Recently, Check Point researchers analyze a vulnerability (CVE-2019-10574) discovered in the Qualcomm Trusted Execution Environment (TEE) for Android devices.
An attacker could exploit this vulnerability to obtain sensitive device information. It is understood that this vulnerability exists in the way that Qualcomm implements TEE based on ARM TrustZone, which may cause problems such as protected data leakage, device rooting, boot loader unlocking, and execution of undetectable APT.
ARM TrustZone is an integral part of all modern mobile devices. As seen on Android-based Nexus/Pixel phones, TrustZone components are integrated in bootloader, radio, vendor and system Android images.
These are the most popular commercial implementations of the Trusted Execution Environment (TEE) for mobile devices backed by ARM hardware-based access control:
- Qualcomm’s Secure Execution Environment (QSEE), used on Pixel, LG, Xiaomi, Sony, HTC, OnePlus, Samsung and many other devices.
- Trustronic’s Kinibi, used on Samsung devices for the Europe and Asia markets.
- HiSilicon’s Trusted Core, used on most Huawei devices.
This vulnerability has now been fixed. A Qualcomm spokesperson said that providing technology that supports strong security and privacy is a top priority for Qualcomm. The vulnerability announced by Check Point has been patched, and users are advised to download the patch in time to avoid attack!