
auth_attempted D-Bus signal broadcasts biometric similarity score to any local listener #76

Description

@tyvsmith

Finding

The daemon emitted an auth_attempted (AuthAttempted) D-Bus signal whose payload included the raw cosine similarity score, and the bus policy did not deny signal reception in the default context, so any local user could run `dbus-monitor --system` and read the score of every auth attempt.

Impact / attack scenario

The raw similarity score is a spoof-tuning oracle. An attacker iterating on a presentation attack (photo, mask, replay) can watch the exact score their attempt produced against the enrolled template and hill-climb toward the recognition threshold, dramatically shortening the search for a working spoof — all without any privilege, just by listening on the system bus. Legitimate consumers only need matched + user; the score should be dropped from the payload and signal reception denied by default to non-privileged callers.

Where it lives

  • crates/facelock-cli/src/commands/daemon.rs — signal emit and declaration
  • dbus/org.facelock.Daemon.conf — bus policy (no default signal-receive deny)

How it was found

Internal security review, July 2026 (Plan 06, signal-leak finding).
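The spoof-tuning oracle described under Impact, as an added simulation (constructed for this page, not facelock's daemon code or a real presentation attack). The enrolled template and the attacker's probe are random unit vectors, the daemon decides `matched` by cosine similarity against an assumed threshold of 0.90, and the attacker either sees the leaked score (the original `auth_attempted` payload) or only `matched` (the proposed payload). The embedding dimension, threshold, step size, attempt budget and all names are assumptions.

```python
"""Why a broadcast similarity score is a spoof-tuning oracle (constructed example)."""
import math
import random

DIM = 32          # embedding dimension (assumed; facelock's is not stated in the issue)
THRESHOLD = 0.90  # recognition threshold (assumed)
STEP = 0.02       # size of each perturbation the attacker tries
BUDGET = 5000     # auth attempts the attacker is willing to spend


def cosine(a, b):
    """Cosine similarity between two vectors of equal length."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb)


def unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def random_vector(rng, dim=DIM):
    """Random direction on the unit sphere (stand-in for an embedding)."""
    return unit([rng.gauss(0.0, 1.0) for _ in range(dim)])


class Daemon:
    """Stand-in for the biometric daemon.  leak_score=True models the original
    auth_attempted payload (matched + score); False models the fixed payload."""

    def __init__(self, template, leak_score):
        self.template = template
        self.leak_score = leak_score
        self.attempts = 0

    def auth_attempted(self, probe):
        """Returns what a local listener would see in the signal payload."""
        self.attempts += 1
        score = cosine(probe, self.template)
        matched = score >= THRESHOLD
        if self.leak_score:
            return {"matched": matched, "score": score}
        return {"matched": matched}


def hill_climb(daemon, rng, budget=BUDGET):
    """Attacker against the leaky daemon: keep a perturbation only if the
    broadcast score went up.  Returns attempts used, or None if the budget ran out."""
    probe = random_vector(rng)
    sig = daemon.auth_attempted(probe)
    best = sig["score"]
    while not sig["matched"] and daemon.attempts < budget:
        cand = unit([x + rng.gauss(0.0, STEP) for x in probe])
        sig = daemon.auth_attempted(cand)
        if sig["score"] > best:       # the leaked score gives the attacker a gradient
            probe, best = cand, sig["score"]
    return daemon.attempts if sig["matched"] else None


def blind_search(daemon, rng, budget=BUDGET):
    """Same attacker against the fixed daemon: with only matched/not-matched
    feedback (and no matches so far) there is nothing to climb, so every
    attempt is a fresh guess.  Returns attempts used, or None."""
    while daemon.attempts < budget:
        if daemon.auth_attempted(random_vector(rng))["matched"]:
            return daemon.attempts
    return None


def run(seed=1):
    """Run both attackers against the same enrolled template."""
    template = random_vector(random.Random(seed))
    leaky = Daemon(template, leak_score=True)
    fixed = Daemon(template, leak_score=False)
    return {
        "with_score": hill_climb(leaky, random.Random(seed + 1)),
        "match_only": blind_search(fixed, random.Random(seed + 1)),
    }


if __name__ == "__main__":
    print(run())
```

With the score in the payload the hill-climb reaches the threshold in a few hundred attempts; with `matched` alone the attacker gets no feedback until the first success, which a random guess in 32 dimensions essentially never produces. Real embeddings and liveness checks change the numbers, not the shape of the argument.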
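The bus-policy half of the proposed fix, as an added example of what dbus/org.facelock.Daemon.conf could look like (this is not the project's actual file). The weak setting is a default context that never mentions signal reception; the corrected version denies receiving the daemon's signals in the default context and re-allows it for a dedicated group. The `facelock` group name and the root-only ownership rule are assumptions.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Only the daemon's user may own the name (assumed to run as root). -->
  <policy user="root">
    <allow own="org.facelock.Daemon"/>
  </policy>

  <!-- WEAK (as described in the finding): the default context restricts
       method calls to the daemon but says nothing about signals, and
       signals are broadcast, so every connection receives them.
  <policy context="default">
    <deny send_destination="org.facelock.Daemon"/>
    <allow send_destination="org.facelock.Daemon"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
  -->

  <!-- FIXED: deny reception of the daemon's signals by default ... -->
  <policy context="default">
    <deny send_destination="org.facelock.Daemon"/>
    <deny receive_sender="org.facelock.Daemon" receive_type="signal"/>
    <allow send_destination="org.facelock.Daemon"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>

  <!-- ... and re-allow it only for the group that legitimately consumes
       auth_attempted (group name is an assumption). -->
  <policy group="facelock">
    <allow receive_sender="org.facelock.Daemon" receive_type="signal"/>
    <allow send_destination="org.facelock.Daemon"/>
  </policy>
</busconfig>
```

dbus-daemon applies policy sections in the order default, group, user, mandatory, with later matching rules overriding earlier ones, so the group allow takes precedence over the default deny. A `send_destination` deny on its own does nothing for signals, which have no destination; the deny has to be on `receive_sender` with `receive_type="signal"`. After reloading the bus configuration (dbus-daemon re-reads it on SIGHUP), check the effect the same way the finding was made: run `dbus-monitor --system` as an unprivileged user and confirm the signal no longer arrives, while a member of the group still sees it. Dropping the score from the payload remains necessary regardless, since any permitted receiver would otherwise still get the oracle.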

Metadata

Labels: security (Security finding)