Niek Timmers

About

Niek brings over 10 years of expertise to the device security field. With a background in System and Network Engineering and an intrinsic interest, he's able to digest the complexities of device security efficiently.

He shared his research with the community at various security and academic conferences, as well as journals, such as Black Hat, Bluehat, Usenix WOOT, hardwear.io, FDTC and PoC||GTFO.

He gave trainings at HITB, hardwear.io and Ringzer0.

Speaking Topics & Expertise

Areas of Expertise

Embedded Linux Security

Linux Security

Secure Boot

Presentation Types

Technical Talk

Workshop

Lightning Talk

Demo

Audience Types

Security Engineers

Engineers

Developers

Penetration Testers

Security Professionals

Red Team

Blue Team

Researchers

Speaking History

2021

Exploiting QSEE, the Raelize Way!

HITBSecConf 2021 Amsterdam

May 27, 2021

Amsterdam

Technical Talk

Conference

Hardware Hacking

IoT Security

Modern devices are nowadays often equipped with a Trusted Execution Environment (TEE) to support secure parallel execution of security critical use cases. For example, it’s very likely a TEE is involved whenever you make a payment or watch a DRM-protected stream on your mobile phone. Nonetheless, we were surprised and intrigued at the same time, to find the Qualcomm TEE named QSEE present on several Qualcomm IPQ40xx-based networking devices.

We’ve identified multiple exploitable vulnerabilities in QSEE which we exploited to achieve arbitrary code execution. Qualcomm indicated to us that fixes are available and that their customer are notified. This gives us the opportunity to discuss the technical details of these vulnerabilities and our exploits.

At Raelize, we like to look further than just software vulnerabilities. We know very very well that the security of a device is determined by more than just its software architecture. Our system-level perspective on security typically steers us towards attacking devices using a-typical methods. We decided to test the resilience of the Qualcomm IPQ40xx SoC towards Electromagnetic Fault Injection (EMFI) attacks. We have been able to fully compromise the TEE without leveraging any software vulnerability. As far as we know, this is one of the very few examples where Fault Injection is used to attack a TEE in order to achieve arbitrary code execution.

In this talk, we start by introducing the target after which we dive right into the technical details of both the software and hardware vulnerabilities we’ve identified. Then, we describe how we used these vulnerabilities in order to achieve code execution within QSEE. We finalize the talk by placing the attacks into context and analyzing the impact for a vulnerable device.

It’s important to raelize that these vulnerabilities are tightly coupled to the hardware that’s used to produce these devices. Therefore, the amount of vulnerable devices in the field is likely significant. It has to be seen if the vulnerable population decreases any time soon as the software vulnerabilities are present in a component that’s not often updated by the device manufacturers. The hardware vulnerabilities simply cannot be fixed easily.

View Slides & Materials