Qualcomm chip vulnerabilities endanger millions of Android devices

Check Point experts found that vulnerabilities in the Qualcomm Secure Execution Environment endanger millions of Android devices. Vulnerabilities allow attackers to steal critical data stored in protected parts of the device.

Qualcomm Secure Execution Environment (QSEE) is an implementation of the Trusted Execution Environment (TEE) based on ARM TrustZone technology. In fact, it is a hardware-isolated area of the processor that protects important data and has a secure environment for running trusted applications that are isolated from each other. So, in QSEE, as a rule, private encryption keys, passwords, bank card information and so on are contained.

“Today, ARM TrustZone is an integral part of all modern mobile devices. As seen on Android-based Nexus/Pixel phones, TrustZone components are integrated in bootloader, radio, vendor and system Android images”, — report Check Point specialists.

QSEE is based on the principle of least privilege, so Normal World system modules (drivers and applications) cannot access protected areas unnecessarily, even if they have root access. In turn, access to data in Secure World is almost impossible.

However, Check Point analysts were able to identify a number of problems after several months studying the popular commercial implementations of TEE, including:

• QSEE, used on Pixel, LG, Xiaomi, Sony, HTC, OnePlus, Samsung and many others;
• Trustronic Kinibi, used on Samsung devices in Europe and Asia;
• HiSilicon core used on most Huawei devices.

As a result, after fuzzing application, were discovered the following vulnerabilities:

• dxhdcp2 (LVE-SMP-190005)
• sec_store (SVE-2019-13952)
• authnr (SVE-2019-13949)
• esecomm (SVE-2019-13950)
• kmota (CVE-2019-10574)
• tzpr25 (problem recognized by Samsung)
• prov (Motorola is working on a fix)

Researchers say that problems in QSEE, combined with exploits for old vulnerabilities (including CVE-2015-6639 and CVE-2016-2431), allow attackers to run trusted applications at the Normal World level, launch “tricked” trustlets in Secure World, and bypass Qualcomm Chain Of Trust mechanism, and even adapt trusted applications to work on devices of other manufacturers.

Read also: Malware in popular Android keyboard could cost users $18 million

The company warned manufacturers of problems back in June of this year, and according to Check Point, so far Samsung has already fixed three of the four vulnerabilities. LG has solved one problem, and Motorola has only announced its intention to release a patch (although the company said that the fixes are already ready and released as part of the patch level 2017-04-05 and 2019-05-05 for Android). Qualcomm representatives, in turn, told the media that the vulnerability CVE-2019-10574 was fixed in October this year, and the bug related to Widevine was completely fixed back in 2014.