Wideshears: Investigating and Breaking Widevine on QTEE

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 1:30 p.m. (30 minutes)

Widevine is a DRM solution, and QTEE is Qualcomm's TrustZone implementation; both run on billions of devices. In this presentation, we will share our latest study of Widevine on QTEE. We will first explain why QTEE and Widevine are high-value targets and briefly cover the basics of each. We will then show how to locate the command handling logic, walk through that logic, and explain how it led us to a vulnerability.

With the vulnerability in hand, we need the following in order to achieve the exploit:
1. We need to know the memory model of a QTEE TA, in particular how commands are delivered and how buffers are shared between the two worlds. A second vulnerability is used to leak information through this model.
2. We need to know where the TA is loaded and find a way to break ASLR.
3. We need to find a memory layout that lets us reach the TA from the user-controlled location.

Once the above is resolved, we will put the pieces together to exploit the Widevine TA and extract data from SFS, the trusted storage of QTEE.

Prior knowledge is not mandatory but is recommended.

Presenters:

  • Qi Zhao - Security Researcher, Qihoo 360
    Qi Zhao (a.k.a. Hyrathon) is a researcher from 360 Alpha Lab. He received his master's degree in Information Security from Beijing University of Posts and Telecommunications. He now focuses on mobile-platform targets, including TrustZone, NFC, and media codecs. He has found and submitted tens of vulnerabilities to top vendors such as Google, Huawei, and Qualcomm. He was also a speaker at HITCON 2019.