Cristofaro Mune

Exploiting QSEE Vulnerabilities In Google's Wifi Pro

Abstract

Trusted Execution Environments (TEEs) serve as one of the last lines of defense for a device's most sensitive assets, from cryptographic keys to secure boot chains. They are designed to be resilient even when the rest of the system is compromised, but in practice they often fall short of this promise.

In this talk we present our research into Qualcomm's Secure Execution Environment (QSEE), an ARM TrustZone-based TEE, as implemented on Google's Wifi Pro. We discovered and exploited multiple vulnerabilities that allowed us to craft primitives for reading, writing and executing code at different privilege levels, including the highest (EL3). We will walk through the attack surface, the vulnerabilities we found and how we exploited them to achieve full control of the secure world.

We also briefly share our understanding of the encryption mechanism applied to the /data partition, which leverages QSEE for its security. We outline how the decryption key is derived from a hardware key and how it can be extracted.

By the end of this talk, the audience will see how a thorough understanding of software exploitation can be augmented with deep knowledge of the target's hardware to craft powerful primitives from vulnerabilities in TEE code. Our insights may be used as inspiration for exploiting TEEs on other devices.

Bio

Cristofaro Mune is a Co-Founder and Security Researcher at Raelize and has been in the security field for almost 25 years. He has 15+ years of experience evaluating the SW and HW security of secure products.
His research on Fault Injection, TEEs, Secure Boot, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.