Conversation

If you are curious how all this thing works, check out this wiki page for a brief intro. en.wikipedia.org/wiki/Trusted_e As I said, if you manage to break into TEE, publish a paper, be famous (academically), and enjoy the bounty money 😉

Quote Tweet

John Wu

@topjohnwu

Mar 11, 2020

To hack this thing, you have to either find a vulnerability in TEE firmware (which will be patched ASAP once found) or hardware (less likely to happen) to break the cryptography. Breaking TEE won't be easy, which is why many security researchers are actively working on it.

Show this thread

118

Replying to

The bounty money is quite good, too. Up to $250K for RCE in the Pixel TEE, and up to $1M for the Titan M. As the author of keymaster and owner of keystore attestation, I strongly encourage everyone to find the vulns and collect the bounties! So we can fix the vulns, of course.

Replying to

and

If I'm not mistaken, Safetynet's security relies on all the ecosystem's TEE safety, not just Pixels. Once one is broken, everyone using Magisk (or whatever) can jump on this private key+fp. And from my lengthy experience, Android doesn't spend time towards its ecosystem's safety.

Replying to

and

pointed out, can't those keys just be revoked?

Replying to

Of course, but will Google actually revoke them? Say you have a security flaw in Qualcomm's bootloader, will Google revoke every single Qualcomm device? When (not if.) that happen, will they close their money-maker Google Pay to 100M+ customers?

Replying to

Yes, we will revoke them. If the keys are leaked, we'll revoke them. If the firmware has an unrecoverable flaw, we'll revoke them. If the firmware has a flaw that can be fixed via OTA, we'll analyze the situation to decide if that is adequate.

Replying to

fredericb.info/2020/06/exynos claims they have access to Galaxy S8's Secure World, which launched with Nougat, so I guess it has key attestation? Has it been revoked yet?

fredericb.info

exynos-usbdl : unsigned code loader for Exynos BootROM

In previous posts, we explained how to dump Exynos bootROM and reverse its USB stack. These efforts led to the discovery of a bug in the USB stack that can be exploited to run arbitrary code. The...

Replying to

AFAIK, there's no evidence of a practical method to extract the private attestation key, or subvert attestation. It seems likely that those things could be done, but I don't think they have been done.

Replying to

Keep in mind that the goal of attestation is to provide a commercially-useful signal of integrity, not an absolute guarantee -- which would be impossible.

Replying to

It's also possible to use hardware-based attestation with a different approach like the Auditor app (attestation.app/about) where leaks of batch keys from other devices don't impact anything but the weak initial verification. It only aims to detect compromise after that point.

attestation.app

Auditor overview

Overview of the Auditor Android app and associated service.

11:27 PM · Jul 2, 2020Twitter Web App

Replying to

SafetyNet attestation has a more specific purpose than the lower-level API. It needs compatibility across an enormous range of devices and can't do pairing. If apps want something more they can use the lower-level API themselves. There are ways it could be made better though.

Replying to

Such as if for a newer attestation version, intermediates had a field added scoping them to specific brands or device models so that leaked batch keys for most other devices would be signed with an invalid intermediate for the brand/model. I'd rather have better pairing though.