TrustZone Downgrade Attack Opens Android Devices To Old Vulnerabilities

An anonymous reader writes from a report via Bleeping Computer: An attacker can downgrade components of the Android TrustZone technology -- a secure section of smartphone CPUs -- to older versions that feature known vulnerabilities. The attacker can then use previously published exploit code to attack up-to-date Android OS versions. The research team proved their attack in tests on devices running the ARM TrustZone technology, such as Samsung Galaxy S7, Huawei Mate 9, Google Nexus 5, and Google Nexus 6. They replaced updated versions of the Widevine trustlet with an older version that was vulnerable to CVE-2015-6639, a vulnerability in Android's Qualcomm Secure Execution Environment (QSEE) -- Qualcomm's name for its ARM TrustZone version that runs on Qualcomm chips. This vulnerability allows attackers root level access to the TrustZone OS, which indirectly grants the attacker control over the entire phone. The research paper is available here, and one of the research's authors explains the attack chain in an interview here.
  • Rollback protection. (Score:5, Interesting)

    by Greger47 ( 516305 ) on Wednesday September 06, 2017 @09:35AM (#55147393)

    I thought commonly used TrustZone firmwares do have revocation/rollback protection but the OEMs don't use it when upgrading the OS. E.g. they bundle a new Widevine version in the update but they don't actually revoke old vulnerable ones.

    As explored in depth by Google's Project Zero here: []

    Or is this a real bypass that allows installing a revoked trustlet? The article was light on details.

    / greger47

    • It explains that when the same key pairs are used for new versions, the old ones can still be loaded.
      The vendors can change their keys with each version, but since it becomes much harder to manage, they don't.
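
The point made in the two comments above (a signature check alone accepts any image signed with the same key, so an old trustlet still loads unless a version floor is enforced), as an added example that is not part of the original thread or any vendor's code. The image layout, the `Loader` class and the HMAC stand-in for the vendor signature are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the vendor signing key. Real trustlets carry an
# asymmetric signature; HMAC is used here only so the example runs offline.
VENDOR_KEY = b"constructed-demo-key"

def sign_trustlet(name: str, version: int, code: bytes) -> bytes:
    """Build a signed image: 16-byte name + 4-byte version + code + 32-byte tag."""
    header = name.encode().ljust(16, b"\0") + struct.pack(">I", version)
    body = header + code
    return body + hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()

def parse_and_verify(image: bytes):
    """Return (name, version) if the tag is valid, else raise ValueError."""
    if len(image) < 20 + 32:
        raise ValueError("image too short")
    body, tag = image[:-32], image[-32:]
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    name = body[:16].rstrip(b"\0").decode()
    (version,) = struct.unpack(">I", body[16:20])
    return name, version

class Loader:
    """Hypothetical loader; min_versions models a rollback counter in secure storage."""
    def __init__(self, enforce_rollback: bool):
        self.enforce_rollback = enforce_rollback
        self.min_versions = {}

    def load(self, image: bytes) -> bool:
        try:
            name, version = parse_and_verify(image)
        except ValueError:
            return False
        if self.enforce_rollback:
            if version < self.min_versions.get(name, 0):
                return False  # validly signed, but older than the recorded floor
            self.min_versions[name] = version  # the floor only ever moves forward
        return True

def demo():
    old = sign_trustlet("widevine", 1, b"old build")      # constructed sample
    new = sign_trustlet("widevine", 2, b"patched build")  # constructed sample
    # Each loader sees the new image first, then the old one.
    return {label: (ld.load(new), ld.load(old))
            for label, ld in (("signature_only", Loader(False)), ("with_counter", Loader(True)))}
```

With the same key signing both versions, only the loader that keeps a version floor refuses the older image.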

  • Fixed? (Score:4, Interesting)

    by AmiMoJo ( 196126 ) on Wednesday September 06, 2017 @09:41AM (#55147421) Homepage Journal

    From TFA:

    "We have already reported this vulnerability to the affected mobile vendors, and they have integrated patches in their latest updates, as well as fixes for newer device versions," Yue told Bleeping via email.

    Who? Which devices?

  • This theoretically opens a way to Root ANY android phone. That could be Great.

    The main dangers to you as a smartphone user are your cellphone network carrier and the manufacturer of your phone. Both of them have a direct interest in invading your privacy for money or to keep you captive to their machinery.

    Fortunately, Android is built on open source foundations, so Google must publish the source and a build chain. Rooting your phone and installing a 3rd party Android build ( such as LineageOS ) goes

    • Re:Hurray!! (Score:4, Informative)

      by triffid_98 ( 899609 ) on Wednesday September 06, 2017 @10:07AM (#55147527)
      Sadly it does not...

      "A successful exploit first needs to have the root privilege of the device (e.g., exploit another vulnerability)"
    • Fortunately, Android is built on open source foundations, so Google must publish the source and a build chain.

      No, it isn't.

      AOSP is open and free. Android is closed and not free.
      Further, Android being 100% secure won't fix this. This is an issue similar to Intel's fuck up with AMT. AMD uses ARM TrustZone bits in their processors as well. AMD calls it the PSP.

      As an end user, the only thing you should trust is the fact that your device is vulnerable and the powers that be know about it (and likely put the vulnerabilities there in the first place). Because fuck you.

  • by jabberw0k ( 62554 ) on Wednesday September 06, 2017 @10:18AM (#55147573) Homepage Journal
    Anyone who uses one of these devices -- designed from the get-go to spy on the user -- is a patsy, a mark, a fool. Free software, and free hardware, exists for a reason. Think about it.
  • by XSportSeeker ( 4641865 ) on Wednesday September 06, 2017 @03:35PM (#55149361)


    "To reproduce the procedure, the steps are as follows:
    1. Root the device.
    2. Remount the file system that contains the trustlets (e.g., “mount -o rw,remount /system”).
    3. Replace the current trustlets with the corresponding (vulnerable) ones from an
    older-version image.
    4. Use the device as normal."
