Researchers have uncovered a new side-channel attack that could be exploited by attackers to extract sensitive data, including private keys and passwords, from the Qualcomm secure keystore. The attack potentially impacts most modern Android devices that use Qualcomm chips, including the popular Snapdragon 820, 835, 845 and 855 models.
The attack leverages a flaw in the Qualcomm Secure Execution Environment (QSEE), designed to securely store cryptographic keys on devices.
“A side-channel attack can extract private keys from certain versions of Qualcomm’s secure
According to NCC, hardware-backed keystores rely on ARM TrustZone, which splits execution on these devices into a secure world (used to handle sensitive data such as keys) and a normal world (used by the Android OS and its processes).
The experts pointed out that the two worlds share the same underlying microarchitectural structures, such as CPU caches, so code running in the normal world can observe the secure world's cache footprint and use that side channel to infer secrets it cannot read directly from protected memory.
The experts used a memory cache analyzer called Cachegrab to carry out
The experts tested a rooted Nexus 5X device built on the Qualcomm Snapdragon 808 and found that QSEE leaked data that could be used to recover 256-bit ECDSA keys.
The attacker must have root access to the device to launch the attack. Root in the normal world is, however, exactly the attacker the hardware-backed keystore is designed to defend against: TrustZone is supposed to keep key material out of reach even of a fully compromised Android OS, so the root requirement limits the attack's reach but does not diminish the finding.
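To show why a side channel on the secure world's ECDSA code is fatal even though the attacker never reads the key itself, the following added example (not code from the article, from NCC or from Qualcomm) works through the algebra of ECDSA key recovery on P-256 in the simplest case: a signature whose per-signature nonce k is fully known to the attacker. A real cache side channel typically yields only partial information about k, which then has to be combined across many signatures, but the one-signature case already shows that the private key d falls out of (r, s) by a single modular equation. The private key, nonce and message are constructed for the demo; the curve constants are the public NIST P-256 parameters.

```python
import hashlib

# NIST P-256 (secp256r1) domain parameters: field prime, curve coefficients,
# group order and base point. These are public constants, not secrets.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = -3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def inv(x, m):
    """Modular inverse (Python 3.8+ pow with negative exponent)."""
    return pow(x, -1, m)


def point_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication (textbook, not side-channel safe)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def ecdsa_sign(d, msg, k):
    """Textbook ECDSA: r = (kG).x mod n, s = k^-1 (z + r d) mod n."""
    z = hash_to_int(msg)
    r = scalar_mult(k, G)[0] % N
    s = inv(k, N) * (z + r * d) % N
    return (r, s)


def ecdsa_verify(q, msg, sig):
    r, s = sig
    z = hash_to_int(msg)
    w = inv(s, N)
    x = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, q))
    return x is not None and x[0] % N == r


def recover_private_key(msg, sig, k):
    """Attacker's step: with the nonce k leaked, solve s = k^-1 (z + r d)
    for d, i.e. d = (s k - z) r^-1 mod n. One signature is enough."""
    r, s = sig
    z = hash_to_int(msg)
    return (s * k - z) * inv(r, N) % N


# Constructed demo values: a fixed private key, nonce and message.
D = hash_to_int(b"constructed demo private key") % N
K = hash_to_int(b"constructed demo nonce") % N
MSG = b"constructed message signed inside the secure world"


def demo():
    """Sign with D, then recover D knowing only the signature, message and K."""
    sig = ecdsa_sign(D, MSG, K)
    pub = scalar_mult(D, G)
    recovered = recover_private_key(MSG, sig, K)
    return {"recovered_matches": recovered == D,
            "signature_valid": ecdsa_verify(pub, MSG, sig)}


if __name__ == "__main__":
    print(demo())
```

The `scalar_mult` loop above is the usual textbook double-and-add: whether `point_add` runs in a given iteration depends on a bit of `k`, which is precisely the kind of secret-dependent memory access pattern a cache side channel can observe. Production implementations use constant-time, fixed-access-pattern scalar multiplication for exactly this reason.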
Below is the timeline of the flaw:
Technical details of the vulnerability are available in the paper published by the researchers.