Breaking Samsung's Root of Trust: Exploiting Samsung S10 Secure Boot

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 1:30 p.m. (40 minutes)

As the smartphone manufacturer with the highest market share, Samsung ships a set of protections for Android, collectively called the Knox Platform, to secure its devices. During the boot process, Samsung's bootloader, S-Boot (Secure Boot), ensures that only a stock image can be booted. If the device attempts to boot a custom image, it trips a one-time-programmable e-fuse bit (the "Knox bit"). Once a TrustZone application (trustlet) detects that the Knox bit has been tripped, it deletes the encryption key protecting sensitive data, so that the data on a locked phone cannot be accessed without authorization.

In this presentation, we present several vulnerabilities we found in S-Boot's USB request handling. By exploiting these vulnerabilities, we can bypass S-Boot's mitigations over the USB interface and obtain code execution at an early stage of boot. In other words, as long as we have the phone (whether locked or not) and a USB-C cable, we can boot a custom image without tripping the Knox bit, which allows us to retrieve sensitive data from a locked device.

We will also describe in detail how we discovered and exploited the vulnerabilities, demonstrate the exploit on a Samsung Galaxy S10 smartphone, and discuss the possible impact of these vulnerabilities.


Presenters:

  • Che-Yang Wu - Senior Researcher, TeamT5
    Che-Yang Wu (Sean Wu) is a Senior Researcher at TeamT5. He is also a member of the HITCON and 217 CTF teams and has been participating in CTF competitions for many years. He is now focusing on mobile and IoT security, particularly exploitation techniques.
  • Hung Chi Su - Senior Researcher, TeamT5
    Hung Chi Su (also known as atdog) is a member of Chroot, the top private hacker group in Taiwan. He has been taking part in CTF competitions for over 10 years and is a member of the HITCON and 217 CTF teams, which achieved second place at Defcon CTF 22 and 25. He is now focusing on mobile and IoT security, particularly exploitation techniques.
  • Cheng-Yu Chao - Senior Researcher, TeamT5
    Cheng-Yu Chao (also known as Jeffxx) is a member of Chroot, the top private hacker group in Taiwan. He has been taking part in CTF competitions for over 10 years and is a member of the HITCON and 217 CTF teams, which achieved second place at Defcon CTF 22 and 25. He has also presented at the HITCON and PoC conferences. He is now focusing on mobile and IoT security, particularly exploitation techniques.
