A number of Qualcomm chipsets found in mobile devices such as phones and tablets are vulnerable to a complex side-channel attack that can be used to extract the private key from the hardware keystore.
The attack relies on the fact that the Qualcomm implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) leaks some sensitive information from the secure portion of the chip to a non-secure area. The hardware-based keystore in the affected chips is designed to prevent key extraction, even if the device is completely compromised by an attacker, but researchers at NCC Group discovered that in some cases an attacker could recover enough information from the leaks to recover 224-bit and 256-bit private keys.
The vulnerability affects the Qualcomm Secure Execution Environment (QSEE) on a large number of chipsets. Qualcomm released a fix for the weakness and distributed it to device manufacturers.
“Hardware-backed keystores often rely on ARM TrustZone for these protections. TrustZone splits execution on many cell phones and embedded devices into a secure world and a normal world; highly-sensitive data and code can be placed within a Trusted Execution Environment (TEE) in the secure world, and everything else, like the Android OS, can be run within the normal world. Even if an attacker exploits the normal world, the secrets remain safe in the secure world,” the NCC Group advisory says.
“However, the two worlds often share the same microarchitectural structures, making side-channel attacks possible.”
Researcher Keegan Ryan of NCC Group discovered the vulnerability and developed the technique for exploiting it to extract private keys. He implemented the attack against an LG Nexus 5X handset, an older phone released in 2016, and in his implementation he worked under the assumption that the attacker had already compromised the non-secure portion of the Android kernel. Ryan used a custom tool he developed called Cachegrab that is designed specifically for cache attacks against ARM processors. Ryan said the attack took about 14 hours from start to finish.
“It involves querying the hardware-backed keystore about 12,000 times. It may be possible to reduce these numbers with more efficient attack and analysis algorithms, however this is already well within the range of being a practical attack. The attack is sophisticated in that it requires a high level of understanding about side-channel attacks, but it does not require any expensive or specialized hardware to perform,” Ryan said via email.
Side-channel attacks are specialized attacks that require an adversary to glean information from the way a system is implemented or how different parts of a system interact with each other. There are many different varieties of side-channel attacks and researchers in recent years have disclosed some serious ones, including the Spectre and Meltdown attacks that affected several chipsets. The attack that Ryan and his colleagues at NCC Group developed against the Qualcomm chips is different, but concerning in its own right.
“Most of the ECDSA signing is spent in a multiplication loop which processes a per-signature nonce. If an attacker can recover just a few bits of information about this nonce, they can use existing analysis techniques to recover the full private key, successfully extracting it from the device,” the advisory says.
“We found two locations in the multiplication algorithm which leak information about the nonce. The first location is a table lookup operation, and the second is a conditional subtraction based on the last bit of the nonce. Both of these locations contain countermeasures against side-channel attacks, but due to the spatial and temporal resolution of our microarchitectural attacks, it is possible to overcome these countermeasures and distinguish a few bits of the nonce.”
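The two leak sites the advisory names, a nonce-indexed table lookup and a nonce-dependent conditional subtraction, are the classic places where a scalar multiplier exposes nonce bits to cache and branch side channels. The toy C below is an added illustration, not Qualcomm's or NCC Group's code: it shows each pattern in its leaky form next to a masked, branch-free form that touches every table entry and never branches on the nonce bit; the table contents are constructed sample values, not curve points.

```c
#include <stdint.h>

#define TABLE_SIZE 16u  /* 4-bit window table, as in a windowed multiplier */

/* Constructed sample table contents (not real precomputed curve points). */
static const uint32_t SAMPLE_TABLE[TABLE_SIZE] = {
    11, 22, 33, 44, 55, 66, 77, 88, 99, 110, 121, 132, 143, 154, 165, 176
};

/* Leaky lookup: the cache line touched reveals the secret window index. */
static uint32_t leaky_table_lookup(const uint32_t *table, unsigned idx) {
    return table[idx];
}

/* Constant-time lookup: read every entry, keep the wanted one via a mask,
 * so the memory access pattern is the same for every index. */
static uint32_t ct_table_lookup(const uint32_t *table, unsigned idx) {
    uint32_t result = 0;
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        uint32_t diff = (uint32_t)i ^ (uint32_t)idx;
        /* is_zero is 1 iff diff == 0, taken from the borrow of diff - 1 */
        uint32_t is_zero = (uint32_t)(((uint64_t)diff - 1u) >> 32) & 1u;
        uint32_t mask = 0u - is_zero;   /* all ones iff i == idx */
        result |= table[i] & mask;
    }
    return result;
}

/* Leaky conditional subtraction: the branch taken reveals the nonce bit. */
static uint32_t leaky_cond_sub(uint32_t x, uint32_t m, unsigned bit) {
    return (bit & 1u) ? x - m : x;
}

/* Constant-time version: identical instruction stream whatever the bit is. */
static uint32_t ct_cond_sub(uint32_t x, uint32_t m, unsigned bit) {
    uint32_t mask = 0u - (uint32_t)(bit & 1u);  /* all ones iff bit is set */
    return x - (m & mask);
}

/* Sanity check: the masked lookup returns the same value as the plain one. */
static int ct_lookups_agree(void) {
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        if (ct_table_lookup(SAMPLE_TABLE, i) != leaky_table_lookup(SAMPLE_TABLE, i)) return 0;
    }
    return 1;
}
```

Masking at the source level is necessary but not sufficient: a compiler may turn the mask arithmetic back into a branch, so production TEE code is checked at the generated-assembly level, and the advisory notes that even existing countermeasures fell to attacks with enough spatial and temporal resolution.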
The practical effects of this vulnerability for device owners are difficult to measure. Qualcomm has released its patch, but the device manufacturers must push the updated firmware to carriers, who then deliver it to individual owners. This is a long process in the Android ecosystem, and some carriers choose not to deliver updates, especially for older devices.
Ryan said that the attack he and his colleagues developed didn’t require much in the way of specialized equipment, just a significant amount of time. That means it could be within reach of cybercrime groups, although they have much simpler attack methods at their disposal.
“All of the information the NCC Group Research Team used about side-channel attacks is publicly available in published papers. The largest cost involved was buying a phone to test it on. Aside from a substantial amount of time investment to learn and develop these attacks, the economic barrier to entry is very low,” he said.
“However, criminal groups are ultimately going to use the easiest method that provides them access to the information they want. This often includes finding unpatched systems, exploiting systems and applications that employ weak passwords, and mounting social engineering or phishing campaigns.”
CC By 2.0 license photo from Karlis Dambrans.