
Private Key Extraction from Qualcomm Hardware-Backed Keystores

source link: https://www.tuicool.com/articles/hit/qaq6Nvy

Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores

Vendor: Qualcomm
Vendor URL: https://www.qualcomm.com/
Systems Affected: Listed here: https://www.qualcomm.com/company/product-security/bulletins#_CVE-2018-11976
Author: Keegan Ryan 
CVE Identifier: CVE-2018-11976
Risk: Critical (Key extraction from secure world to normal world possible)

Summary

A side-channel attack can extract private keys from certain versions of Qualcomm's secure keystore. Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware. On some devices, Qualcomm's TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224-bit and 256-bit ECDSA keys. We demonstrate this by extracting an ECDSA P-256 private key from the hardware-backed keystore on the Nexus 5X.

More details are available in our paper.

Location

Elliptic curve point multiplication in Qualcomm's QSEE code.

Impact

It is possible to extract certain ECDSA keys from the hardware-backed keystore. This could affect application developers who rely on the extraction-prevention of the keystore when authenticating a user on a particular device.

Details

Qualcomm's ECDSA implementation leaks sensitive data from the secure world to the normal world, enabling recovery of private keys. This should not be possible, since the hardware-backed keystore is supposed to prevent any sort of key extraction, even against an attacker who has fully compromised the Android OS.

Hardware-backed keystores often rely on ARM TrustZone for these protections. TrustZone splits execution on many cell phones and embedded devices into a secure world and a normal world; highly-sensitive data and code can be placed within a Trusted Execution Environment (TEE) in the secure world, and everything else, like the Android OS, can be run within the normal world. Even if an attacker exploits the normal world, the secrets remain safe in the secure world.

However, the two worlds often share the same microarchitectural structures, making side-channel attacks possible. We previously discussed how to perform side-channel attacks on TrustZone TEEs at 34C3 and released Cachegrab, an open-source tool for these attacks. These attacks target both the memory caches and the branch predictor, and they reveal control-flow and data-flow information with greater temporal and spatial resolution and less noise than previous methods.

These techniques can be used to exploit the ECDSA signing in QSEE, Qualcomm's TEE implementation. Using Cachegrab, we can capture side-channel data that reveals the overall structure of Qualcomm's ECDSA implementation.


Most of the ECDSA signing is spent in a multiplication loop which processes a per-signature nonce. If an attacker can recover just a few bits of information about this nonce, they can use existing analysis techniques to recover the full private key, successfully extracting it from the device.

We found two locations in the multiplication algorithm which leak information about the nonce. The first location is a table lookup operation, and the second is a conditional subtraction based on the last bit of the nonce. Both of these locations contain countermeasures against side-channel attacks, but due to the spatial and temporal resolution of our microarchitectural attacks, it is possible to overcome these countermeasures and distinguish a few bits of the nonce.
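The two operation classes named above, a table lookup and a conditional subtraction on a secret bit, are shown here as an added illustration that is not Qualcomm's QSEE code (which does not appear on this page). Each leaky form sits beside a form whose memory accesses and branches do not depend on the secret; `elem_t`, `LIMBS`, `TABLE_SIZE` and all function names are hypothetical, and the table contents are constructed.

```c
#include <stdint.h>
#include <string.h>

#define LIMBS 8        /* 8 x 32-bit limbs = 256 bits (constructed layout) */
#define TABLE_SIZE 16  /* hypothetical precomputed-table size */
typedef struct { uint32_t w[LIMBS]; } elem_t;

/* Leaky: the address read depends on the secret index, so the cache
 * line that gets touched reveals bits of idx. */
void lookup_leaky(elem_t *out, const elem_t *table, uint32_t idx) { *out = table[idx]; }

/* Hardened: read every entry and keep the wanted one with a mask, so the
 * memory access pattern is the same for every idx. */
void lookup_ct(elem_t *out, const elem_t *table, uint32_t idx) {
    memset(out, 0, sizeof *out);
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        /* mask = 0xFFFFFFFF when i == idx, else 0, computed without a branch */
        uint32_t mask = (uint32_t)(((uint64_t)(i ^ idx) - 1) >> 32);
        for (size_t j = 0; j < LIMBS; j++) out->w[j] |= table[i].w[j] & mask;
    }
}

/* Hardened: always run the subtraction and mask the subtrahend with the secret
 * bit, so control flow is identical for bit 0 and 1. Returns the final borrow. */
uint32_t cond_sub_ct(elem_t *r, const elem_t *a, const elem_t *b, uint32_t bit) {
    uint32_t mask = (uint32_t)0 - (bit & 1);  /* 0 or 0xFFFFFFFF */
    uint64_t borrow = 0;
    for (size_t j = 0; j < LIMBS; j++) {
        uint64_t d = (uint64_t)a->w[j] - (b->w[j] & mask) - borrow;
        r->w[j] = (uint32_t)d;
        borrow = d >> 63;  /* 1 if this limb wrapped below zero */
    }
    return (uint32_t)borrow;
}

/* Leaky: branching on the secret bit leaves a trace in the branch predictor. */
uint32_t cond_sub_leaky(elem_t *r, const elem_t *a, const elem_t *b, uint32_t bit) {
    if (bit & 1) return cond_sub_ct(r, a, b, 1);
    *r = *a;
    return 0;
}

int main(void) {
    elem_t t[TABLE_SIZE] = {{{0}}}, x, y;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) t[i].w[0] = i + 1;  /* constructed */
    lookup_leaky(&x, t, 5); lookup_ct(&y, t, 5);
    return memcmp(&x, &y, sizeof x) != 0;  /* 0 when both forms agree */
}
```

A compiler can turn masked selects back into branches, so the generated assembly of such routines needs checking on the target toolchain.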


These few bits are enough to recover 256-bit ECDSA keys. To prove that this is a viable attack, we demonstrate the full exploit against an unknown P-256 key in the hardware-backed keystore of the Nexus 5X.

A full explanation of the vulnerability, our methods, and the exploitation can be found in our new paper.

Recommendation

Qualcomm has already designed and distributed a patch to address this issue. Ensure that your devices are running the most recent firmware version.

Android developers who use the keystore in their applications can also take advantage of the user authentication requirements and key attestation offered by the keystore. These defense-in-depth mitigations increase the complexity of compromising keystore keys, making difficult-to-perform side-channel attacks even more challenging to pull off.

Vendor Communication

  • March 19, 2018: Contact Qualcomm Product Security with issue; receive confirmation of receipt
  • April, 2018: Request update on analysis of issue
  • May, 2018: Qualcomm confirms the issue and begins working on a fix
  • July, 2018: Request update on the fix; Qualcomm responds that the fix is undergoing internal review
  • November, 2018: Request update on the timeline for disclosure; Qualcomm responds that customers have been notified in October, beginning a six-month carrier recertification process. Agree to April 2019 disclosure date.
  • March, 2019: Discuss publication plans for April 23
  • April, 2019: Share draft of paper with Qualcomm
  • April 23, 2019: Public Disclosure

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: 23 April 2019

