Security researchers say that they have found vulnerabilities in the supposedly impenetrable 'secure world' storage vault in Android phones that could allow access to payment credentials.
A four-month study by Check Point Research into the isolated 'secure world' Trusted Execution Environment (TEE), which is backed by ARM 'TrustZone' hardware-based Cortex-A processor access controls and widely implemented on Android-based devices, suggests that a "gaping hole" exists that could enable an attacker to access mobile payment data.
The Qualcomm Secure Execution Environment (QSEE) is the most popular of the TEE implementations for Android-powered smartphones, being present in just under half of all devices globally. It is also widely regarded as the safest component of a smartphone; such ARM TrustZone hardware-based security features reduce the attack surface when compared to software-only secure data storage solutions. It is where sensitive data assets can be stored and trusted code executed. Check Point researchers found, however, that it is not as safe and secure as it should be.
In "The Road to Qualcomm TrustZone Apps Fuzzing" report, Check Point security researcher Slava Makkaveev warns that a "vulnerability in a component of TEE may lead to leakage of protected data, device rooting, bootloader unlocking and execution of undetectable APTs". Check Point says it uncovered a number of vulnerabilities by building a feedback-based fuzzing platform; fuzzing is a quality assurance technique used to find coding errors by inputting gigantic amounts of random data to crash the tested application. These included vulnerabilities in trusted code implemented by Samsung (including the latest Galaxy S10), Motorola and LG. This was all in code sourced by Qualcomm itself, the researcher says, leading to the conclusion that "programmers of all vendors and Qualcomm made mistakes in their code".
Having responsibly disclosed its findings to all the parties concerned, Check Point says that Samsung and LG patched the vulnerabilities. Motorola gave assurances that a patch would be forthcoming, but Check Point says it has yet to release one. SC Media UK reached out to Motorola for a statement but had not heard back before publication.
A Qualcomm spokesperson told SC Media UK that "providing technologies that support robust security and privacy is a priority for Qualcomm. The vulnerabilities publicised by Check Point have been patched, one in early October 2019 and the other in November 2014. We have seen no reports of active exploitation, though we encourage end users to update their devices with patches available from OEMs."
It is important to note, a Check Point spokesperson says, "on 13 November, a day before publishing this research blog, Qualcomm acknowledged our findings and patched the vulnerability (CVE-2019-10574)". As for the older, 2014 flaw (CVE-2014-9935), the spokesperson continues, "if the patch was sent to OEMs then I guess it relies on OEMs applying the patch".
Jonathan Shimonovich, group manager - mobile threat detection at Check Point, told SC Media UK: "In this research we were able to compromise the TrustZone environment using fuzzing techniques. For an external attacker to do this, they would need to penetrate the device first. The two most common and widespread methods of doing this are via a malicious link, or by installing a malicious application. So enterprises should use on-device mobile security that protects their devices against malicious links, downloads or apps."
"It's highly likely that the software that reliably accessed the ARM TrustZone was never looked at too deeply until now by Checkpoint's researchers," Ian Thornton-Trump, cyber-threat intelligence expert and CompTIA global faculty member, told SC Media UK. "This is a good thing as Checkpoint's research has identified the flaws before (we hope) they have been weaponised or used in the wild by malicious actors."
Thornton-Trump draws a comparison to the Spectre and Meltdown issues to highlight the problems that exist in the murky world between hardware and software. "This murky world has been gaining increasing attention of late," he adds, "and it's not surprising to me that the software layer sitting in-between hardware and software has started providing an interesting attack surface for researchers to explore."