Researchers devised a new side-channel attack on Qualcomm technology, which is used by most Android smartphones, that could expose private keys.
Researchers have uncovered a new side-channel attack that attackers could exploit to extract sensitive data, including private keys and passwords, from the Qualcomm secure keystore. The attack potentially impacts most modern Android devices that use Qualcomm chips, including the popular Snapdragon models 820, 835, 845 and 855.
The attack leverages a flaw in the Qualcomm Secure Execution Environment (QSEE), designed to securely store cryptographic keys on devices.
“A side-channel attack can extract private keys from certain versions of Qualcomm’s secure
According to NCC, hardware-backed keystores rely on ARM TrustZone to protect sensitive data. On many devices, TrustZone splits execution into a secure world (used to manage sensitive data) and a normal world (used by processes of the Android OS).
Experts pointed out that the two worlds have the same underlying microarchitectural structures, meaning an attacker could carry out a side-channel attack to access protected memory.
The experts used a memory cache analyzer called Cachegrab to carry out
The experts tested a rooted Nexus 5X device using the Qualcomm Snapdragon 808 and discovered that the QSEE was leaking data that could be used to recover 256-bit ECDSA keys.
The attacker must have root access to the device to launch the attack.
Below is the timeline of the flaw:
- March 19, 2018: Contact Qualcomm Product Security with issue; receive confirmation of receipt
- April, 2018: Request update on analysis of issue
- May, 2018: Qualcomm confirms the issue and begins working on a fix
- July, 2018: Request update on the fix; Qualcomm responds that the fix is undergoing internal review
- November, 2018: Request update on the timeline for disclosure; Qualcomm responds that customers have been notified in October, beginning a six-month carrier recertification process. Agree to April 2019 disclosure date.
- March, 2019: Discuss publication plans for April 23
- April, 2019: Share draft of paper with Qualcomm
- April 23, 2019: Public Disclosure

“Providing technologies that support robust security and privacy is a priority for Qualcomm,” a Qualcomm spokesperson told Threatpost. “We commend the NCC Group for using responsible disclosure practices surrounding their security research. Qualcomm Technologies issued fixes to OEMs late last year, and we encourage end users to update their devices as patches become available from OEMs.”