On the Nose: Bypassing Huawei's Fingerprint Authentication by Exploiting the TrustZone

After hundreds of disclosed vulnerabilities and countless smartphone roots, the landscape of privilege separation on your mobile device is changing. Kernel compromise is no longer the end of the road for attackers attempting to find all the dark secrets stored on your smartphone. Now we have TrustZone, a technology introduced by ARM which provides the "Secure World". This "Secure World" is separated from the Android kernel, which runs in the "Normal World". Many of the most sensitive operations on your phone are now managed inside TrustZone. These include DRM, fingerprint authentication, and secure file storage, leaving a malicious kernel unable to meddle with them.

This talk will demonstrate that despite the enhanced security architecture, a persistent attacker can still prevail. By chaining a number of memory corruption vulnerabilities the author will show how a lowly untrusted app on a Huawei device can compromise the kernel, followed by a trusted app, and eventually the TrustZone kernel itself. Using this access the author will show how the fingerprint trusted module can be patched to accept any fingerprint or even any nose. A demo with nose unlocking will be included.

Nick Stephens

Nick is a member of the Shellphish CTF team and employed by Raytheon CSI as a vulnerability researcher. Nick has published papers on automated bug finding and exploitation as well as Android security, and competed in the DARPA Cyber Grand Challenge with team Shellphish.