Conversation

If you are curious how all this thing works, check out this wiki page for a brief intro. en.wikipedia.org/wiki/Trusted_e As I said, if you manage to break into TEE, publish a paper, be famous (academically), and enjoy the bounty money 😉

Quote Tweet

John Wu

@topjohnwu

Mar 11, 2020

To hack this thing, you have to either find a vulnerability in TEE firmware (which will be patched ASAP once found) or hardware (less likely to happen) to break the cryptography. Breaking TEE won't be easy, which is why many security researchers are actively working on it.

Show this thread

118

Replying to

The bounty money is quite good, too. Up to $250K for RCE in the Pixel TEE, and up to $1M for the Titan M. As the author of keymaster and owner of keystore attestation, I strongly encourage everyone to find the vulns and collect the bounties! So we can fix the vulns, of course.

Replying to

and

If I'm not mistaken, Safetynet's security relies on all the ecosystem's TEE safety, not just Pixels. Once one is broken, everyone using Magisk (or whatever) can jump on this private key+fp. And from my lengthy experience, Android doesn't spend time towards its ecosystem's safety.

Replying to

and

pointed out, can't those keys just be revoked?

Replying to

Of course, but will Google actually revoke them? Say you have a security flaw in Qualcomm's bootloader, will Google revoke every single Qualcomm device? When (not if.) that happen, will they close their money-maker Google Pay to 100M+ customers?

Replying to

Yes, we will revoke them. If the keys are leaked, we'll revoke them. If the firmware has an unrecoverable flaw, we'll revoke them. If the firmware has a flaw that can be fixed via OTA, we'll analyze the situation to decide if that is adequate.

Replying to

So, considering the current revocation list, you haven't found a single OEM who shipped devices without hardware secure boot in three years?

Replying to

We don't test devices; the device makers run the tests and certify compliance. We effectively rely on the security research community to identify cheaters. Note that there have been a few revocations. I expect there are far more that need to be revoked, but don't know which.

Replying to

Just thought I'd mention, the OnePlus 6 among other OnePlus devices also ship with a broken TEE implementation. Bootloader unlocked devices do not fail CTS, and a testing app that was made completely fails to list any information regarding attestation, keymaster, AVB or ROT.

Replying to

github.com/GrapheneOS/Att is a key attestation sample submitted from a OnePlus 6 variant. SafetyNet doesn't test if devices pass the CTS, just whether they appear to match the profile of one known to pass. They haven't made key attestation into a hard requirement for SafetyNet.

github.com

AttestationSamples/filtered.prop at main · GrapheneOS/AttestationSamples

A small subset of the submitted sample data from https://github.com/GrapheneOS/Auditor. It has a sample attestation certificate chain per device model (ro.product.model) along with a subset of the ...

7:30 AM · Mar 13, 2020Twitter Web App

Replying to

SafetyNet beginning to make basic usage of key attestation isn't universal, since devices without it still pass. That's still essentially a soft failure and they aren't necessarily using it on every device where key attestation is available. Not sure why it took so long either.