Not To Be Trusted - A Fiasco in Android TEEs (39c3)

Trusted Execution Environments (TEEs) based on ARM TrustZone form the backbone of modern Android devices' security architecture. The word "Trusted" in this context means that **you**, as in "the owner of the device", don't get to execute code in this execution environment. Even when you unlock the bootloader and Magisk-root your device, only vendor-signed code will be accepted by the TEE. This unfortunate setup limits third-party security research to the observation of input/output behavior and static manual reverse engineering of TEE components. In this talk, we take you with us on our journey to regain power over the highest privilege level on Xiaomi devices. Specifically, we are targeting the Xiaomi Redmi 11s and will walk through the steps necessary to escalate our privileges from a rooted user space (N-EL0) to the highest privilege level in the Secure World (S-EL3). We will revisit old friends like Trusted Application rollback attacks and GlobalPlatform's design flaw, and introduce novel findings like the literal fiasco you can achieve when you're introducing micro kernels without knowing what you're doing. In detail, we will elaborate on the precise exploitation steps taken and mitigations overcome at each stage of our exploit chain, and finally demo our exploits on stage. Regaining full control over our devices is the first step to deeply understand popular TEE-protected use cases including, but not limited to, mobile payment, mobile DRM solutions, and the mechanisms protecting your biometric authentication data. We present novel insights into the current state of TEE security on Android focusing on two widespread issues: missing TA rollback protection and a type confusion bug arising from the GlobalPlatform TEE Internal Core API specification. Our results demonstrate that these issues are so widespread that on most devices, attackers with code execution at N-EL1 (kernel) have a buffet of n-days to choose from to achieve code execution at S-EL0 (TA). Further, we demonstrate how these issues can be weaponized to fully compromise an Android device. We discuss how we exploit CVE-2023-32835, a type confusion bug in the keyinstall TA, on a fully updated Xiaomi Redmi Note 11. While the keyinstall TA shipped in the newest firmware version is not vulnerable anymore, the vulnerability remains triggerable due to missing rollback protections. To further demonstrate how powerful code execution as a TA is, we'll exploit a vulnerability in the BeanPod TEE (used on Xiaomi Mediatek SoCs), to achieve code execution at S-EL3. Full privilege escalations in the TEE are rarely seen on stage, and we are targeting the BeanPod TEE which is based on the Fiasco micro kernel. This target has never been publicly exploited, to the best of our knowledge. Our work empowers security researchers by demonstrating how to regain control over vendor-locked TEEs, enabling deeper analysis of critical security mechanisms like mobile payments, DRM, and biometric authentication. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/not-to-be-trusted-a-fiasco-in-android-tees