Slashdot Mirror

← Back to Stories (view on slashdot.org)

TrustZone Downgrade Attack Opens Android Devices To Old Vulnerabilities (bleepingcomputer.com)

Posted by BeauHD on from the up-to-date dept.

An anonymous reader writes from a report via Bleeping Computer: An attacker can downgrade components of the Android TrustZone technology -- a secure section of smartphone CPUs -- to older versions that feature known vulnerabilities. The attacker can then use previously published exploit code to attack up-to-date Android OS versions. The research team proved their attack in tests on devices running the ARM TrustZone technology, such as Samsung Galaxy S7, Huawei Mate 9, Google Nexus 5, and Google Nexus 6. They replaced updated versions of the Widevine trustlet with an older version that was vulnerable to CVE-2015-6639, a vulnerability in Android's Qualcomm Secure Execution Environment (QSEE) -- Qualcomm's name for its ARM TrustZone version that runs on Qualcomm chips. This vulnerability allows attackers root level access to the TrustZone OS, which indirectly grants the attack control over the entire phone. The research paper is available here, and one of the researcher's authors explains the attack chain in an interview here.

45 comments

  1. Oh yeah by Anonymous Coward · · Score: -1

    Android is so much more secure than iPhone!

    NOT! /Borat

    1. Re:Oh yeah by Anonymous Coward · · Score: 0

      Security is an illusion and nothing is secure

    2. Re:Oh yeah by Gr8Apes · · Score: 2

      And some things are less secure than others, sometimes fundamentally much less secure.

      --
      The cesspool just got a check and balance.
    3. Re:Oh yeah by Anonymous Coward · · Score: 0

      Android is so much more secure than iPhone!

      NOT! /Borat

      I realise the above post is flamebait, but I wish these posts would stop using the word Android.
      The vulnerability in this case has nothing to do with Android.

      It's an exploit targeting ARM hardware/firmware - nothing to do with Android.
      When you exploit the hardware of a platform, it doesn't matter what OS the platform is running - it is no longer secure.
      The same would be true of iOS or any other OS running on this Qualcom chipset.

      It's just a happenstance that most open devices run Android.
      if iOS was allowed to be run on third party hardware, many of these same exploits would apply.

    4. Re:Oh yeah by Anonymous Coward · · Score: 0


      if iOS was allowed to be run on third party hardware, many of these same exploits would apply.
      If my aunt had balls, she'd be my uncle. "Ifs" are meaningless here: in the security arena Android is failing, iOS wins.

    5. Re:Oh yeah by TheFakeTimCook · · Score: 1

      Android is so much more secure than iPhone!

      NOT! /Borat

      I realise the above post is flamebait, but I wish these posts would stop using the word Android.
      The vulnerability in this case has nothing to do with Android.

      It's an exploit targeting ARM hardware/firmware - nothing to do with Android.
      When you exploit the hardware of a platform, it doesn't matter what OS the platform is running - it is no longer secure.
      The same would be true of iOS or any other OS running on this Qualcom chipset.

      It's just a happenstance that most open devices run Android.
      if iOS was allowed to be run on third party hardware, many of these same exploits would apply.

      Apple run Apple's ARM SoCs. Yet this vulnerability doesn't exist. That's because Apple knows how to develop an ARM SoC, and Qualcomm evidently, er, doesn't.

      And ALL devices that run Qualcomm's ARM SoCs run Android.

    6. Re:Oh yeah by BronsCon · · Score: 1

      And ALL devices that run Qualcomm's ARM SoCs run Android.

      Which routers run Android? I was gonna ask which TVs, but there are actually some that do...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re:Oh yeah by Anonymous Coward · · Score: 0

      My point is you are blaming by name a part of the stack for a security issue seemingly arbitrarily. So you are either ignorant or a shill.
      You could just as well be saying Linux is failing, iOS wins.

    8. Re:Oh yeah by TheFakeTimCook · · Score: 1

      And ALL devices that run Qualcomm's ARM SoCs run Android.

      Which routers run Android? I was gonna ask which TVs, but there are actually some that do...

      Ok, most Routers run Embedded Linux, I assume.

      Didn't give that enough thought, obviously! ;-)

    9. Re:Oh yeah by BronsCon · · Score: 1

      I really need to start looking at who I'm replying to before submitting comments. That's twice this week I've replied to you without realizing it! ;)

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    10. Re:Oh yeah by TheFakeTimCook · · Score: 1

      I really need to start looking at who I'm replying to before submitting comments. That's twice this week I've replied to you without realizing it! ;)

      LOL!

      No worries! I do the same thing almost ALL the time... ;-) ...or does that mean that you would IGNORE my idiocy if you saw it was me? ;-P

    11. Re:Oh yeah by BronsCon · · Score: 1

      I'd just be less confused when I got email notification of your reply, I suppose.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  2. Mess with the best; Die like the rest by Anonymous Coward · · Score: 0

    Hack the planet!

    1. Re: Mess with the best; Die like the rest by Anonymous Coward · · Score: 0

      They're trashing our rights!

  3. Downgrade? by thejahn · · Score: 0

    So you can downgrade your phone to remove bugfixes and ilet it be exposed to known issues? Is there a point here I am missing?

    1. Re:Downgrade? by Anonymous Coward · · Score: 0

      So you can downgrade your phone to remove bugfixes and ilet it be exposed to known issues? Is there a point here I am missing?

      The point is that you can use the vulnerabilities to root the phone.

      I recall an older android exploit that installed additional unsafe software and used it's holes to gain root access.

    2. Re:Downgrade? by tsqr · · Score: 4, Informative

      The point is that you can use the vulnerabilities to root the phone.

      So you think the point is to use the vulnerabilities to root a phone that you had to root in order to install the vulnerability?

      Suggest you read the linked interview: "A successful exploit first needs to have the root privilege of the device (e.g., exploit another vulnerability), and then use this issue combined with other vulnerabilities to exploit the device," said the researcher."

    3. Re:Downgrade? by msauve · · Score: 5, Funny

      "A successful exploit first needs to have the root privilege of the device"

      So, the headline should really be "Researchers surprised that root privilege provides root privilege!"

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Downgrade? by jbernardo · · Score: 1

      From what I understand, this attack besides needing root, only touches the DRM part. Widevine is mentioned. So, I guess that with this attack you'll be able to access stuff that you thought you had bought but had only rented, like movies. You'll just have to downgrade the widevine component to one that has documented vulnerabilities that let you access your data on your device.

    5. Re: Downgrade? by Anonymous Coward · · Score: 0

      Without vulnerabilities people would have literally no control over "their own" device.

    6. Re:Downgrade? by Anonymous Coward · · Score: 0

      Suggest you read the linked interview: "

      Hey, this is Slashdot. Nobody reads the articles.

    7. Re:Downgrade? by Anonymous Coward · · Score: 1

      Except downgrading the Trustzone will survive a reinstall of the ROM / Factory Reset.

      So you could have root on an older version of Android, downgrade the trustzone firmware, upgrade Android to a more secure version, then use the older trustzone firmware to bypass the newer Android version's security. Android can't do shit about it because the firmware runs before it does and as such can thwart any detection, or mitigation attempts Android might make.

      Where this could be real bad is in used phone sales. The attacker buys a vulnerable device, downgrades the trustzone, then sells the modified device to another person. Firmware won't get checked even by most trade in programs, so the attacker still has control over the device and can use it for all kinds of fraud or trolling.

      Yet another reason why "trust" means anything but in the IT industry. That and the fact that most of these issues are also paired with locked bootloaders so you're forced to trust a manufacturer will release an update for their broken "manufacturer trust" mechanism that you're now a potential victim of.

    8. Re:Downgrade? by Anonymous Coward · · Score: 0

      Do you really not understand?

      1. Backup phone

      2. Factory reset

      3. Unlock bootloader

      4. Tamper Trustzone

      5. Factory reset

      6. Lock bootloader

      7. Restore

      Does everything need to be spelled out for you? What is the point of Trustzone if it can be tampered with. Maybe you should go and do some reading on Trustzone technology and its purpose.

    9. Re:Downgrade? by swillden · · Score: 3, Interesting

      Do you really not understand?

      1. Backup phone

      2. Factory reset

      3. Unlock bootloader

      4. Tamper Trustzone

      5. Factory reset

      6. Lock bootloader

      7. Restore

      Does everything need to be spelled out for you? What is the point of Trustzone if it can be tampered with. Maybe you should go and do some reading on Trustzone technology and its purpose.

      Note that this sequence of operations won't work on most phones launched with Marshmallow or later.

      Step 2, factory reset, will clear a critical section of the replay-protected memory block (RPMB). That block stores the rollback protection status of Android Keymaster keys (Keymaster is a TrustZone -- or similar -- app that manages important cryptographic keys). Wiping it will make all such keys permanently unusable, cryptographically, and those keys are used to protect the device encryption keys.

      So, when you get to step 7 and restore, you'll be restoring data that is encrypted with keys that you cannot recover.

      If, however, you can tamper TrustZone in step 4 so that it, say, always generates the same, known, key for disk encryption, then give it to your target and wait for them to put sensitive data on it, then take it back, dump the flash and decrypt, then you can get the user's data. Oh, you'd also need to brute force the user's password, but that's not hard because phone passwords suck, and you could do it off-device.

      Alternatively, if you could rewrite the RPMB data between step 6 and 7, you could "reactivate" the keys, but that would require finding a way to read it before step 2.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    10. Re:Downgrade? by viperidaenz · · Score: 1

      In step 4 by "Tamper Trustzone" you mean "Load an old version of Trustzone, because there isn't a vulnerability in the verification, only that you can replace a new verified binary with an old verified binary"

      Same goes for the trustlet's this article is about, except a device update will overwrite the old trustlets.

  4. Attack by thejahn · · Score: 0

    Wait, I see Attack in the heading, as in some other entity forces the downgrade.

  5. Android is truly terrible... by Anonymous Coward · · Score: 0

    Windows Phone could not have been this bad.

    1. Re:Android is truly terrible... by Anonymous Coward · · Score: 0

      It was so much worse no one bought it.

  6. Rollback protection. by Greger47 · · Score: 4, Interesting

    I thought commonly used TrustZone firmwares do have revocation/rollback protection but the OEMs doesn't use it when upgrading the OS. E.g. they bundle a new Widevine version in the update but they don't actually revoke old vulnerable ones.

    As explored in depth by Google's Project Zero here:

    https://googleprojectzero.blog...

    Or is this a real bypass that allows installing a revoked trustlet? The article was light on details.

    / greger47

    1. Re:Rollback protection. by viperidaenz · · Score: 2

      It explains that when the same key pairs are used for new versions, the old ones can still be loaded.
      The vendors can change they keys with each version, but since it becomes much harder to manager, they don't.

  7. DACA by Anonymous Coward · · Score: 0

    DACA....is CACA

    1. Re:DACA by Boutzev · · Score: 0

      No it's CADA

  8. Fixed? by AmiMoJo · · Score: 3, Interesting

    From TFA:

    "We have already reported this vulnerability to the affected mobile vendors, and they have integrated patches in their latest updates, as well as fixes for newer device versions," Yue told Bleeping via email.

    Who? Which devices?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Fixed? by DontBeAMoran · · Score: 3, Funny

      Here's a list of vendors not affected by this bug:
      - Apple
      - Microsoft

      --
      #DeleteFacebook
  9. Hurray!! by charlesTheLurker · · Score: 2

    This theoretically opens a way to Root ANY android phone. That could be Great.

    The main dangers to you as a smartphone user are your cellphone network carrier and the manufacturer of your phone. Both both of them have a direct interest in invading your privacy for money or to keep you captive to their machinery.

    Fortunately, Android is built on open source foundations, so Google must publish the source and a build chain. Rooting your phone and installing a 3rd party Android build ( such as LineageOS ) goes a long way toward foiling this kind of carrier or OEM fuckery. It won't keep your carrier from examining your packet stream. but at least he won't be able to surveil you directly or install programs on your phone which you cannot remove. Because of this, many smartphone providers take steps to make rooting their devices difficult or impossible -- but this vulnerability might provide a way around all of them.

    --
    Not a web designer.
    1. Re:Hurray!! by triffid_98 · · Score: 3, Informative

      Sadly it does not...

      "A successful exploit first needs to have the root privilege of the device (e.g., exploit another vulnerability)"

    2. Re:Hurray!! by sexconker · · Score: 1

      Fortunately, Android is built on open source foundations, so Google must publish the source and a build chain.

      No, it isn't.

      AOSP is open and free. Android is closed and not free.
      Further, Android being 100% secure won't fix this. This is an issue similar to Intel's fuck up with AMT. AMD uses ARM TrustZone bits in their processors as well. AMD calls it the PSP.

      As an end user, the only thing you should trust is the fact that your device is vulnerable and the powers that be know about it (and likely put the vulnerabilities there in the first place). Because fuck you.

  10. Treacherous by design by jabberw0k · · Score: 2, Funny

    Anyone who uses one of these devices -- designed from the get-go to spy on the user -- is a patsy, a mark, a fool. Free software, and free hardware, exists for a reason. Think about it.

    1. Re:Treacherous by design by DontBeAMoran · · Score: 2

      I went to the local computer store and asked him if he had free hardware.

      The guy kicked me out.

      --
      #DeleteFacebook
    2. Re:Treacherous by design by Anonymous Coward · · Score: -1

      Cool story, freetard.

    3. Re:Treacherous by design by Anonymous Coward · · Score: 0

      Says the guy with a secret kiddie porn collection.

  11. The real issue here by Anonymous Coward · · Score: 0

    The real issue here is that this allows backdooring of the TrustZone OS that passes integrity checks.

    Attacker replaces the Widevine trustlet with the old, vulnerable version, then leaves the rest of the phone and TrustZone OS alone. Now there's essentially a zero-footprint backdoor in the TrustZone OS that can be easily exploited later and nothing to show that the phone is vulnerable. Attacker can now repeatedly compromise it, take data and just reboot the phone to cover their tracks. Loads easier than developing a stealth implant that can pass integrity checks... :)

    1. Re: The real issue here by Anonymous Coward · · Score: 0

      No where does this say it's persistent over reboots. This is about loading old versions of "trustlets" not downgrading the "trust os".

    2. Re:The real issue here by viperidaenz · · Score: 1

      You can't load arbitrary TrustZone OS firmware, only old versions of it.

      Replacing the trustlet is not zero footprint, it's a file on the filesystem that the OS loads when it boots. You need to root the device to overwrite the file. Re-flashing the OS will undo your exploit. There's nothing stopping anyone from writing an "Exploit detection app" like the Stagefright detection apps, as all they'll need to do is read the version of the trustlets.

      There's also not much stopping a vendor from updating the TrustZone firmware to remove the old verification keys and release new trustlets signed with new keys.

  12. From the research article by XSportSeeker · · Score: 2

    Here:

    "To reproduce the procedure, the steps are as follows:
    1. Root the device.
    2. Remount the file system that contains the trustlets (e.g., “mount -o rw,remount /system”).
    3. Replace the current trustlets with the corresponding (vulnerable) ones from an
    older-version image.
    4. Use the device as normal."