notification.
➢ It is probably a general problem shared by most vendors, though.
Why?
● The normal-world UI needs to reflect scanning state changes in real time
● So it is easier to let it directly control the device (reset/enable/disable/set frequency/etc.) and receive signals from the device.
[Figure: Normal world UI ↔ sensor: 1. user touch, 2. dev op request, 3. dev read, 4. dev state change notification (async), 5. UI change]
This Is Insecure If the Fingerprint Sensor Serves Data in Plaintext
How Does Samsung Solve It? -- Trusted UI
Image from: http://www.androidcentral.com/samsung-galaxy-s5-review
[Figure: the same five steps (1. user touch, 2. dev op request, 3. dev read, 4. dev state change notification (async), 5. UI change), but handled by a TrustZone UI instead of the normal-world UI]
Vendors can also lock down the sensor so that it is only accessible from TrustZone, and implement the fingerprint scanning UI in TrustZone as well.
How Apple Solves It
Fingerprint data is encrypted using a key pre-shared by the sensor and TrustZone.
Fingerprint Settings
◆ How can you attest that only 3 fingerprints were registered?
Fingerprint Authorization Framework with TrustZone
[Authorization framework diagram repeated on two slides: User Space: App → FingerprintService → TrustZone Daemon; Kernel Space: TrustZone Driver; Secure World: Monitor, TrustZone Microkernel, Fingerprint Trustlet, SPI Driver; Hardware; plus an Encrypted Fingerprint (Feature) DB and a Secure Key Store]
Fingerprint DB Manipulating
[Diagram: FingerprintService ↔ Encrypted Fingerprint (Feature) DB ↔ TrustZone]
Fingerprint Backdoor
◆ TrustZone just scans a fingerprint and matches it against the encrypted fingerprints fed from the normal world
  ➢ It knows nothing about the number of fingerprints stored by the normal world
◆ An attacker can tamper with the normal-world framework to stealthily pre-embed a special fingerprint blob (maybe fake)
  ➢ So he/she can unlock the device or authorize other operations
  ➢ Leaving no explicit traces
Fingerprint Backdoor
◆ It is usually the Settings app that displays the number of registered fingerprints to the user.
◆ For example, on some devices an attacker with root privilege can modify the enrolledFingerprintNum method of the class com/android/settings/fingerprint/FingerprintSettings in SecSettings.apk.
◆ He/she can change the return value of getEnrolledFingers to n-m, where n is the actual number of registered fingerprints and m is the number of fingerprints pre-embedded by the attacker.
62
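The two slides above describe the backdoor from the normal-world side; the following toy model, added here and not code from the talk or from any vendor's framework, plays the attack against a trustlet built as slide 61 describes and against a hardened one that keeps its own record of enrolled templates, which is what would let someone answer the question on slide 57. The class names, the byte-string "fingers" and the HMAC-based sealing are assumptions made for the model; a real template is a feature vector matched with a tolerance and is encrypted by the trustlet with a key from the Secure Key Store.

```python
"""Toy model of the pre-embedded fingerprint backdoor (slides 61-62) and of a
TEE-side fix that lets a trusted party answer slide 57's question.
Added example, not code from the talk or any vendor framework. Class names,
the byte-string "fingers" and HMAC-based sealing are assumptions: a real
template is a feature vector matched with a tolerance."""
import hashlib
import hmac
import secrets

TAG_LEN = 32


class VulnerableTrustlet:
    """Slide 61: seals templates at enrolment and matches whatever sealed blobs
    the normal world hands it, keeping no record of how many exist."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # device-unique, never leaves the TEE

    def enroll(self, finger):
        return finger + hmac.new(self._key, finger, hashlib.sha256).digest()

    def _unseal(self, blob):
        finger, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._key, finger, hashlib.sha256).digest()
        return finger if hmac.compare_digest(tag, expected) else None

    def remove(self, blob):
        pass  # nothing to forget: the TEE never tracked the template

    def authenticate(self, blobs, finger):
        return any(self._unseal(b) == finger for b in blobs)

    def enumerate(self):
        return None  # cannot answer: only the normal world knows the count


class HardenedTrustlet(VulnerableTrustlet):
    """Fix: the TEE keeps the authoritative set of enrolled template ids in its
    own (on a real device: rollback-protected) state. A blob added behind its
    back never matches, and enumerate() gives a count that a trusted UI or an
    attestation client can compare with what Settings displays."""
    def __init__(self):
        super().__init__()
        self._ids = set()

    def enroll(self, finger):
        blob = super().enroll(finger)
        self._ids.add(hashlib.sha256(blob).digest())
        return blob

    def remove(self, blob):
        self._ids.discard(hashlib.sha256(blob).digest())

    def authenticate(self, blobs, finger):
        known = [b for b in blobs if hashlib.sha256(b).digest() in self._ids]
        return super().authenticate(known, finger)

    def enumerate(self):
        return len(self._ids)


class NormalWorld:
    """FingerprintService plus the on-disk template DB; root controls all of it."""
    def __init__(self, trustlet):
        self.tee = trustlet
        self.db = []       # sealed blobs as stored on /data
        self.visible = []  # what Settings' getEnrolledFingers() reports

    def enroll(self, finger, hidden=False):
        blob = self.tee.enroll(finger)
        self.db.append(blob)
        if not hidden:  # the backdoor: enrolled in the TEE, never listed
            self.visible.append(blob)
        return blob

    def delete(self, blob):
        self.db.remove(blob)
        self.visible.remove(blob)
        self.tee.remove(blob)

    def settings_count(self):
        return len(self.visible)  # n - m, as on slide 62

    def unlock(self, finger):
        return self.tee.authenticate(self.db, finger)


def run_scenario(trustlet):
    """Constructed inputs: four user fingers, one hidden attacker finger, one
    deleted user template written straight back into the DB file."""
    nw = NormalWorld(trustlet)
    blobs = [nw.enroll(f) for f in (b"thumb", b"index", b"middle", b"ring")]
    nw.enroll(b"attacker", hidden=True)  # root triggers enrolment, hides it
    nw.delete(blobs[3])                  # user removes the ring finger
    nw.db.append(blobs[3])               # attacker re-inserts the old blob
    return {
        "settings_count": nw.settings_count(),
        "tee_count": trustlet.enumerate(),
        "hidden_finger_unlocks": nw.unlock(b"attacker"),
        "replayed_blob_unlocks": nw.unlock(b"ring"),
    }
```

Against the vulnerable trustlet both planted templates unlock the device and the TEE has no count to offer, so Settings' "3" is the only number anyone can see. The hardened trustlet still cannot stop root from enrolling a hidden finger, because enrolment is a legitimate TEE operation, but its own count (4) disagrees with Settings (3) for anyone who queries the TEE directly rather than the patched app, and the replayed, already-deleted blob is rejected outright. The enrolled-id set only helps if it lives in storage the normal world cannot roll back; otherwise the attacker restores the snapshot from before the deletion.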
Fingerprint Backdoor
◆ Note that replacing the Settings app (a system app) requires disabling the system signature check.
◆ Most devices enforce the system signature check in the compareSignatures method of the class com/android/server/pm/PackageManagerService, implemented in /system/framework/services.jar. It returns zero if the signatures match and non-zero otherwise.
◆ Therefore, one can modify this method to always return zero, so that the system signature check always succeeds.
63
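Both steps on slides 62 and 63 rewrite files under /system (SecSettings.apk and services.jar), so the check a practitioner wants is whether such a rewrite can go unnoticed. Android's verified boot (dm-verity, introduced with Android 4.4) answers that with a hash tree over the system partition's blocks whose root hash is carried in signed boot metadata; a block whose hash path no longer reaches that root is not served. The model below is an added example, not the talk's code and not dm-verity itself: a binary SHA-256 tree over 4 KiB blocks of a constructed image, with a marker string standing in for the compareSignatures bytecode and the patch to "return 0". Real dm-verity uses a wider fan-out and also verifies the hash tree's own blocks, but the failure behaviour shown here is the same.

```python
"""Block-level integrity check in the style of verified boot (dm-verity),
applied to the slide 63 step of patching compareSignatures in services.jar.
Added example, not the talk's code and not dm-verity itself: a binary
SHA-256 hash tree over 4 KiB blocks of a constructed image."""
import hashlib
import hmac

BLOCK = 4096
ZERO = b"\0" * 32


def _h(data):
    return hashlib.sha256(data).digest()


def blocks(image):
    return [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]


def build_tree(image):
    """Return the tree as a list of levels, leaf hashes first, [root] last."""
    level = [_h(b) for b in blocks(image)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level.append(ZERO)  # pad an odd level so every node has a sibling
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def verify_block(block, index, levels, trusted_root):
    """Recompute the path from one data block to the root using the on-disk
    (untrusted) tree and compare it with the trusted root hash."""
    node = _h(block)
    for level in levels[:-1]:
        sibling = level[index ^ 1]
        node = _h(node + sibling) if index % 2 == 0 else _h(sibling + node)
        index //= 2
    return hmac.compare_digest(node, trusted_root)


def tampered_blocks(image, levels, trusted_root):
    """Indices of blocks that fail verification; dm-verity would return an
    I/O error for reads of these blocks instead of serving the data."""
    return [i for i, b in enumerate(blocks(image))
            if not verify_block(b, i, levels, trusted_root)]


def demo():
    # Constructed stand-in for a /system image: six blocks, one holding a
    # marker for the method the attacker patches. Not a real services.jar.
    marker = b"compareSignatures: return match ? 0 : -3"
    offset = 3 * BLOCK + 100
    image = bytearray(b"\x11" * (6 * BLOCK))
    image[offset:offset + len(marker)] = marker
    image = bytes(image)
    levels = build_tree(image)
    trusted_root = levels[-1][0]  # lives in signed boot metadata on a device

    patched = bytearray(image)    # the "always return zero" patch, same length
    patched[offset:offset + len(marker)] = b"return 0".ljust(len(marker))
    patched = bytes(patched)

    return {
        "clean": tampered_blocks(image, levels, trusted_root),
        # attacker rewrote only the data block: that one block fails
        "patched_block": tampered_blocks(patched, levels, trusted_root),
        # attacker also rebuilt the on-disk tree to match: every path now
        # ends at the wrong root, so every block fails
        "patched_and_retree": tampered_blocks(
            patched, build_tree(patched), trusted_root),
    }
```

Patching the method changes block 3's hash, and no rewrite of the on-disk tree can repair that without also changing the root, which the attacker with root on the normal world cannot re-sign. This is why the advice on slide 67 to run a current release matters for this particular step: on a device that enforces verified boot, the services.jar and SecSettings.apk modifications either fail to load or leave the partition unbootable, rather than silently taking effect.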
Demo!
Fingerprint Backdoor
64
Outline
❖ Design of Android Fingerprint Frameworks
➢ Fingerprint Recognition
➢ Mobile Fingerprint Frameworks
❖ System Attacks against Fingerprints
➢ Confused Authorization Attack
➢ Unsecure Fingerprint Data Storage
➢ Fingerprint Sensor Spying Attack
➢ Backdoor of Pre-embedding Fingerprints
❖ Discussion
65
Key Takeaways
◆ Mobile devices with fingerprint sensors are more and more popular
◆ But they still face severe security challenges, such as
  ◆ Confused Authorization Attack
  ◆ Unsecure Fingerprint Data Storage
  ◆ Fingerprint Sensor Spying Attack
  ◆ Backdoor of Pre-embedding Fingerprints
◆ Such security flaws can lead to fingerprint leakage
◆ Industry should pay more attention to auditing the existing designs and implementations of fingerprint frameworks
66
Suggestions to Mobile Users
◆ Stick to mobile device vendors that patch and upgrade promptly to the latest version (e.g. Android Lollipop), and always keep your device up to date
◆ Always install popular apps from reliable sources
◆ Enterprise/government users should seek professional services for protection against advanced targeted attacks
◆ For a better level of protection, end users should NOT root their device unless necessary; rooting exposes the device to unknown risks
67
Suggestions to Mobile Vendors
◆ Mobile device vendors should improve the security design of the fingerprint auth framework
  ◆ Improved recognition algorithms against fake-fingerprint attacks
  ◆ Better protection of both the fingerprint data and the devices
  ◆ Differentiating authorization from authentication
◆ The existing fingerprint auth standard should be further improved to provide more detailed and secure guidelines for developers to follow
◆ Given a security standard, vendors still need professional security vetting/audits to enforce secure implementations
68
Further Suggestions
➢ Actually, all four vulnerabilities/attacks described here apply to ALL fingerprint-based authentication/authorization platforms.
➢ For example, many high-end laptops are equipped with fingerprint scanners to authenticate and authorize user login.
Image from: http://www.bootic.com/lenovo/electronics/computers/laptops/lenovo-3000-n200
69
Further Suggestions (Cont.)
➢ The situation is similar for external fingerprint scanners used for identity recognition (e.g. at customs, immigration offices and the DMV), for door access control, or for money transactions in banks.
➢ So we suggest that the fingerprint auth frameworks on ALL platforms should also be improved to better protect the fingerprint data and the sensor (and to defend against the other attacks described in this paper, where applicable).
70
Q & A
For more details, please refer to our whitepaper:
Fingerprints On Mobile Devices: Abusing And Leaking
Y. Zhang, Z. Chen, H. Xue, and T. Wei