TrustZone downgrade attack

An attacker can downgrade components of the Android TrustZone technology to older versions that feature known vulnerabilities and use older exploits against smartphones running an up-to-date operating system.

According to a team of four computer scientists from the Florida State University and Baidu X-Lab, the problem lies in the design of the ARM TrustZone technology, widely deployed with the vast majority of today's Android devices.

Attack exploits TrustZone design flaw

The ARM TrustZone technology is a System on Chip (SoC) representing a secure area of the main processor included in Android smartphones.

It is a special section of the Android kernel that runs its own operating system — the TrustZone OS — that works separately from the main Android OS.

TrustZone is tasked with creating a secure zone where the Android OS can run the most crucial and sensitive operations, like the ones that handle encrypted data. These operations run as special apps — named trustlets — inside the TrustZone OS.

When TrustZone OS loads a trustlet, it first checks its cryptographic digital signature to see if it is signed by the right party. This integrity check aims at removing the risk of loading tampered trustlets.

TrustZone does not feature version rollback protection

In a paper released this summer, researchers discovered that an attacker could downgrade trustlets to older versions, ones that are vulnerable to various exploits.

"The threat is caused by the fact that the trustlets (trusted applications) lack version rollback prevention, and use the same key pair for different firmware versions," Yue Chen, one of the researchers, told Bleeping Computer via email.

This means attackers can replace new trustlets with older versions of the same trustlet without the TrustZone OS ever noticing the switch, because the cryptographic keys are the same.

Attack successful against most of today's smartphones

The research team proved their attack in tests on devices running the ARM TrustZone technology, such as Samsung Galaxy S7, Huawei Mate 9, Google Nexus 5, and Google Nexus 6.

They replaced updated versions of the Widevine trustlet with an older version that was vulnerable to CVE-2015-6639, a vulnerability in Android's Qualcomm Secure Execution Environment (QSEE) — Qualcomm's name for its ARM TrustZone version that runs on Qualcomm chips. This vulnerability allows attackers root level access to the TrustZone OS, which indirectly grants the attack control over the entire phone.

"As tested, this threat exists in almost all the Android devices on the current market, including Samsung Galaxy S7, Google Pixel, Google Nexus, Huawei Mate 9 (Pro), and their older versions and series," Yue says. "Affected devices also include other smaller phone vendors."

Vulnerability reported and patched

"We have already reported this vulnerability to the affected mobile vendors, and they have integrated patches in their latest updates, as well as fixes for newer device versions," Yue told Bleeping via email.

"To prevent being exploited, it is important for end users to timely update their devices to the latest versions, and apply any available security patches," Yue added.

The researcher also told Bleeping that he is not aware of any large-scale malware-spreading operation using the flaw he described in his team's research.

Attack not easy to exploit

The good news is that exploiting the attack described by Yue et al. is not as easy as it sounds.

"A successful exploit first needs to have the root privilege of the device (e.g.,  exploit another vulnerability), and then use this issue combined with other vulnerabilities to exploit the device," said the researcher.

For technically inclined users, this article is based on research released in July 2017 under the name of "Downgrade Attack on TrustZone." Copies of this paper are available online here and here.

This is not the first major attack on ARM TrustZone. Last year, at the USENIX security conference, researchers detailed the ARMageddon vulnerability, also targeting TrustZone.

Google is well aware of the danger of having TrustZone compromised and the company is currently willing to pay up to $200,000 for a remote exploit chain or exploit leading to a TrustZone or Verified Boot hack.