Coprocessor Attacks: the Hidden Threat

Botnets, DDoS and ransomware attacks, vulnerabilities in Internet of Things devices and open-source software, and the generally poor state of information security dominate the discussion of cybersecurity. These issues remain omnipresent, but a sleeper threat, and therefore one of the most significant risks, is the so-called coprocessor.

Coprocessors are useful; they are purpose-built to perform specific functions and are an integral part of today’s incredibly powerful and efficient smartphones. In short, they offload resource-intensive (e.g. cryptographic operations) or highly specialized tasks from the main processor, simplifying development and boosting system performance.

Instead of doing things like running apps, they control functions like cellular and Wi-Fi radios on behalf of the main processor. As such, they have become central to the evolution of smartphones.

Firmware vulnerabilities
There is a problem though. Coprocessors typically run their own firmware which—like any other computer code—can be vulnerable to attack. Because they have a privileged communication path to the main processor, compromised coprocessors give an attacker a method of bypassing other security controls.

These attacks are not just theoretical. Google’s Project Zero, a team of security analysts employed by Google tasked with finding zero-day vulnerabilities, have run proof-of-concepts illustrating how these attacks can be carried out on Android and iOS devices by exploiting Wi-Fi coprocessors.

Modern operating systems employ many different hardening techniques, including the removal or restriction of “super-user” accounts and privileges, code signing, and strict application sandboxing, but the majority of these enhancements apply to code running on the main application processor.

Coprocessors overlooked?
However, coprocessors have tended to be overlooked. Security is a cat-and-mouse game and as vulnerabilities are identified and resolved, attackers must seek new avenues to exploit. Coprocessors are one such new—and relatively unprotected—avenue, making them a ripe target.

It is not so difficult to do. Because coprocessors are designed to be used by multiple Original Equipment Manufacturers (OEMs), those OEMs need access to the firmware and relevant documentation to build the coprocessors into their device designs. While the documentation isn’t strictly public or open source, it is readily available.

The Google Project Zero team, for example, began their initial investigation by looking at product data sheets available on a chip manufacturer’s website. With access to this sort of information, attackers have a head start in identifying vulnerabilities.

Game over
When an attacker gains entry at the firmware level, it’s game over. They have access to all apps and to all the data or databases those apps can access. Login credentials are exposed, as are GPS location, contact information and bank account details; in fact, everything on the device. The device’s IP address can also be used to launch further attacks, and the device itself can even be turned into a spyware tool.

Attacks will follow a predictable and well-trod path. Sophisticated attackers will identify and exploit the vulnerabilities and—while they will try to keep their methods and tools to themselves for as long as possible—they will eventually become common knowledge.

As with all techniques, attacking smartphones at the firmware level will be ‘democratized’ over time as the vulnerabilities and methods become better understood. While early attacks will be narrowly focused and perpetrated by specific actors with particular objectives, once the information becomes widespread, the focus will shift to “crimes of opportunity” with attackers of varying skill level and intent gaining access simply because they can.

Protective measures
So what protective measures can be taken? Enterprise mobile management (EMM) needs to be a given. It enables enterprises to build a management infrastructure that can track and trace firmware updates from OEMs.

This ensures that updates are applied automatically, and it also blocks devices that have not been updated from accessing corporate resources. For fleets of corporate devices it is the ideal tool, but it can also be used in BYOD situations.

Cloud-based enterprise mobile management provides even greater flexibility. It helps simplify mobile management and security across different operating systems such as iOS, Android, and Windows platforms and remotely wipes corporate data if a device is lost, stolen, or compromised.
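The gating rule described above (only devices whose coprocessor firmware meets the current baseline may reach corporate resources) is simple to state but easy to get wrong, most often by comparing version strings lexically or by treating a device that reports nothing as compliant. The following is an added example written for this article, not code from the article or from any EMM product. The policy table, the component names (`baseband`, `wifi`) and every device record and version number in it are constructed; a real deployment would take the inventory from the EMM agent and the minimum versions from the OEM's advisory.

```python
"""Firmware-baseline compliance gate for a managed device fleet (added example).

Decides, per device, whether the firmware reported for each policy-tracked
coprocessor meets the minimum version set by policy, and therefore whether the
device may access corporate resources. Fails closed: a missing or unparseable
version blocks the device rather than letting it through.
"""
from dataclasses import dataclass, field
import re

# Hypothetical policy: minimum accepted firmware per (platform, component).
# Versions are constructed; real vendor build strings differ.
MIN_FIRMWARE = {
    ("android", "baseband"): "2.4.9",
    ("android", "wifi"): "1.7.0",
    ("ios", "wifi"): "3.1.0",
}


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    firmware: dict = field(default_factory=dict)  # component -> reported version


def parse_version(version: str) -> tuple:
    """'2.4.10' -> (2, 4, 10). Rejects anything non-numeric so a garbled or
    placeholder value ('unknown') cannot be mistaken for a valid version."""
    parts = version.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unparseable version {version!r}")
    return tuple(int(p) for p in parts)


def meets_baseline(reported: str, minimum: str) -> bool:
    """Numeric, component-wise comparison with zero padding, so '3.1' equals
    '3.1.0' and '2.4.10' is newer than '2.4.9' (a plain string comparison
    would get the latter wrong, because '1' sorts before '9')."""
    a, b = parse_version(reported), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def evaluate(device: Device, policy: dict) -> tuple:
    """Return ('allow', []) only if every component the policy tracks for this
    platform is reported and meets its minimum; otherwise ('block', reasons)."""
    reasons = []
    for (platform, component), minimum in policy.items():
        if platform != device.platform:
            continue
        reported = device.firmware.get(component)
        if reported is None:
            reasons.append(f"{component}: version not reported")
            continue
        try:
            if not meets_baseline(reported, minimum):
                reasons.append(f"{component}: {reported} is below required {minimum}")
        except ValueError as exc:
            reasons.append(f"{component}: {exc}")
    return ("block" if reasons else "allow", reasons)


def audit_fleet(fleet: list, policy: dict) -> dict:
    """Map device_id -> (decision, reasons) for the whole inventory."""
    return {d.device_id: evaluate(d, policy) for d in fleet}


# Constructed inventory, as an EMM agent might report it.
FLEET = [
    Device("d-001", "android", {"baseband": "2.4.10", "wifi": "1.7.3"}),   # up to date
    Device("d-002", "android", {"baseband": "2.4.9", "wifi": "1.6.12"}),   # wifi too old
    Device("d-003", "ios", {"wifi": "3.1"}),                                # equals 3.1.0
    Device("d-004", "android", {"baseband": "2.4.10"}),                    # wifi missing
    Device("d-005", "android", {"baseband": "2.4.10", "wifi": "unknown"}), # garbled
]

if __name__ == "__main__":
    for device_id, (decision, reasons) in audit_fleet(FLEET, MIN_FIRMWARE).items():
        print(device_id, decision, "; ".join(reasons))
```

Only `d-001` and `d-003` are allowed; the other three are blocked with a reason string that can be surfaced to the device owner or fed to the access broker. The two deliberate edge cases are the zero-padded comparison (so an OEM that reports `3.1` where the policy says `3.1.0` is not wrongly quarantined) and the fail-closed handling of absent or non-numeric values, which is what keeps a device with a broken agent from quietly passing the check.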

Red flags
Coprocessor vulnerabilities are an opportunity waiting to be exploited by attackers and it’s inevitable this will happen. The red flag is that, when these attacks begin, victims likely won’t be aware of what has happened until after the event when the damage is done, whether this is the loss of sensitive corporate data or devices remotely taken over.

With measures such as the GDPR set to come into effect in May, the penalties go far beyond embarrassing headlines and a PR crisis. With fines of up to £20 million or 4 per cent of global turnover for loss of customer data, coprocessor attacks represent one more threat that organizations must be prepared to defend against. 
