The bounty money is quite good, too. Up to $250K for RCE in the Pixel TEE, and up to $1M for the Titan M. As the author of keymaster and owner of keystore attestation, I strongly encourage everyone to find the vulns and collect the bounties!
So we can fix the vulns, of course.
If I'm not mistaken, SafetyNet's security relies on all the ecosystem's TEE safety, not just Pixels. Once one is broken, everyone using Magisk (or whatever) can jump on this private key+fp. And from my lengthy experience, Android doesn't spend time towards its ecosystem's safety.
Of course, but will Google actually revoke them?
Say you have a security flaw in Qualcomm's bootloader, will Google revoke every single Qualcomm device?
When (not if) that happens, will they close their money-maker Google Pay to 100M+ customers?
Yes, we will revoke them. If the keys are leaked, we'll revoke them. If the firmware has an unrecoverable flaw, we'll revoke them. If the firmware has a flaw that can be fixed via OTA, we'll analyze the situation to decide if that is adequate.
fredericb.info/2020/06/exynos claims they have access to Galaxy S8's Secure World, which launched with Nougat, so I guess it has key attestation? Has it been revoked yet?
AFAIK, there's no evidence of a practical method to extract the private attestation key, or subvert attestation. It seems likely that those things could be done, but I don't think they have been done.
Keep in mind that the goal of attestation is to provide a commercially-useful signal of integrity, not an absolute guarantee -- which would be impossible.
It's also possible to use hardware-based attestation with a different approach like the Auditor app (attestation.app/about) where leaks of batch keys from other devices don't impact anything but the weak initial verification. It only aims to detect compromise after that point.
SafetyNet attestation has a more specific purpose than the lower-level API. It needs compatibility across an enormous range of devices and can't do pairing. If apps want something more they can use the lower-level API themselves. There are ways it could be made better though.
Such as if for a newer attestation version, intermediates had a field added scoping them to specific brands or device models so that leaked batch keys for most other devices would be signed with an invalid intermediate for the brand/model. I'd rather have better pairing though.


