After previous presented work resulting in compromising the new TEE OS of the Galaxy S10 called TEEGRIS in 2020, the Corona lockdowns were a good excuse to see if we could do it again with Samsung’s latest phone. We found that Samsung decided to encrypt even more components of the firmware and we were up for a major challenge while working in the blind. After first compromising one of the (unencrypted) Trusted Applications, we speculated that we might be able to reuse some of our knowledge of the S10 to get the decrypted firmware out. By leveraging a particular weakness across several components we extracted the TEE OS, loadable firmware and secure monitor (BL31). This then allowed us to start looking for vulnerabilities in these components looking for easier ways to compromise the TEE. While analyzing the Loadable Firmware we found a collection of 5 binaries that run in S-EL1 with the same privileges as the TEE OS. These binaries implement a significant number of SMCs directly reachable from the untrusted Android side. Our work resulted in more than 5 independent ways to compromise the TEE for which patches have been released by Samsung in the last 6 months. In this presentation we will describe the architecture of Samsung’s TEE, and discuss the most interesting bugs we found and how to exploit them to break the separation between the TEE and the Android side.
Martijn Bogaard is a Principal Security Analyst at Riscure where he focuses most of his time on firmware security. One of his main interests is the complicated interaction between hardware and software components/engineers and how this can lead to subtle but critical vulnerabilities.
Federico Menarini is a Principal Security Analyst at Riscure. Federico has 16+ years of experience in security evaluations involving all types of software/hardware solutions, from low-level Embedded Systems and smartcards, to state-of-the-art mobile phone platforms & solutions, and anything in-between. Federico has also authored several papers related to hardware and software security.