Experts found vulnerability in Qualcomm processors that endangers all Android-devices owners

Vulnerability in Qualcomm processors allows intruders extract from Trusted Execution Environments coding keys and other important data, write researchers from NCC Group.

Trusted Execution Environments (TEE) — is a protected area of central processor for code performance and data storage with the highest level of security. Earlier researchers tested TEE, but to relatively small extent.

In March 2019 Keegan Ryan, safety researcher from NCC Group, decided to test realization of ECDSA signature in certain version of Qualcomm Secure Execution Environment (QSEE) and finally discovered a series of dangerous vulnerabilities that are united under single identifier CVE-2018-11976.

With the use of Cachgrab tool he managed to perform simultaneously several attacks on memory cash, extract cryptographic data and fully restore 256-bit closed encryption key from Qualcomm hardware keys’ storage.

“We found two locations in the multiplication algorithm which leak information about the nonce. Both of these locations contain countermeasures against side-channel attacks, but due to the spatial and temporal resolution of our microarchitectural attacks, it is possible to overcome these countermeasures and distinguish a few bits of the nonce. These few bits are enough to recover 256-bit ECDSA keys,” – Ryan said.

Researcher repeated his results in experiment on Nexus 5X that was powered by Android, but in Qualcomm confirmed that vulnerability involves more than 30 other different processors (full list can be found here). Concluding, issue touches a broad spectrum of smartphones and tablets and almost every Android-powered device has a chance to encounter vulnerability.

Researchers reported Qualcomm about vulnerability in March 2018, since that time company presented firmware updates for all affected processors and notified digital devices producers. Google improved vulnerability in its devices this month after release of April Android updates.

Good news is that for application of CVE-2018-11976 attacker should get rights of superuser on the device. Bad news is this can be done with already existing and quite spread malware that can be found even on Google Play Market.

Source: https://www.zdnet.com/