In various talks during the past year I talked about fault injection attacks against secure boot implementations to able to load or run your own code before the operating system starts (e.g. Android) and about building fuzzers for Trusted Execution Environment operating systems (that second operating system that's inside your phone that holds all the important cryptographic keys) to find critical vulnerabilities. However, what's the relevance of these attacks and my research?
For the industry one of the main drivers is the protection of certain cryptographic keys such as those used by DRM and mobile banking solutions. However, in the perception of the average consumer of these devices there is something far more valuable that needs to be protected: personal data such as photos, messages but also bio-metric and health related information collected through fitness trackers and smart watches.
Analyzing and taking apart the few available open-source implementations of Android's File Based Encryption mechanism, which is used to encrypt all (user) data on a modern Android device, and its supporting TEE components KeyMaster and GateKeeper give an indication how well this data is actually protected. We will see that most of its security guarantees depend on the robustness of the TEE solution to protect KeyMaster and the keys from which the FBE encryption keys are derived. Breaking the the boot chain or compromising the TEE at run-time might allow decrypting the user data without knowing the user's credentials or extracting the keys while they reside in memory due to the user previously unlocking the device.
In this talk I will extend my previous research on attacking boot chains and vulnerability discovery in Trusted Execution Environments with what I have been able to learn about Android's FBE mechanism in the last couple of months. I will discuss some of the fundamental restrictions and issues with its security model and how the custom implementation of certain vendors tries to solve these problems. Also, Android 9 introduced the concept of the StrongBox which fundamentally resolves some of the discussed issues. However, not all new devices use or support this feature yet.
Martijn Bogaard is a Senior Security Analyst at Riscure where he focuses most of his time on analyzing the security of low-level embedded software (bootloaders, (trusted) operating systems). One of his main interests is the complicated interaction between hardware and software components/engineers and how this can lead to subtle but critical vulnerabilities.
His current research focuses on harnessing and fuzzing code that directly interfaces with hardware, how software gets affected by fault injection and how this can be used to improve fault attacks, and how simulation can be used to enhance embedded research.
