Security
Not To Be Trusted - A Fiasco in Android TEEs
27. Dezember 2025
20:30 – 21:30 In Kalender übernehmen
20:30 – 21:30 In Kalender übernehmen
Fuse
Trusted Execution Environments (TEEs) based on ARM TrustZone form the backbone
of modern Android devices' security architecture. The word "Trusted" in
this context means that **you**, as in "the owner of the device", don't
get to execute code in this execution environment. Even when you unlock
the bootloader and Magisk-root your device, only vendor-signed code will
be accepted by the TEE. This unfortunate setup limits third-party
security research to the observation of input/output behavior and static
manual reverse engineering of TEE components.
In this talk, we take you with us on our journey to regain power over
the highest privilege level on Xiaomi devices. Specifically, we are
targeting the Xiaomi Redmi 11s and will walk through the steps necessary
to escalate our privileges from a rooted user space (N-EL0) to the
highest privilege level in the Secure World (S-EL3). We will revisit old
friends like Trusted Application rollback attacks and GlobalPlatform's
design flaw, and introduce novel findings like the literal fiasco you
can achieve when you're introducing micro kernels without knowing what
you're doing. In detail, we will elaborate on the precise exploitation
steps taken and mitigations overcome at each stage of our exploit chain,
and finally demo our exploits on stage.
Regaining full control over our devices is the first step to deeply
understand popular TEE-protected use cases including, but not limited
to, mobile payment, mobile DRM solutions, and the mechanisms protecting your biometric
authentication data.
We present novel insights into the current state of TEE security on
Android focusing on two widespread issues: missing TA rollback
protection and a type confusion bug arising from the GlobalPlatform TEE
Internal Core API specification.
Our results demonstrate that these issues are so widespread that on most
devices, attackers with code execution at N-EL1 (kernel) have a buffet
of n-days to choose from to achieve code execution at S-EL0 (TA).
Further, we demonstrate how these issues can be weaponized to fully
compromise an Android device. We discuss how we exploit CVE-2023-32835, a
type confusion bug in the keyinstall TA, on a fully updated Xiaomi
Redmi Note 11.
While the keyinstall TA shipped in the newest firmware version is not
vulnerable anymore, the vulnerability remains triggerable due to missing
rollback protections.
To further demonstrate how powerful code execution as a TA is, we'll
exploit a vulnerability in the BeanPod TEE (used on Xiaomi Mediatek
SoCs), to achieve code execution at S-EL3. Full privilege escalations in
the TEE are rarely seen on stage, and we are targeting the BeanPod TEE
which is based on the Fiasco micro kernel. This target has never been
publicly exploited, to the best of our knowledge.
Our work empowers security researchers by demonstrating how to regain control over
vendor-locked TEEs, enabling deeper analysis of critical security
mechanisms like mobile payments, DRM, and biometric authentication.
Weitere Infos
| Live Stream | https://streaming.media.ccc.de/39c3/fuse |
|---|---|
| Format | Talk |
| Sprache | Englisch |
Weitere Sessions
| 27.12.25 |
The Great Firewall of China (GFW) is one of, if not arguably the most advanced Internet censorship systems in the world. Because repressive governments generally do not simply publish their censorship rules, the task of determining exactly what is and isn’t allowed falls upon the censorship measurement community, who run experiments over censored networks. In this talk, we’ll discuss two ways censorship measurement has evolved from passive experimentation to active attacks against the Great ...
|
| 27.12.25 |
Reports of GNSS interference in the Baltic Sea have become almost routine — airplanes losing GPS, ships drifting off course, and timing systems failing. But what happens when a group of engineers decides to build a navigation system that simply *doesn’t care* about the jammer? Since 2017, we’ve been developing **R-Mode**, a terrestrial navigation system that uses existing radio beacons and maritime infrastructure to provide independent positioning — no satellites needed. In this talk, ...
|
| 27.12.25 |
Zwei Jahre nach dem ersten KIM-Vortrag auf dem 37C3: Die gezeigten Schwachstellen wurden inzwischen geschlossen. Weiterhin können mit dem aktuellen KIM 1.5+ nun große Dateien bis 500 MB übertragen werden, das Signaturhandling wurde für die Nutzenden vereinfacht, indem die Detailinformationen der Signatur nicht mehr einsehbar sind. Aber ist das System jetzt sicher oder gibt es neue Probleme?
|
| 27.12.25 |
While trying to apply fault injection to the AMD Platform Security Processor with unusual (self-imposed) requirements/restrictions, it were software bugs which stopped initial glitching attempts. Once discovered, the software bug was used as an entry to explore the target, which in turn lead to uncovering (and exploiting) more and more bugs, ending up in EL3 of the most secure core on the chip. This talk is about the story of trying to glitch the AMD Platform Security Processor, then ...
|
| 27.12.25 |
The Deutschlandticket was the flagship transport policy of the last government, rolled out in an impressive timescale for a political project; but this speed came with a cost - a system ripe for fraud at an industrial scale. German public transport is famously decentralised, with thousands of individual companies involved in ticketing and operations. Unifying all of these under one national, secure, system has proven a challenge too far for politicians. The end result: losses in the hundreds of ...
|
| 27.12.25 |
In August 2024, Raspberry Pi released their newest MCU: The RP2350. Alongside the chip, they also released the RP2350 Hacking Challenge: A public call to break the secure boot implementation of the RP2350. This challenge concluded in January 2025 and led to five exciting attacks discovered by different individuals. In this talk, we will provide a technical deep dive in the RP2350 security architecture and highlight the different attacks. Afterwards, we talk about two of the breaks in ...
|
| 27.12.25 |
FreeBSD’s jail mechanism promises strong isolation—but how strong is it really? In this talk, we explore what it takes to escape a compromised FreeBSD jail by auditing the kernel’s attack surface, identifying dozens of vulnerabilities across exposed subsystems, and developing practical proof-of-concept exploits. We’ll share our findings, demo some real escapes, and discuss what they reveal about the challenges of maintaining robust OS isolation.
|
