Mobile payments: are they really safe?
Until now, Qualcomm’s “Secure World” was considered impenetrable. Accordingly, all information about our credit and debit cards, along with other sensitive and personal information stored on our smartphones, is saved directly in the so-called “Secure World”. But are our mobile payments really that safe?
After a 4-month study, Check Point Research, the Threat Intelligence division of Check Point Software Technologies Ltd., the leading provider of cybersecurity solutions globally, has debunked the belief that Qualcomm’s “Secure World” is hacker-proof. The Qualcomm system has always been recognized by industry experts as the most secure compartment of our smartphones. Check Point’s research reveals, however, the existence of a flaw that allows hackers to steal our mobile payment information.
Smartphones and Qualcomm
It is well known that “pure” software solutions have security limits. Protected storage systems based purely on software mechanisms lack important hardware security specifications and therefore expose data to a wider range of threats. Android software on its own has these same security limitations, which Qualcomm addresses through hardware-based features. To overcome this limitation, the Android runtime must be protected from both attackers and users. This is usually achieved by moving the protected storage software to a hardware-supported TEE (Trusted Execution Environment).
Mobile operating systems, such as Android, offer a Rich Execution Environment (REE), which provides an extremely large and versatile runtime environment. While providing flexibility and capability, the REE makes devices vulnerable to a wide range of security threats. The TEE is designed to reside alongside the REE and provide a secure area on the device to protect assets and execute secure code.
Qualcomm’s TEE is based on ARM TrustZone technology. TrustZone is a set of security extensions on ARM architecture processors that provide a secure virtual processor backed by hardware-based access control. This secure virtual processor is often referred to as the “Secure World”, as opposed to the “non-secure world”, where the REE resides. In 2018, it was documented that Qualcomm led the processor market with a 45% share.
Check Point discovered the open flaw
In a 4-month research project, Check Point researchers were able to find the flaw in Qualcomm’s “Secure World” operating system. The researchers used the technique of “fuzzing” to expose the flaw regarding mobile payments. Fuzzing (or fuzz testing) is a technique used to identify coding errors and security holes in software, operating systems or networks. It consists of sending huge amounts of random data, called fuzz, to the system under test in order to cause it to crash.
Check Point Research has disclosed its findings responsibly. Qualcomm acknowledged the study findings and corrected the vulnerability (CVE-2019-10574). The blog post (in English) of the study is available at this link.