Bugs in Qualcomm chips leaked private data from Samsung and LG phones
November 6, 2019
Researchers have disclosed a set of vulnerabilites affecting Qualcomm chipsets that could allow a potential attacker to steal critical information.
The findings — published by cybersecurity vendor Check Point Research — reveal the ‘secure world’ present in Qualcomm CPUs, that powers most Android phones, suffer from a flaw which may “lead to leakage of protected data, device rooting, bootloader unlocking, and execution of undetectable APTs [Advanced Persistent Threats].”
Join us on Dec. 11 for the ultimate team outing
The findings were originally revealed by Checkpoint at REcon Montreal earlier this June, a computer security conference with a focus on reverse engineering and advanced exploitation techniques.
Qualcomm has since issued fixes for all the flaws after they were responsibly disclosed by the company. Samsung and LG have applied the patches to their devices, while Motorola is said to be working on a fix.
The disclosure comes months after Qualcomm patched a vulnerability that enabled a bad actor to extract private data and encryption keys that are stored in the chipset’s secure world.
Chips from Qualcomm come with a secure area inside the processor called a Trusted Execution Environment (TEE) that ensures confidentiality and integrity of code and data.
This hardware isolation — dubbed Qualcomm Trusted Execution Environment (QTEE) and based on ARM TrustZone technology — enables the most sensitive of data to be stored without any risk of being tampered.
Furthermore, this secure world provides additional services in the form of trusted third-party components (aka trustlets) that are loaded and executed in TEE by the operating system running in TrustZone — called the trusted OS.
Trustlets act as the bridge between the ‘normal’ world — the rich execution environment where the device’s main operating system resides — and the TEE, facilitating data movement between the two worlds.
“Trusted World holds your passwords, credit card information for mobile payment, storage encryption keys, and many others,” Check Point researcher Slava Makkaveev told TNW. “Trusted Environment is the last line of defence. If a hacker compromised trusted OS, nothing can stop your sensitive data from being stolen.”
Qualcomm notes that without having access to the device hardware keys, it’s impossible to access the data stored in QTEE unless it’s intentionally exposed.
But this four-month long research shows evidence to the contrary, thereby proving that the TEE is not as impenetrable as previously thought.
To do so, Check Point researchers leveraged a technique called fuzzing — an automated testing method that involves providing random data as inputs to a computer program to cause the program to crash, and therefore, identify unexpected behavior and programming errors that could be exploited to get...