Researchers devised a new side-channel attack in Qualcomm technology, widely used by most Android smartphones, that could expose private keys.

Researchers have uncovered a new side-channel attack that could be exploited by attackers to extract sensitive data, including private keys and passwords, from the Qualcomm secure keystore. The attack potentially impacts most modern Android devices that use Qualcomm chips, including popular Snapdragon models 820, 835, 845 and 855.

The attack leverages a flaw in the Qualcomm Secure Execution Environment (QSEE), which is designed to securely store cryptographic keys on devices.

“A side-channel attack can extract private keys from certain versions of Qualcomm’s secure keystore. Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware,” reads a blog post published by NCC Group. “On some devices, Qualcomm’s TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA keys.”

According to NCC, hardware-backed keystores rely on ARM TrustZone to protect sensitive data. On many devices, TrustZone splits execution into a secure world (used to manage sensitive data) and a normal world (used by processes of the Android OS). Experts pointed out that the two worlds share the same underlying microarchitectural structures, meaning an attacker could carry out a side-channel attack to access protected memory.

The experts used a memory cache analyzer called Cachegrab to carry out side-channel attacks on TrustZone. They tested a rooted Nexus 5X device using the Qualcomm Snapdragon 808 and discovered that the QSEE was leaking data that could be used to recover 256-bit ECDSA keys. The attacker must have root access to the device to launch the attack.

Qualcomm has released a security patch to address the flaw, tracked as CVE-2018-11976, while Android disclosed a patch for the flaw in its April update.

Below is the timeline of the flaw:

- March 19, 2018: Contact Qualcomm Product Security with issue; receive confirmation of receipt
- April, 2018: Request update on analysis of issue
- May, 2018: Qualcomm confirms the issue and begins working on a fix
- July, 2018: Request update on the fix; Qualcomm responds that the fix is undergoing internal review
- November, 2018: Request update on the timeline for disclosure; Qualcomm responds that customers have been notified in October, beginning a six-month carrier recertification process. Agree to April 2019 disclosure date.
- March, 2019: Discuss publication plans for April 23
- April, 2019: Share draft of paper with Qualcomm
- April 23, 2019: Public Disclosure

“Providing technologies that support robust security and privacy is a priority for Qualcomm,” a Qualcomm spokesperson told Threatpost. “We commend the NCC Group for using responsible disclosure practices surrounding their security research. Qualcomm Technologies issued fixes to OEMs late last year, and we encourage end users to update their devices as patches become available from OEMs.”

Technical details of the vulnerability are available in the paper published by the expert.

Source: https://securityaffairs.co

Google already provides several ways to help you log in to your accounts securely, including two-factor authentication on Android devices, its Titan Security Key dongle, and Google Prompt. The search giant admits, however, that attackers can still use advanced steps like fake login pages to bypass those security methods.

As part of an effort to further beef up your account's security, Google has introduced a new way to let you turn your Android device into a physical security key. That means you don't have to purchase a separate dongle; you only need a phone running Android 7.0 Nougat or later.

To start using this new security feature, sign in to your Google account on your Android phone (if you haven't already). Then open Chrome on your Bluetooth-supported Chrome OS, macOS, or Windows 10 PC and head over to the two-step verification settings, where you'll be asked to click the "Add security key" option. Make sure that Bluetooth is turned on for both your phone and PC before selecting your Android device from the list of available devices.

It's worth noting that the method works like Google Prompt, which relies on an internet-based connection between an Android phone and a Google service. The main difference with the new security feature is that it uses a Bluetooth connection to facilitate a secure login, which means your phone needs to be in proximity to your PC.

For now, the feature is in beta and is available only to Android users who use Chrome. There's no word on whether Google will bring support to web browsers other than Chrome.

Source: neowin