Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?

Submission + - TrustZone Downgrade Attack Opens Android Devices to Old Vulnerabilities (

An anonymous reader writes: An attacker can downgrade components of the Android TrustZone technology — a secure section of smartphone CPUs — to older versions that feature known vulnerabilities. The attacker can then use previously published exploit code to attack up-to-date Android OS versions.

The research team proved their attack in tests on devices running the ARM TrustZone technology, such as Samsung Galaxy S7, Huawei Mate 9, Google Nexus 5, and Google Nexus 6. They replaced updated versions of the Widevine trustlet with an older version that was vulnerable to CVE-2015-6639, a vulnerability in Android's Qualcomm Secure Execution Environment (QSEE) — Qualcomm's name for its ARM TrustZone version that runs on Qualcomm chips. This vulnerability allows attackers root level access to the TrustZone OS, which indirectly grants the attack control over the entire phone.

The research paper is available here, and one of the researcher's authors explains the attack chain in an interview here.

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

TrustZone Downgrade Attack Opens Android Devices to Old Vulnerabilities

Comments Filter:

Adding features does not necessarily increase functionality -- it just makes the manuals thicker.