26 April 19, 12:43
(This post was last modified: 26 April 19, 12:43 by silversurfer.)
Quote:A side-channel attack in Qualcomm technology, which is used by most modern Android devices, could allow an attacker to snatch private keys.
Researchers have uncovered a side-channel attack that enables a bad actor to extract sensitive data from Qualcomm’s secure keystore. The critical flaw impacts most modern Android devices that use Qualcomm chips.
The issue stems from an issue in Qualcomm technology, dubbed the Qualcomm Secure Execution Environment (QSEE), designed to guard cryptographic keys on devices. As a result of exploiting the flaw, attackers can pluck “sensitive data,” including private encryption keys, passwords and more, from Qualcomm-powered devices.
“Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware,” according to NCC Group consultant Keegan Ryan, who discovered the attack, in a Tuesday post. “On some devices, Qualcomm’s TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA [Elliptic Curve Digital Signature Algorithm] keys.”
SOURCE: https://threatpost.com/qualcomm-critical...id/144112/
![[-]](https://www.geeks.fyi/images/collapse.png)
