CVE-2020-7958 : Security Advisory and Response

OnePlus 7 Pro devices before 10.0.3.GM21BA are affected by a vulnerability that allows a privileged user to obtain bitmap images from the fingerprint sensor due to leftover debug code.

Understanding CVE-2020-7958

This CVE identifies a security issue on OnePlus 7 Pro devices that could compromise fingerprint data.

What is CVE-2020-7958?

The vulnerability allows a privileged user to extract bitmap images from the fingerprint sensor due to debug code remnants.

The Impact of CVE-2020-7958

The Trusted Execution Environment (TEE) fails to protect identifiable fingerprint data, exposing it to potential misuse.

Technical Details of CVE-2020-7958

The technical aspects of the vulnerability are as follows:

Vulnerability Description

The firmware on OnePlus 7 Pro devices enables a privileged user to access bitmap images from the fingerprint sensor.

Affected Systems and Versions

OnePlus 7 Pro devices before version 10.0.3.GM21BA.

Exploitation Mechanism

The Trusted Application (TA) on the device supports unnecessary commands, allowing an attacker to manipulate the TA to extract fingerprint images.

Mitigation and Prevention

Protect your device and data with the following measures:

Immediate Steps to Take

Update OnePlus 7 Pro devices to version 10.0.3.GM21BA or later.
Avoid granting unnecessary root access to prevent exploitation.

Long-Term Security Practices

Regularly update device firmware to patch known vulnerabilities.
Implement strong access controls to limit privileged user actions.
Monitor and restrict commands sent to the Trusted Application (TA) to prevent unauthorized access.
Consider biometric data protection measures beyond system defaults.

Patching and Updates

Stay informed about security updates from OnePlus and apply them promptly to safeguard against potential exploits.