Vulnerabilities in Qualcomm Chips Can Steal Personal Data from Android Devices
Problems are contained in the Qualcomm Secure Execution Environment.
Researchers at CheckPoint have discovered vulnerabilities in Qualcomm processors used on Android devices. Their exploitation allows attackers to steal confidential data stored in a protected area.
The challenges are in the Qualcomm Secure Execution Environment (QSEE), a Trusted Execution Environment (TEE) based on ARM TrustZone technology. QSEE is an isolated hardware protected area in the processor designed to protect sensitive information and provides a separate secure environment (REE) for running trusted applications. In addition to personal information, QSEE usually contains private encryption keys, passwords, and payment card data.
Because QSEE operates on the principle of least privilege, Normal World system modules such as drivers and applications cannot access protected areas unnecessarily, even if they have superuser privileges.
As part of a four-month research project, experts used a specialized fuzzing tool to verify trusted code on Samsung, LG, and Motorola devices. Researchers have identified a total of four vulnerabilities in trusted code implemented by Samsung, and one each in Motorola and LG codes.
Check Point published a partial list of components in which vulnerabilities were discovered: dxhdcp2 (LVE-SMP-190005), sec_store (SVE-2019-13952), authnr (SVE-2019-13949), esecomm (SVE-2019-13950), kmota (CVE-2019-10574), tzpr25, prov.
According to experts, the exploitation of vulnerabilities allows an attacker to run trusted applications in Normal World (Android OS), upload patched trusted applications to QSEE, bypass Qualcomm's trust chain, adapt trusted applications to work on devices of another manufacturer, etc.
Simply put, problems in the TEE component make devices vulnerable to a wide range of threats, including leakage of protected data, device hacking, unlocking the bootloader, etc.