Home Cyber Attack Qualcomm Chip Vulnerability Could Expose Private Keys For Android Phones
Cyber AttackHacking NewsLatest Cyber Security News | Network Security HackingNewsVulnerabilities

Qualcomm Chip Vulnerability Could Expose Private Keys For Android Phones

by Abeerah Hashim
written by Abeerah Hashim
Qualcomm Lenovo bug fixes

A newly discovered Qualcomm chip vulnerability threatens the security of Android smartphones. Exploiting this flaw could allow an attacker to extract private keys and passwords from the Qualcomm secure keystore.

Qualcomm Chip Vulnerability Discovered

Researchers from NCC Group have recently found a Qualcomm chip vulnerability threatening Android phones. They have shared the details about their findings in a separate report on their site. They shared the technical aspects of their discovery in  their research paper.

Specifically they found a side-channel attack that could allow an attacker to extract data from the Qualcomm secure keystore. This hardware-backed keystore is a feature on most modern Android phones which allows developers to protect their cryptographic keys.

According to their research, the problem lies at the “Elliptic curve point multiplication in Qualcomm’s QSEE code.” Ideally, the Qualcomm’ ECDSA implementation (a NIST-standardized digital signature algorithm) should not leak the stored sensitive data. However, the researchers demonstrated a side-channel attack on the Qualcomm’s TEE (Trusted Execution Environment) via Cachegrab (an open-source attack tool) that revealed the data. They demonstrated a successful extraction of 256-bit private key of the Nexus 5X.

Qualcomm Patched The Flaw

As stated in their blog post, the researchers contacted Qualcomm and informed them of the flaw in March 2018. Qualcomm then began working on a fix, and rolled-out a patch for the customers in October 2018. They have considered it a critical security flaw, assigning it CVE-2018-11976.

After discussion with the vendor, the researchers shared the report publicly in April 2019 with some recommendations for the developers.

“Android developers who use the keystore in their applications can also take advantage of the user authentication requirements and key attestation offered by the keystore. These defense-in-depth mitigations increase the complexity of compromising keystore keys, making difficult-to-perform side-channel attacks even more challenging to pull off.”

Take your time to comment on this article.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites

OWASP Disclosed Data Breach Affecting Old Members

Center Identity Launches Patented Passwordless Authentication for Businesses