Maxime Rossi Bellom, Damiano Melotti, Raphael Neveu, Gabrielle Viala

Attacking the Samsung Galaxy A* Boot Chain

Abstract

During our past research analyzing the Android Data Encryption Scheme, we dived into the boot chain of Samsung low-end mobile devices, in particular the Galaxy A family, which is based on Mediatek System-on-Chips. These devices are often overlooked by the security research community, which usually targets high-end ones (e.g., the S family for Samsung). Nonetheless, these devices are extremely popular, and thus represent a big share of the phones in the wild.

On top of the Mediatek boot chain, Samsung added its own features, including the Knox Security Bit, support for its recovery tool Odin, a JPEG parser, and so on.
In its latest systems-on-chip, Mediatek has improved security and fixed an infamous BootROM vulnerability that used to affect most of its chips. Yet, even with the security improvements made by Mediatek and the apparent security added by Samsung, we were able to break the boot chain of most Samsung phones powered by Mediatek SoCs.

We will present several 0-day vulnerabilities that, chained together, can be used by an attacker with physical access to a wide range of Samsung devices (mainly from the A* family) to bypass secure boot, execute code on the chip, achieve persistence, and ultimately leak the secret keys protected by the hardware-backed keystore. Some of the vulnerabilities also affect Samsung devices based on Qualcomm SoCs, which makes the number of impacted devices quite high.

This presentation brings together two important concepts of modern mobile architectures: the secure boot and the Trusted Execution Environment. It gives a comprehensive view of how these features work and how they can be targeted by security researchers, focusing on the offensive approach.

BIO

Maxime Rossi Bellom (@max_r_b) is a Security Researcher and Tech Lead working at Quarkslab, focusing on the hardware and low-level software security of mobile devices and embedded systems. He likes playing with secure boot and the security chips embedded in smartphones.

Damiano Melotti (@DamianoMelotti) is a security researcher. He is mostly interested in systems security, especially in mobile platforms (Android) and automated vulnerability research.

Raphael Neveu is a Security Researcher working at Quarkslab and focusing on low-level mobile software.

Gabrielle Viala (@pwissenlit) is a security engineer specialized in vulnerability research and exploitation at Quarkslab. She is usually focused on desktop-based components, but as long as the project involves low-level technology, any target can be a good playground for her.