CVE-2019-9196 in Mobile Liveness SDK
Summary
by MITRE
The Face authentication component in Aware mobile liveness 2.2.1 sdk 2.2.0 for Knomi allows a Biometrical Liveness authentication bypass via parameter tampering of the /knomi/analyze security_level field.
Analysis
by VulDB Data Team • 09/21/2023
CVE-2019-9196 resides in the Face authentication component of the Aware mobile liveness SDK (mobile liveness 2.2.1, SDK 2.2.0) for Knomi. The flaw affects the biometric liveness detection that is meant to reject presentation attacks, such as a photograph or a replayed video held in front of the camera, in place of a live human subject. It is caused by missing validation of the security_level parameter of the /knomi/analyze endpoint, the field that determines how strict the liveness check must be before a user is considered verified.
The root cause is insufficient validation of a client-supplied parameter in the SDK's authentication flow. Because the security_level value in the /knomi/analyze request is honoured as sent, an attacker who can modify the request body (which is trivial for anyone who controls the device or sits between it and the backend) can lower the value, or omit the field altogether, so that the liveness check runs at a weaker level than the deployment intended, or is skipped. This is a textbook case of trusting client-side input for a server-side security decision: a parameter that should be fixed by server policy and immutable during verification is instead controlled by the very party being verified.
The impact is significant because it defeats the purpose of liveness detection. A successful bypass lets an attacker pass face authentication with non-live biometric data, which in turn enables identity theft, account takeover and unauthorized access to whatever the authentication protects. The bypass happens at the authentication decision point: the system should enforce the configured liveness requirement, but instead accepts a manipulated parameter that lowers or removes it. Organizations that rely on the Knomi SDK for mobile authentication, particularly in financial services, healthcare and government, remain exposed for as long as affected versions are deployed.
Organizations using the affected SDK versions should treat the security_level field as server-owned: the required level must come from server-side configuration tied to the calling application, and any value sent by the client must be ignored or rejected, or at most be allowed to raise, never lower, the level. Server-side input validation should check the parameter against the set of defined levels, and the accept/reject decision must be made on the server. Request integrity checks and proper session management further reduce the opportunity for tampering, but they cannot replace server-side policy, since the client is the untrusted party here. The weakness maps to CWE-20 (Improper Input Validation). In ATT&CK terms the outcome resembles T1550 (Use Alternate Authentication Material) and T1078 (Valid Accounts): the attacker gains access by manipulating authentication parameters rather than by compromising credentials.
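To make both the tampering described in the analysis and the recommended fix concrete, here is an added example written for this page (it is not code from Aware, Knomi or VulDB) of a request handler that trusts the client's security_level beside one that takes the level from server-side policy. The endpoint path and the field name come from the CVE description; the level names, thresholds, policy table, request bodies and liveness score are constructed assumptions, and the real SDK's scale is not on this page.

```python
import json
from dataclasses import dataclass
from typing import Any, Mapping

# Assumed mapping from a security level name to the minimum liveness score a
# face sample must reach. The real SDK's levels and scale are not public here.
LIVENESS_THRESHOLDS = {"low": 0.10, "medium": 0.50, "high": 0.90}

# Assumed server-side policy: the required level is keyed by the calling
# application, which the server knows from the authenticated API credential,
# never from the request body.
SERVER_POLICY = {"mobile-banking": "high", "loyalty-app": "medium"}


@dataclass(frozen=True)
class AnalyzeResult:
    accepted: bool
    level_used: str
    reason: str


def analyze_vulnerable(body: Mapping[str, Any], liveness_score: float) -> AnalyzeResult:
    """Vulnerable pattern: the security_level field of the POST /knomi/analyze body
    is trusted as sent. A lowered or absent field weakens the check (assumed
    default when absent: "low")."""
    level = str(body.get("security_level", "low"))
    threshold = LIVENESS_THRESHOLDS.get(level, LIVENESS_THRESHOLDS["low"])
    if liveness_score >= threshold:
        return AnalyzeResult(True, level, "liveness passed")
    return AnalyzeResult(False, level, "liveness below threshold")


def analyze_hardened(body: Mapping[str, Any], liveness_score: float,
                     app_id: str, allow_client_raise: bool = False) -> AnalyzeResult:
    """Hardened pattern: the level comes from SERVER_POLICY for the authenticated
    application. A client-supplied security_level is rejected outright, or, if the
    deployment opts in, may only raise the level above the policy floor."""
    required = SERVER_POLICY.get(app_id)
    if required is None:
        return AnalyzeResult(False, "none", "unknown application")
    client_level = body.get("security_level")
    effective = required
    if client_level is not None:
        if client_level not in LIVENESS_THRESHOLDS:
            return AnalyzeResult(False, required, "invalid security_level")
        if not allow_client_raise:
            return AnalyzeResult(False, required, "security_level is not client-settable")
        # Stricter than policy is acceptable; weaker is silently ignored.
        if LIVENESS_THRESHOLDS[client_level] > LIVENESS_THRESHOLDS[required]:
            effective = client_level
    if liveness_score >= LIVENESS_THRESHOLDS[effective]:
        return AnalyzeResult(True, effective, "liveness passed")
    return AnalyzeResult(False, effective, "liveness below threshold")


# Constructed request bodies; the "face" value stands in for the encoded image.
HONEST_BODY = json.loads('{"face": "<base64 jpeg, constructed>", "security_level": "high"}')
TAMPERED_BODY = json.loads('{"face": "<base64 jpeg, constructed>", "security_level": "low"}')
STRIPPED_BODY = json.loads('{"face": "<base64 jpeg, constructed>"}')

# Constructed score for a replayed photo: fails "high" but clears "low".
REPLAY_SCORE = 0.30


def demo() -> dict:
    """Same replayed photo, same endpoint: only the handler differs."""
    return {
        "vuln_tampered": analyze_vulnerable(TAMPERED_BODY, REPLAY_SCORE).accepted,
        "vuln_stripped": analyze_vulnerable(STRIPPED_BODY, REPLAY_SCORE).accepted,
        "hard_tampered": analyze_hardened(TAMPERED_BODY, REPLAY_SCORE, "mobile-banking").accepted,
        "hard_stripped": analyze_hardened(STRIPPED_BODY, REPLAY_SCORE, "mobile-banking").accepted,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: accepted={accepted}")
```

The design point is that the hardened handler never reads a security decision from the body: the application identity comes from the authenticated credential, the level comes from the server's policy table, and the only thing the client can do with security_level is make its own check harder. Rejecting the field outright (the default here) also gives you a clean detection signal, since legitimate clients have no reason to send it.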