GET /congress/2025/event/f8587f46-8a0e-58d7-8d1d-82928b8220e2/?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": "f8587f46-8a0e-58d7-8d1d-82928b8220e2",
    "kind": "official",
    "name": "Not To Be Trusted - A Fiasco in Android TEEs",
    "slug": "not-to-be-trusted-a-fiasco-in-android-tees",
    "url": "https://api.events.ccc.de/congress/2025/event/f8587f46-8a0e-58d7-8d1d-82928b8220e2/?format=api",
    "track": "security",
    "assembly": "ccc",
    "room": "85a6ba5d-11d9-4efe-8d28-c5f7165a19ce",
    "location": null,
    "language": "en",
    "description": "We present novel insights into the current state of TEE security on Android focusing on two widespread issues: missing TA rollback protection and a type confusion bug arising from the GlobalPlatform TEE Internal Core API specification.\r\nOur results demonstrate that these issues are so widespread that on most devices, attackers with code execution at N-EL1 (kernel) have a buffet of n-days to choose from to achieve code execution at S-EL0 (TA).\r\n\r\nFurther, we demonstrate how these issues can be weaponized to fully compromise an Android device. We discuss how we exploit CVE-2023-32835, a type confusion bug in the keyinstall TA, on a fully updated Xiaomi Redmi Note 11.\r\nWhile the keyinstall TA shipped in the newest firmware version is not vulnerable anymore, the vulnerability remains triggerable due to missing rollback protections.\r\n\r\nTo further demonstrate how powerful code execution as a TA is, we'll exploit a vulnerability in the BeanPod TEE (used on Xiaomi Mediatek SoCs), to achieve code execution at S-EL3. Full privilege escalations in the TEE are rarely seen on stage, and we are targeting the BeanPod TEE which is based on the Fiasco micro kernel. This target has never been publicly exploited, to the best of our knowledge.\r\n\r\nOur work empowers security researchers by demonstrating how to regain control over vendor-locked TEEs, enabling deeper analysis of critical security mechanisms like mobile payments, DRM, and biometric authentication.",
    "schedule_start": "2025-12-27T20:30:00+01:00",
    "schedule_duration": "01:00:00",
    "schedule_end": "2025-12-27T21:30:00+01:00"
}