Qualcomm Secure World Mobile Vault is vulnerable to Cyber Attacks

    All these days we believed that Qualcomm’s Secure World virtual processor was security-wise invincible as the silicon wafer manufacturer trumpeted that its so-called secure technology was impossible to infiltrate and would never allow access to the contents stored in it.

    Nevertheless, researchers from Check Point have proved that hackers might use sophistication to access sensitive data from the Secure World Safe Compartment- which could trigger mobile security troubles as it could leak sensitive financial info to hackers.

    Technically speaking, Secure World is a trusted zone in ARM Architecture which is backed by Trusted Execution Environment(TEE) hardware. This involves the presence of a virtual processor that allows access to trusted apps and bars those who do not have access to the device hardware keys.

    However, a 4-month long study conducted by Checkpoint says that there are ways to reverse the Secure World operating system which could uncover coding or programming errors leading to ways to bypass the security protections.

    Although, Qualcomm claims that it’s not that easy to directly patch TrustZone Components as it is protected by verification algorithm called Block Signatures. Researchers say that it’s easy to tamper the code and rewrite the hash block signatures which could trigger exploits. And to prove it the researchers used a CPU Emulator and a fuzzing tool on a Nexus 6 devices running on an Android 7.1.2 Operating system to exploit the vulnerability.

    As the testing tools were used on Samsung, LG and Motorola devices, it was disclosed that Samsung devices running on Qualcomm processors contained 4 trusted code vulnerabilities while Motorola and LG contained one each.

    The US Chipmakers claim that its aware of the issue and revealed that Samsung has self-addressed the issue by issuing a fix to 3 vulnerabilities while LG and Motorola are yet to address them.

    Naveen Goud
    Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security

    No posts to display