Researchers have uncovered a side-channel attack that enables a bad actor to extract sensitive data from Qualcomm’s secure keystore. The critical flaw impacts most modern Android devices that use Qualcomm chips.
The issue stems from an issue in Qualcomm technology, dubbed the Qualcomm Secure Execution Environment (QSEE), designed to guard cryptographic keys on devices. As a result of exploiting the flaw, attackers can pluck “sensitive data,” including private encryption keys, passwords and more, from Qualcomm-powered devices.
“Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware,” according to NCC Group consultant Keegan Ryan, who discovered the attack, in a Tuesday post. “On some devices, Qualcomm’s TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA [Elliptic Curve Digital Signature Algorithm] keys.”
Up to 36 Qualcomm chipsets are impacted – including popular Snapdragon models 820, 835, 845 and 855, which currently are used by several Android devices in the market. Most modern Android mobile devices are impacted: Including the Samsung Galaxy Phone, Sony Xperia, Xiaomi Mi, LG V50, ZTE Axon and more.
QSEE splits data execution on cell phones into a “secure world and a normal world” – sensitive data is placed in the secure world, while other data, like Android OS, can run in the normal world.
This process has two implications: It means that only the application that placed the data in the secure environment can reach that data; and it also means that even if other parts of the device is attacked, the sensitive data is still safe.
However, the two worlds often share the same microarchitectural structures, said Ryan – meaning a bad actor could use a side-channel attack to sniff out memory cache samples, and eventually piece those samples to piece together private keys.
Using a memory cache analyzer called Cachegrab, Ryan was able to do just that: He used a rooted Nexus 5X device (powered by the Qualcomm Snapdragon 808) and found a point on the QSEE that was sending out enough data to give him the ability to recover 256-bit ECDSA keys.
Importantly, the attacker must have root access to the device – which could be achieved through first infecting the device with malware, according to Ryan.
Once exploited, the flaw could also lead to wider implications for embedded devices that also use the Qualcomm technology, Ryan told Threatpost.
“Extracting these keys could make attacks on the manufacturer’s infrastructure easier to perform, or allow someone to create counterfeit devices,” he said. “Someone could use these counterfeits to gain access to services without actually paying for the authentic physical device. Because the counterfeits use the same (stolen) key pair as legitimate devices, the manufacturer can no longer distinguish between which requests come from legitimate devices, and which ones come from fakes.”
Qualcomm has issued a patch for the flaw (CVE-2018-11976), which was just publicly disclosed in April. The flaw was first reported to Qualcomm March 19, 2018, and customers were notified Oct. 1, 2018. Android also disclosed a patch for the flaw in its April update.
“Providing technologies that support robust security and privacy is a priority for Qualcomm,” a Qualcomm spokesperson told Threatpost. “We commend the NCC Group for using responsible disclosure practices surrounding their security research. Qualcomm Technologies issued fixes to OEMs late last year, and we encourage
end users to update their devices as patches become available from OEMs.”
Researchers said that Qualcomm has notified impacted OEMs and carriers, “triggering the start of a six-month re-certification process.” But that doesn’t mean that all Android OEMs have patched their devices: Users should ensure that their devices are running the most recent firmware version, said Ryan.
“Developers really need to take extra care to protect their apps and operate under the assumption that their app will be installed on and launched on some number of insecure devices,” said Sam Bakken, senior product marketing manager at OneSpan, in an email. “Thankfully, technology such as mobile app shielding can provide such protection, fortifying an app in potentially hostile environments — and in many cases without slowing down time-to-market.”
Ryan told Threatpost that side channel attacks are gaining increasing attention in the academic and research community over the past couple years.
“I expect this trend to continue,” he told Threatpost. “As devices become more secure against more well-known and easily exploited vulnerabilities like buffer overflows, attackers will have to turn to more sophisticated techniques to steal the information they are after. However, this sort of research demonstrates the risks and threats that manufacturers face, and we have seen them respond with more advanced defenses.”