Qualcomm technology which was manufactured to safely store private cryptographic keys has been found to be plagued with a security bug. The bug has been found in Qualcomm chipsets and is said to be paving way for Android malware which can potentially steal access to victims’ online accounts.
The implemention of the technology should be such that even if the Android’s OS has been exploited, the Qualcomm Secure Execution Environment, also known as QSEE should be beyond the reach of exploit and hence, unassailable. However, due to some imperfections in the implementation, such is not the case.
One can go about manipulating the system and leaking the private stored keys into the QSEE, as per a researcher with cybersecurity firm NCC Group, Keegan Ryan.
Ryan documented the vulnerability and came out with a conclusion that the flaw could bave been used by a hacker to exploit the way mobile apps let users sign in on smartphones. After entering the password, a cryptographic key pair would be generated by the app, which can be employed to make sure that all login attempts in the future are from the same device.
Referenced from the statements given by Ryan to PCMag,
“However, if an attacker uses this vulnerability to steal the key pair, the attacker can impersonate the user’s device from anywhere in the world, and the user cannot stop it by powering down or destroying their device,”
“The attacker can run the malware one time, and extract the key. They now have permanent and unrestricted ability to create (authentication) signatures,” he further added.
The patch is expected to roll out in April itself along with Android’s security update.