Security Notice - Statement on "Fingerprints on Mobile Devices: Abusing and Leaking" at the Black Hat Conference
- Initial Release Date: 2015-08-08
- Last Release Date: 2015-08-19
Huawei noticed that Yulong Zhang and Tao Wei from the Fireye team delivered a presentation "Fingerprints on Mobile Devices: Abusing and Leaking" at the Black Hat Conference on August 7, 2015. They pointed out the information leak vulnerability in current Android fingerprint frameworks. Huawei has started an investigation immediately after learning about the vulnerability.
The investigation has been completed. All Huawei mobile phones use the TrustZone technology to protect fingerprints and differ from mobile phones provided by other vendors in terms of design and implementation. Huawei mobile devices process and match fingerprints in the Trust Execution Environment (TEE) of the TrustZone. The fingerprint module is securely stored in the TrustZone, and external interfaces for reading data from the fingerprint module are prohibited. Therefore, Huawei mobile phones are not affected by this vulnerability.
Fireye mentioned the TrustZone vulnerability which is disclosed in another subject "Attacking Your Trusted Core: Exploiting Trustzone on Android" on the Black Hat Conference. This vulnerability was discovered by Di Shen, a security researcher from Qihoo360, and reported to Huawei before the conference. Huawei fixed this vulnerability and released an SN and SA.
For details about the SN, visit http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/hw-433719.htm
For details about the SA, visit http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-432799.htm
The investigation has been completed. All Huawei mobile phones use the TrustZone technology to protect fingerprints and differ from mobile phones provided by other vendors in terms of design and implementation. Huawei mobile devices process and match fingerprints in the Trust Execution Environment (TEE) of the TrustZone. The fingerprint module is securely stored in the TrustZone, and external interfaces for reading data from the fingerprint module are prohibited. Therefore, Huawei mobile phones are not affected by this vulnerability.
Fireye mentioned the TrustZone vulnerability which is disclosed in another subject "Attacking Your Trusted Core: Exploiting Trustzone on Android" on the Black Hat Conference. This vulnerability was discovered by Di Shen, a security researcher from Qihoo360, and reported to Huawei before the conference. Huawei fixed this vulnerability and released an SN and SA.
For details about the SN, visit http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/hw-433719.htm
For details about the SA, visit http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-432799.htm
2015-08-19 UPDATED Added the investigation result.
2015-08-08 INITIAL
2015-08-08 INITIAL
Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism. Please report to Huawei PSIRT at psirt@huawei.com if you find any security vulnerability of Huawei products.