Being the highest market share smartphone manufacturer, Samsung conducts a series of protection on Android called Knox Platform to ensure the security of its smartphones. During the booting process, Samsung uses S-boot (Secure Boot) to make sure it can only boot a stocked image. If the device tries to boot a custom image, it will trip a one-time programmable bit e-fuse (a.k.a Knox bit). Once a trustzone app (trustlet) detects the Knox bit tripped, it will delete the encryption key for the sensitive data to prevent unauthorized data access to the locked phone. In this presentation, we’ll present several vulnerabilities we found in S-Boot that are related to USB request handling.
By Cheng-Yu Chao, Hung Chi Su and Che-Yang Wu
Full Abstract & Presentation Materials: https://www.blackhat.com/us-20/briefings/schedule/#breaking-samsungs-root-of-trust-exploiting-samsung-s-secure-boot-20290