Researchers from an Austrian university have developed techniques for performing cache attacks on non-rooted Android phones that can monitor keystrokes and screen taps, and even observe code execution inside the ARM processor’s TrustZone secure execution environment.
The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.
“In this work, we demonstrate how to solve key challenges to perform the most powerful cross-core cache attacks Prime+Probe, Flush+Reload, Evict+Reload, and Flush+Flush on non-rooted ARM-based devices without any privileges. Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen,” the researchers wrote in their paper, which was presented at the USENIX Security Symposium this week.
The team of Moritz Lipp, Daniel Gruss, Raphael Spreitzer, Clémentine Maurice, and Stefan Mangard considers an attacker who is using a malicious app on a target Android phone. The app doesn’t need any permissions whatsoever and the phone doesn’t need to be rooted for the attacks to work. The team has released the code used in the attacks on GitHub.
“Our proof-of-concept attacks exploit shared libraries and binaries from Android apk files to infer key strokes. The cache template attack technique we used for these attacks is generic and can also be used to attack any other library. For instance, there are various libraries that handle different hardware modules and software events on the device, such as GPS, Bluetooth, camera, NFC, vibrator, audio and video decoding, web and PDF viewers. Each of these libraries contains code that is executed and data that is accessed when the device is in use,” the paper says.
“Thus, an attacker can perform a cache template attack on any of these libraries and spy on the corresponding device events. For instance, our attack can be used to monitor activity of the GPS sensor, bluetooth, or the camera. An attacker can record such user activities over time to learn more about the user.”
In an email, Gruss said there may end up being other attack vectors for these techniques, as well.
“The app would require no privileges at all. In future we might even see working attacks through websites as we have already seen on x86 architectures,” Gruss, a doctoral student at Graz University of Technology, said.
The team also found a method for implementing a cache attack against the TrustZone security environment in ARM-based devices. The attack gathers information from TrustZone that should not be accessible to non-TrustZone processes.
“Our observations showed that a Prime+Probe attack on the TrustZone is not much different from a Prime+Probe attack on any application in the normal world. However, as we do not have access to the source code of the TrustZone OS or any trustlet, we only conduct simple attacks. We show that Prime+Probe can be used to distinguish whether a provided key is valid or not. While this might also be observable through the overall execution time, we demonstrate that the TrustZone isolation does not protect against cache attacks from the normal world and any trustlet can be attacked,” the researchers said.
“We evaluated cache profiles for multiple valid as well as invalid keys. We performed Prime+Probe before and after the invocation of the corresponding trustlet, i.e., prime before the invocation and probe afterwards. We clearly see a difference in some sets (cache sets 250–320) that are used during the signature generation using a valid key. These cache profiles are reproducible and can be used to distinguish whether a valid or an invalid key has been used in the TrustZone. Thus, the secure world leaks information to the non-secure world.”
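A leakage check of the kind a trustlet developer could run over such before/after cache profiles, given here as an added example and not code from the paper or the researchers' GitHub release. It applies Welch's t-test per cache set to constructed profiles; the 512-set cache size, the miss-count values and the 4.5 threshold are assumptions.

```python
import random
from statistics import mean, variance

NUM_SETS = 512            # assumed number of cache sets (constructed)
ACTIVE = range(250, 321)  # sets the article reports as differing for valid keys
T_THRESHOLD = 4.5         # assumed cut-off for |t|, common in leakage assessment

def synthetic_profile(rng, valid_key):
    """One constructed profile: probe misses per cache set after a trustlet call."""
    profile = []
    for s in range(NUM_SETS):
        base = 4.0 if (valid_key and s in ACTIVE) else 1.0
        profile.append(max(0.0, rng.gauss(base, 0.5)))
    return profile

def welch_t(a, b):
    """Welch's t-statistic for two samples with possibly unequal variance."""
    denom = (variance(a) / len(a) + variance(b) / len(b)) ** 0.5
    diff = mean(a) - mean(b)
    if denom == 0.0:
        # Noise-free samples: any difference in means is an unbounded signal.
        return 0.0 if diff == 0.0 else float("inf") * (1 if diff > 0 else -1)
    return diff / denom

def leaky_sets(valid_runs, invalid_runs, threshold=T_THRESHOLD):
    """Return cache-set indices whose miss counts differ between the classes."""
    flagged = []
    for s in range(NUM_SETS):
        t = welch_t([r[s] for r in valid_runs], [r[s] for r in invalid_runs])
        if abs(t) > threshold:
            flagged.append(s)
    return flagged

def run_assessment(runs_per_class=40, seed=1):
    """Build constructed profiles for both key classes and flag leaking sets."""
    rng = random.Random(seed)
    valid = [synthetic_profile(rng, True) for _ in range(runs_per_class)]
    invalid = [synthetic_profile(rng, False) for _ in range(runs_per_class)]
    return leaky_sets(valid, invalid)

if __name__ == "__main__":
    flagged = run_assessment()
    print(f"{len(flagged)} sets exceed |t| > {T_THRESHOLD}: "
          f"{flagged[0]}..{flagged[-1]}" if flagged else "no leakage detected")
```

A set that stays above the threshold across repeated collections marks key-dependent memory access in the code under test, which is the property constant-time implementations are written to remove.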
The researchers said that although they presented several different techniques for cache attacks on ARM devices, there likely are many more.
“The presented example attacks are by no means exhaustive and launching our proposed attack against other libraries and apps will reveal numerous further exploitable information leaks. Our attacks are applicable to hundreds of millions of today’s off-the-shelf smartphones as they all have very similar if not identical hardware,” the paper says.
Gruss said that defending against these attacks is not an easy thing to do.
“Mitigating these attacks has shown to be really difficult. There is on-going research on mitigating attacks, i.e. there is no satisfying solution yet,” Gruss said. “What we know: we can make attacks harder by restricting access to information and interfaces that facilitate the attack, for instance physical address information and flush instructions.”