Bugs in Qualcomm chips leaked private data from Samsung and LG phones

Bugs in Qualcomm chips leaked private data from Samsung and LG phones

Researchers have disclosed a set of vulnerabilites affecting Qualcomm chipsets that could allow a potential attacker to steal critical information.

The findings — published by cybersecurity vendor Check Point Research — reveal the ‘secure world’ present in Qualcomm CPUs, that powers most Android phones, suffer from a flaw which may “lead to leakage of protected data, device rooting, bootloader unlocking, and execution of undetectable APTs [Advanced Persistent Threats].”

The findings were originally revealed by the company at REcon Montreal earlier this June, a computer security conference with a focus on reverse engineering and advanced exploitation techniques.

Qualcomm has since issued fixes for all the flaws after they were responsibly disclosed by the company. Samsung and LG have applied the patches to their devices, while Motorola is said to be working on a fix.

“Providing technologies that support robust security and privacy is a priority for Qualcomm,” a Qualcomm spokesperson told TNW. “The vulnerabilities publicized by Check Point have been patched, one in early October 2019 and the other in November 2014. We have seen no reports of active exploitation, though we encourage end users to update their devices with patches available from OEMs.

The disclosure comes months after Qualcomm patched a separate vulnerability that enabled a bad actor to extract private data and encryption keys that are stored in the chipset‘s secure world.

Trusted Execution Environment

Chips from Qualcomm come with a secure area inside the processor called a Trusted Execution Environment (TEE) that ensures confidentiality and integrity of code and data.

This hardware isolation — dubbed Qualcomm Trusted Execution Environment (QTEE) and based on ARM TrustZone technology — enables the most sensitive of data to be stored without any risk of being tampered.

Furthermore, this secure world provides additional services in the form of trusted third-party components (aka trustlets) that are loaded and executed in the TEE by the operating system running in TrustZone — called the trusted OS.

Trustlets act as the bridge between the ‘normal’ world — the rich execution environment where the device’s main operating system (e.g. Android) resides — and the TEE, facilitating data movement between the two worlds.

Trusted World holds your passwords, credit card information for mobile payment, storage encryption keys, and many others,” Check Point researcher Slava Makkaveev told TNW. “Trusted Environment is the last line of defence. If a hacker compromised trusted OS, nothing can stop your sensitive data from being stolen.”

Credit: Qualcomm
The Qualcomm Trusted Execution Environment

Qualcomm notes that without having access to the device hardware keys, it’s impossible to access the data stored in QTEE unless it’s intentionally exposed.

But this four-month long research shows evidence to the contrary, thereby proving that the TEE is not as impenetrable as previously thought.

A fuzzing-based vulnerability research

To do so, Check Point researchers leveraged a technique called fuzzing — an automated testing method that involves providing random data as inputs to a computer program to cause it to crash, and therefore, identify unexpected behavior and programming errors that could be exploited to get around security protections.

The fuzzing targeted the trustlet implementation by Samsung, Motorola, and LG — specifically the code that was responsible for verifying the integrity of the trustlets — uncovering multiple flaws in the process.

The vulnerabilities, the researchers said, could allow an attacker to execute trusted apps in the normal world, load a patched trusted app into the secure world, and even load trustlets from another device.

Although TEEs present a new attack frontier, there’s no evidence that these vulnerabilities were exploited in the wild. But Makkaveev says TEEs are a very promising attack target.

“Any attack to TrustZone is just a way to gain privileges on a mobile device and get access to a protected data,” Makkaveev told TNW. “It means that in real world such attack will be used as part of an exploits chain which starts from installing of a malicious app to the device or clicking a link on outdated or compromised browser.”

Read next: This award-winning coffee machine brings barista-level brewing to your home for under $75