Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics

The presentation discusses an attack on the logical APDU interface of the secure element chip in Galaxy S20 models, which can be remotely exploited. The attack involves breaking the rich execution environment and gaining access to the salt and challenge to perform a brute force attack on the user credentials. The secure element chip is a black box chip with limited memory and is designed to protect sensitive key material. The presentation suggests investigating and reverse engineering the processes talking to the secure element chip to develop code and communicate with it.

• Attack on the logical APDU interface of the secure element chip in Galaxy S20 models
• Remote exploitation of the attack
• Breaking the rich execution environment to gain access to the salt and challenge for a brute force attack on user credentials
• Limited memory and design of the secure element chip to protect sensitive key material
• Investigating and reverse engineering the processes talking to the secure element chip to develop code and communicate with it

The presentation explains that the attack involves breaking the rich execution environment and gaining access to the salt and challenge to perform a brute force attack on the user credentials. The secure element chip is designed to protect sensitive key material and is a black box chip with limited memory. The presenter suggests investigating and reverse engineering the processes talking to the secure element chip to develop code and communicate with it. This can be done by replacing the Herman's demon process with a chip breaker tool to make it easier to develop code. However, the lack of information leak back from the secure element chip is a deal breaker for the attack as no logs, debug, or crashes are received.

Hardware security modules in the form of Embedded Secure Element (eSE) hardware have been introduced in mobile phones, with a view towards increasing the security of critical system features and encrypted user data. On Android, this concept goes under names like "strongbox" and "tamper resistant hardware" (TRH).The eSE is designed to remain secure even if the rest of the system is compromised, and to withstand both logical and physical attacks, including side channel attacks.We present how we adapted current state-of-the-art attacks to the eSE platform and present a remote attack on a Common Criteria EAL 5+ (AVA_VAN.5) certified eSE by Samsung, S3K250AF, introduced in their premium mobile models with the Exynos chipset (Galaxy S20 and Note 20). We show how we discovered a critical 0-day vulnerability that can be exploited, leading to a complete compromise of all the eSE security goals and a full loss of future eSE trust, as mitigation of our attack in already fielded devices is challenging, as we exposed the embedded AES key used for encrypted FW updates.Our eSE attack is performed using the eSE logical APDU communication and can be performed remotely by an attacker with root access in the Rich Execution Environment (REE). Current research is ongoing, to remove this rooted REE constraint, e.g. by doing a chip-off/on attack on the eSE and performing brute force using a Rubber Ducky or similar.The ultimate result of our research facilitates digital forensic acquisition of affected devices in before-first-unlock (BFU) state, and we demonstrate how to conduct off-device brute force of user screen lock credentials.Our attack exposes the gap between intended/promoted and achieved security, undermining the needed trust in certifications.The vulnerability is patched (CVE-2020-28341 / SVE-2020-18632).