Attacking Your Trusted Core: Exploiting TrustZone on Android

by Di Shen
Sept. 18, 2017 | Black Hat | posted by belen_caty | Pen Testing & Audits

For years, fingerprint scanning has been supported in many Android devices. Fingerprint scanning on ARM always needs an implementation of TrustZone. While we enjoy unlocking devices and paying by fingerprint, we also find that these new features bring out some new attack surfaces. Attacking the kernel of Android or the secure world of TrustZone may not be impossible. In this talk, I'll show how to analyze the TEE architecture of Huawei HiSilicon and find some new vulnerabilities in such an undocumented black hole. Then, I'll talk about exploit development in TrustZone. I exploited two bugs: one for rooting Android's normal world and disabling the newest SE for Android, the other for running shellcode in the secure world. With these exploits, we can get the fingerprint image or bypass some other security features.

Steven Ulm 8 months, 1 week ago

Even if, as an Android user, fingerprint-based security is more 21st-century-like, I still prefer the old-school 6 (or 8!) digit PIN code. Brings me more peace of mind. Interesting article!