Delving into the Android OS/Qualcomm vulnerability (Includes interview)

The affected part of the Android OS is said to be Qualcomm’s TrustZone, which stores the phone’s most sensitive information. This came to light after the firm Check Point claimed to have hacked into the TrustZone on certain Android devices.

Speaking with Forbes, Yaniv Balmas, Check Point’s head of cyber research, says that “TrustZone holds all your secrets—fingerprints, facial recognition, credit cards, passports, whatever secrets you can think of, these things are stored in TrustZone.”

In response, a Qualcomm Spokesperson has told Digital Journal: “Providing technologies that support robust security and privacy is a priority for Qualcomm. The vulnerabilities publicized by Check Point have been patched, one in early October 2019 and the other in November 2014. We have seen no reports of active exploitation, though we encourage end users to update their devices with patches available from OEMs.”

The relevant CVEs/patches are:

CVE-2019-10574, KeyMaster, rated medium, patches sent to OEMs in early Oct 2019 private security bulletin,
CVE-2014-9935, Widevine, rated critical, patches sent to OEMs in Nov 2014.

To understand more about the issue, Digital Journal caught up with John Aisien, CEO of Blue Cedar.

Aisien begins by spelling out what the hardware is intended to do: “Because Android’s OS stores most of a device’s sensitive data (such as fingerprints, facial recognition, credit cards or passport info) on what its security hardware manufacturer, Qualcomm, calls the ‘TrustZone,’ it’s seen as a high-value target for cybercriminals or state actors.”

In terms of the implications of the hack, Aisien explains: “By hacking into an Android device OS, cybercriminals and state actors can gain further access to data stored on the device, including application data. Companies that use applications on such devices to transmit sensitive data like high security locations, industrial plans, sovereign policies, personal health information, etc., could also have their data at risk if the information is encrypted only onto the device’s drive.”

The issues stemming from this are therefore considerable: “This raises state and corporate security concerns, and reaches across sectors, including military and defense sectors, which are critical for geopolitical stability. Device-level security alone just isn’t enough, as this will continue to generate concerns in the coming years, especially as use of these devices to store and compute using sensitive data increases.”

However, the hack itself exposes wider vulnerabilities: “Unfortunately, the initial OS hack would just be the tip of the iceberg. OS-level vulnerabilities open up doors to damage beyond the initial hack and render the device’s entire application ecosystem at risk to exposure. This is why big names like Microsoft have developed security for mobile apps, not just the device.”

As to what action should be taken, Aisien recommends: “Companies should prioritize application-level security to defend against potentially devastating device-level vulnerabilities like this. If the enterprise’s applications within a compromised phone are protected, your data is far less exposed to risk than if you were only trusting the security that comes with the device.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
