Fingerprints on Mobile Devices: Abusing and Leaking

Black Hat USA 2015

Presented by: Tao Wei, Yulong Zhang
Date: Thursday August 06, 2015
Time: 12:10 - 13:00
Location: Mandalay Bay GH

Unlike passwords, fingerprints last a lifetime and are usually associated with critical identities. Thus, the leakage of fingerprints is irredeemable. It will be even a disaster if the attackers can remotely harvest fingerprints in a large scale.

In this talk, we will reveal some severe issues with the current Android fingerprint frameworks that have long been neglected by vendors and users. We will provide in-depth security analysis of the popular mobile fingerprint authentication/authorization frameworks, and discuss the security problems of existing designs, including (1) the confused authorization attack that enables malware to bypass pay authorizations protected by fingerprints, (2) TrustZone design flaws and fingerprint sensor spying attack to harvest fingerprints, (3) pre-embedded fingerprint backdoors, etc. We will show live demos, such as hijacking mobile payment protected by fingerprints, and collecting fingerprints from popular mobile devices. We will also provide suggestions for vendors and users to better secure the fingerprints.

Yulong Zhang

Yulong Zhang is currently working at FireEye conducting the research and development of the next generation methodologies to analyze advanced mobile malware, and to design security products to detect and defend mobile threats.

Tao Wei

Tao Wei is a senior staff research scientist at FireEye Inc. Prior to joining FireEye, he was an associate professor at Peking University and a visiting project scientist at UC Berkeley. His research interests include software analysis and system protection, web trust and privacy, programing languages, and mobile security. He led his team to publish the first 4 papers from China at IEEE S&P; (Oakland), the top-tier academic security conference. He also led the team to win the special recognition award of the Bluehat prize contest 2012 by proposing a high-performance software hardening approach. Now he leads the mobile security research team at FireEye to discover mobile vulnerabilities, identify malwares, and prevent privacy leakage.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats