Qualcomm SOC Bug Disclosed, Critical Patch Needed

Qualcomm emerged as a mainstream microprocessor manufacturer since the explosion of the smartphone, tablets, and IoT (Internet-of-Things) devices. As one of the three leading ARM-based System-on-the-Chip vendors (the other two are Samsung and MediaTek), their SOCs are common on all mobile computing segment. Like its desktop/laptop counterparts, the SOC is not immune to hardware bugs. In fact, a SOC is not just the microprocessor, it includes the GPU, radio and memory modules that run the mobile device. It means there are many discrete parts which may go wrong.

That possibility has come to pass, as a flaw in the Qualcomm chipset’s Secure Execution Environment (QSEE) has been discovered. Documented under CVE-2018-11976, the flaw is expected to elevate towards critical level since Android updates are far and few in between for Non-Pixel devices, Pixel is Google’s own smartphone line. QSEE is an implementation of the Trusted Execution Environment, similar to its x86 counterpart, it is the hardware part that isolates data from the processor’s execution area. It is where the Android operating system operates free from any 3rd party apps accessibility. It is the area where passwords, encryption keys, and other internal Android data are stored.

The flaw was demonstrated by Keegan Ryan of the NCC Group, by using the ECDSA algorithm, it can bypass restriction which enables data to be stored in QSEE. However, by default, this cannot be done as it requires root access. By combining this exploit with another exploit that can root the Android device, the attack can become practically feasible.

“We examine ECDSA signing in Qualcomm’s implementation of Android’s hardware-backed keystore and identify a series of vulnerabilities that leak sensitive cryptographic information through shared microarchitectural structures. This should not be possible, since the hardware-backed keystore is supposed to prevent any sort of key extraction, even against an attacker who has fully compromised the Android OS,” explained Ryan.

As of this writing, there is still no known patch or firmware update that can potentially plug the hole. The good news is the demonstration only shows that the attacks are limited with how large the memory cache is. The 16-byte resolution is too small to pull a large enough instructional data to launch a continues attack against the SOC.

“We found two locations in the multiplication algorithm which leak information about the nonce. Both of these locations contain countermeasures against side-channel attacks, but due to the spatial and temporal resolution of our microarchitectural attacks, it is possible to overcome these countermeasures and distinguish a few bits of the nonce. These few bits are enough to recover 256-bit ECDSA keys,” added Ryan.

The actual disclosure of the hardware bug to Qualcomm was in March 2018, the chip-maker was given until October 2018 to actually create a firmware fix for it. The following SOCs are affected, please be alert for any updates for your device if you have these chipsets:

IPQ8074, MDM9150, MDM9206, MDM9607, MDM9650, MDM9655, MSM8909W, MSM8996AU, QCA8081, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 8CX, SDA660, SDM439, SDM630, SDM660, Snapdragon_High_Med_2016, and SXR1130

Also, Read:

runC Major Security Flaw Patched At Record Time, All Container Admins Expected To Update

Kubernetes’ Huge Privilege Escalation Bug Patched, Immediate Installation Is a Must

2019’s Google New Policy for Android: Forced Patch Update from Device Vendors

Julia Sowells960 Posts

Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.

0 Comments

Leave a Comment

Login

Welcome! Login in to your account

Remember me Lost your password?

Don't have account. Register

Lost Password
Register