Abstract

An increasing number of smartphones are adopting fingerprint verification as a method to authenticate their users. Fingerprint verification is used not only to unlock these smartphones but also in financial applications such as online payment. It is therefore crucial to secure the fingerprint verification mechanism for reliable services. In this paper, however, we identify a few vulnerabilities in one of the currently deployed smartphones equipped with a fingerprint verification service by analyzing the service application. We demonstrate actual attacks via two pieces of proof-of-concept code that exploit these vulnerabilities. In the first attack, a malicious application can obtain the fingerprint image of the owner of the victimized smartphone through message-based interprocess communication with the service application. In the second attack, an attacker can extract fingerprint features by decoding a file containing them in encrypted form. We also suggest a few possible countermeasures to prevent these attacks.

Highlights

  • Recent advances in smartphone technologies have enabled users to do various tasks using their smartphones.

  • We expect that the findings we obtained through our analysis may be used as a general guideline to design a secure biometric verification service on smartphones.

  • ARM Cortex-A series processors, including the Cortex-A7 processor embedded in the Qualcomm Snapdragon CPU of the VEGA Secret Note, provide the device ID number in the Primary part number field of the Main ID register (MIDR) [21].


Summary

Introduction

Recent advances in smartphone technologies have enabled users to do various tasks using their smartphones. We disclose the vulnerabilities in the fingerprint recognition service of VEGA Secret Note by analyzing the service application and demonstrate possible attacks against this service. (The second vulnerability was already addressed through a patch, and the vendor commented that the first vulnerability will be addressed in the upcoming version.) VEGA Secret Note is an Android-based smartphone with a Qualcomm Snapdragon CPU (Krait 400), 3 GB RAM, and a 5.9-inch IPS touch display. It is equipped with an FPC fingerprint sensor on its back. Our first attack enables a malicious application to acquire the fingerprint image of the owner of the victimized smartphone by accessing the memory space that the fingerprint recognition service application uses to temporarily store the image.
