Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design

The presentation discusses the security of keys stored in the Trust Zone of Android devices and the vulnerabilities found in Samsung devices.

• Keys are stored and used inside a secure platform on the Decatur to protect against key extraction and cloning of the token
• Smartphones can be used instead of outside tokens to protect keys
• The attestation property is used to prove to the server that keys are secured inside the Trust Zone and cannot be cloned
• Downgrade attacks can allow extraction of keys and authentication without using the custom
• Samsung devices had vulnerabilities in their implementation of the Trust Zone and encryption of keys
• The Android attestation solution is a good start to improving security
• Misuse-resistant solutions should be used instead of GCM

The researchers found vulnerabilities in Samsung devices and reported them to the company. Samsung initially dismissed the vulnerabilities, but after receiving the full paper, they acknowledged the severity and patched all affected devices. The researchers were able to see the code and patches made by Samsung to fix the vulnerabilities.

ARM-based Android smartphones rely on the TrustZone hardware support for a Trusted Execution Environment (TEE) to implement security-sensitive functions. The TEE runs a separate, isolated, TrustZone Operating System (TZOS), in parallel to Android. The implementation of the cryptographic functions within the TZOS is left to the device vendors, who create proprietary undocumented designs. In this work, we expose the cryptographic design and implementation of Android's Hardware-Backed Keystore in Samsung's Galaxy S8, S9, S10, S20, and S21 flagship devices. We reverse-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate working key extraction attacks on the latest devices. We also show the implications of our attacks on two higher-level cryptographic protocols between the TrustZone and a remote server: we demonstrate a working FIDO2 WebAuthn login bypass and a compromise of Google's Secure Key Import. We discuss multiple flaws in the design flow of TrustZone based protocols. Although our specific attacks only apply to the ~100 million devices made by Samsung, it raises the much more general requirement for open and proven standards for critical cryptographic and security designs.