Qualcomm Chip Flaws Let Hackers Steal Private Data From Android Devices

Posted by & filed under Security Alerts.

Hundreds of millions of devices, especially Android smartphones and tablets, using Qualcomm chipsets, are vulnerable to a new set of potentially serious vulnerabilities.

According to a report cybersecurity firm CheckPoint shared, the flaws could allow attackers to steal sensitive data stored in a secure area that is otherwise supposed to be the most protected part of a mobile device.

The vulnerabilities reside in Qualcomm’s Secure Execution Environment (QSEE), an implementation of Trusted Execution Environment (TEE) based on ARM TrustZone technology.

Also known as Qualcomm’s Secure World, QSEE is a hardware-isolated secure area on the main processor that aims to protect sensitive information and provides a separate secure environment (REE) for executing Trusted Applications.

Along with other personal information, QSEE usually contains private encryption keys, passwords, credit, and debit card credentials.

Since it is based on the principle of least privilege, Normal World system modules like drivers and applications can not access protected areas unless necessary—even when they have root permissions.

“In a 4-month research project, we succeeded in reverse Qualcomm’s Secure World operating system and leveraged the fuzzing technique to expose the hole,” researchers told.

“We implemented a custom-made fuzzing tool, which tested trusted code on Samsung, LG, Motorola devices,” which allowed researchers to find four vulnerabilities in trusted code implemented by Samsung, one in Motorola and one in LG.

 

  • dxhdcp2 (LVE-SMP-190005)
  • sec_store (SVE-2019-13952)
  • authnr (SVE-2019-13949)
  • esecomm (SVE-2019-13950)
  • kmota (CVE-2019-10574)
  • tzpr25 (acknowledged by Samsung)
  • prov (Motorola is working on a fix)

According to researchers, the reported vulnerabilities in the secure components of Qualcomm could allow an attacker to:

  • execute trusted apps in the Normal World (Android OS),
  • load patched trusted app into the Secure World (QSEE),
  • bypassing Qualcomm’s Chain Of Trust,
  • adapt the trusted app for running on a device of another manufacturer,
  • and more.

“An interesting fact is that we can load trustlets from another device as well. All we need to do is replace the hash table, signature, and certificate chain in the .mdt file of the trustlet with those extracted from a device manufacturer’s trustlet,” researchers said.

In short, a vulnerability in TEE component leaves devices vulnerable to a wide range of security threats, including the leakage of protected data, device rooting, bootloader unlocking, and execution of undetectable APT.

The vulnerabilities also affect a wide range of smartphone and IoT devices that use the QSEE component to secure users’ sensitive information.

Check Point Research responsibly disclosed its findings to all affected vendors, out of which Samsung, Qualcomm, and LG have already released a patch update for these QSEE vulnerabilities.

 

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.