Symposium on Information and Communication Technology Security (Symposium sur la sécurité des technologies de l'information et des communications)

French-language conference on the topic of information security.
It will take place in Rennes from 5 to 7 June 2024.

When Samsung meets Mediatek: the story of a small bug chain

Maxime Rossi Bellom, Raphaël Neveu

Date: 06 June 2024 at 10:00 (30 min.)

Last year, we saw a resurgence of vulnerabilities affecting the logo parsers of various boot chains, leading to complete secure boot bypasses. While this research, such as LogoFail, mainly impacted desktop environments, mobile platforms are not immune to this type of issue. During our past research analyzing the Android Data Encryption Scheme, we dug into the boot chain of Samsung low-end mobile devices, which are based on Mediatek System-on-Chips. Some parts of the implementation, including the bootloader's JPEG logo parsing, quickly caught our interest as they had good potential for bugs.

In this paper, we present a small bug chain that an attacker with physical access to the device can use to bypass secure boot, execute code on the chip, and ultimately leak the secret keys protected by the hardware-backed keystore.

This article brings together two key concepts of modern mobile architecture: secure boot and the Trusted Execution Environment. It gives a comprehensive view of how these features work and how security researchers can target them, focusing on the offensive approach.