A OnePlus 7 security flaw could have exposed your fingerprints to hackers
The vulnerability, discovered by Synopsys CyRC, has since been fixed. But given that it was out in the wild for a while, there’s a slim chance that some bad actors could have gained access to your bitmap fingerprint image.
Researchers at CyRC reverse engineered sections of a sensitive trustlet code, which allowed them to figure out how to gain user privileges and trigger actions that revealed the fingerprints.
In theory, these fingerprint details should be hidden in the secure Trusted Execution Environment (TEE) but CyRC found a way to invoke a series of actions in the Rich Execution Environment (REE) that granted access to the raw images.
Related: Best Android phones
As you can see, it’s a fairly complex process to gain access to this image, which involves a hefty amount of component manipulation and time-consuming code cracking. Because of this, CyRC has said your average Joe probably wouldn’t be able to steal your prints, but it’s still possible that “skilled adversaries (perhaps those most interested in defeating biometrics from afar) could carry out these attacks at significant expense.”
This isn’t the first time that people have raised eyebrows at the security of the OnePlus 7 fingerprint mechanism. A video from Max Tech shows how the fingerprint scanner can be hacked with a mix of tin foil and glue. It’s likely that your average Joe would be able to try out this method, but they’d have to get their hands on your phone first.
CyRC points out that stealing fingerprint data is potentially a lot more damaging than someone cracking your password, because you can’t simply swap in a different set of fingerprints if someone manages to hack into your phone. If issues like this become more widespread, it could mean that we have to stop relying on fingerprints as a security measure completely.
Related: Best mid-range smartphones
We’ve reached out to OnePlus for comment on the issue, and to ask how long the vulnerability was present on the handsets.