2025-12-27 –, Fuse
Trusted Execution Environments (TEEs) based on ARM TrustZone form the backbone
of modern Android devices' security architecture. The word "Trusted" in
this context means that you, as in "the owner of the device", don't
get to execute code in this execution environment. Even when you unlock
the bootloader and Magisk-root your device, only vendor-signed code will
be accepted by the TEE. This unfortunate setup limits third-party
security research to the observation of input/output behavior and static
manual reverse engineering of TEE components.
In this talk, we take you with us on our journey to regain power over
the highest privilege level on Xiaomi devices. Specifically, we are
targeting the Xiaomi Redmi 11s and will walk through the steps necessary
to escalate our privileges from a rooted user space (N-EL0) to the
highest privilege level in the Secure World (S-EL3). We will revisit old
friends like Trusted Application rollback attacks and GlobalPlatform's
design flaw, and introduce novel findings like the literal fiasco you
can achieve when you're introducing micro kernels without knowing what
you're doing. In detail, we will elaborate on the precise exploitation
steps taken and mitigations overcome at each stage of our exploit chain,
and finally demo our exploits on stage.
Regaining full control over our devices is the first step to deeply
understand popular TEE-protected use cases including, but not limited
to, mobile payment, mobile DRM solutions, and the mechanisms protecting your biometric
authentication data.
We present novel insights into the current state of TEE security on
Android focusing on two widespread issues: missing TA rollback
protection and a type confusion bug arising from the GlobalPlatform TEE
Internal Core API specification.
Our results demonstrate that these issues are so widespread that on most
devices, attackers with code execution at N-EL1 (kernel) have a buffet
of n-days to choose from to achieve code execution at S-EL0 (TA).
Further, we demonstrate how these issues can be weaponized to fully
compromise an Android device. We discuss how we exploit CVE-2023-32835, a
type confusion bug in the keyinstall TA, on a fully updated Xiaomi
Redmi Note 11.
While the keyinstall TA shipped in the newest firmware version is not
vulnerable anymore, the vulnerability remains triggerable due to missing
rollback protections.
To further demonstrate how powerful code execution as a TA is, we'll
exploit a vulnerability in the BeanPod TEE (used on Xiaomi Mediatek
SoCs), to achieve code execution at S-EL3. Full privilege escalations in
the TEE are rarely seen on stage, and we are targeting the BeanPod TEE
which is based on the Fiasco micro kernel. This target has never been
publicly exploited, to the best of our knowledge.
Our work empowers security researchers by demonstrating how to regain control over
vendor-locked TEEs, enabling deeper analysis of critical security
mechanisms like mobile payments, DRM, and biometric authentication.
