Conversation

If you are curious how all of this works, check out this wiki page for a brief intro. en.wikipedia.org/wiki/Trusted_e As I said, if you manage to break into TEE, publish a paper, be famous (academically), and enjoy the bounty money 😉
Quote Tweet
To hack this thing, you have to either find a vulnerability in TEE firmware (which will be patched ASAP once found) or hardware (less likely to happen) to break the cryptography. Breaking TEE won't be easy, which is why many security researchers are actively working on it.
The bounty money is quite good, too. Up to $250K for RCE in the Pixel TEE, and up to $1M for the Titan M. As the author of keymaster and owner of keystore attestation, I strongly encourage everyone to find the vulns and collect the bounties! So we can fix the vulns, of course.
If I'm not mistaken, SafetyNet's security relies on all the ecosystem's TEE safety, not just Pixels. Once one is broken, everyone using Magisk (or whatever) can jump on this private key+fp. And from my lengthy experience, Android doesn't spend time on its ecosystem's safety.
For context, this is the thread: twitter.com/DanielMicay/st The way SafetyNet uses key attestation isn't really compatible with a high level of security. It's useful for anti-cheat and fighting fraud at scale, but pairing is needed to actually achieve a good level of security.
Quote Tweet
Replying to @DanielMicay @topjohnwu and @reyammer
SafetyNet attestation isn't a particularly strong use of key attestation. It performs validation of a massive number of devices at scale, without any kind of pairing in advance. That means they depend on verifying devices via the root certificate, which isn't high assurance.
I never said that SafetyNet was using the revocation system and I never implied that it was much of a solution to the issues with relying on the root of trust. I was really saying the opposite: that pairing is needed to build anything with a strong level of security from this.
Auditor and attestation.app use a Trust On First Use system based on pairing with a hardware-backed key and pinning the attestation certificate chain. They do validate the certificate chain, but they mostly rely on pinning the batch key, and the ideal would be an app key.
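The difference between the two trust policies discussed in this thread (accepting any attestation chain that terminates in the root certificate, versus pairing with a device and pinning the batch key and the device's own attestation key) is easier to see as code. The following is an added, constructed model of the policy layer only; it is not Auditor's or attestation.app's code. Certificates are represented by SHA-256 fingerprints of labels, and signature and validity checks on the chain are assumed to have already been done by an X.509 library, so the names `ROOT`, `BATCH_A`, `BATCH_B`, `chain`, `root_only`, `pinned_batch` and `TofuVerifier` are all assumptions of this example:

```python
import hashlib

# Constructed fingerprints: sha256 of a label stands in for the hash of a
# certificate's public key. Real chains would be parsed and signature-checked
# by an X.509 library; this models only the trust decision made afterwards.
def fp(label: str) -> str:
    return hashlib.sha256(label.encode()).hexdigest()

ROOT = fp("attestation-root")          # the vendor root every device chains to
BATCH_A = fp("batch-key-A")            # one batch key, shared by many devices
BATCH_B = fp("batch-key-B")            # another batch key under the same root
TRUSTED_ROOTS = {ROOT}

def chain(device_key_label: str, batch: str) -> list[str]:
    """[leaf, batch, intermediate, root]: the leaf is the device's own
    hardware-backed attestation key, signed by a batch key, up to the root."""
    return [fp(device_key_label), batch, fp("intermediate"), ROOT]

def root_only(chain: list[str]) -> bool:
    """Root-only policy: any chain ending in a trusted root is accepted, so
    every device under every batch key passes. Scales, but low assurance."""
    return chain[-1] in TRUSTED_ROOTS

def pinned_batch(chain: list[str], pinned: set[str]) -> bool:
    """Additionally require the batch key to be one the verifier has pinned."""
    return root_only(chain) and chain[1] in pinned

class TofuVerifier:
    """Pairing-based policy: pin the batch key, and on first contact record
    the device's own leaf key; every later attestation must match both."""

    def __init__(self, pinned_batches: set[str]):
        self.pinned_batches = set(pinned_batches)
        self.paired: dict[str, str] = {}   # device_id -> leaf fingerprint

    def verify(self, device_id: str, chain: list[str]) -> str:
        if not pinned_batch(chain, self.pinned_batches):
            return "reject: chain not under a pinned batch key"
        leaf = chain[0]
        if device_id not in self.paired:
            self.paired[device_id] = leaf   # trust on first use
            return "paired"
        if self.paired[device_id] != leaf:
            return "reject: attestation key changed since pairing"
        return "ok"

if __name__ == "__main__":
    v = TofuVerifier({BATCH_A})
    dev1 = chain("device-1-key", BATCH_A)
    print("root-only accepts device under batch B:", root_only(chain("x", BATCH_B)))
    print("pinned-batch accepts device under batch B:", pinned_batch(chain("x", BATCH_B), {BATCH_A}))
    print("first contact:", v.verify("device-1", dev1))
    print("same key again:", v.verify("device-1", dev1))
    print("different key, same id:", v.verify("device-1", chain("other-key", BATCH_A)))
```

The root-only check accepts a chain under any batch key the root has ever signed, which is the "verifying devices via the root certificate" property the thread calls low assurance. The paired verifier narrows trust to the pinned batch key and then to the single device key recorded at pairing, so a valid chain from some other device, or a changed key for a known device, is refused.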