Up until recently, Qualcomm’s “Secure World” had been thought to be impenetrable, with countless mobile phone users storing their credit/debit card information, along with other sensitive, personal information, directly into storage in Qualcomm’s “Secure World”.

Now, through a 4-month research study, Check Point Research has dispelled the belief that Qualcomm’s “Secure World”—dubbed by industry experts as the safest component of our mobile phones—is breach-proof by cyber hackers.

Check Point’s research reveals that a gaping hole exists, uniquely enabling cyber hackers to steal our mobile payment information.

Nearly half of mobile phones globally entrust Qualcomm

It is well known that pure software solutions have security limitations. Android software by itself has the same security limitations, which Qualcomm has addressed through hardware-based features. This is typically achieved by moving the secure storage software to a hardware supported Trusted Execution Environment (TEE).

On Qualcomm technology, TEE is based on ARM TrustZone technology, a set of security extensions on ARM architecture processors providing a secure virtual processor backed by hardware-based access control. This secure virtual processor is often referred to as the “secure world”, in comparison to the “non-secure world”. In 2018, it was documented that Qualcomm led the processor market at 45% revenue share. 

How the secure world was compromised

In a 4-month research project, Check Point researchers attempted and succeeded to reverse Qualcomm’s “Secure World” operating system. Check Point researchers leveraged the “fuzzing” technique to expose the hole. Fuzz testing (fuzzing) is a quality assurance technique used to discover coding errors and security loopholes in software, operating systems or networks. It involves inputting massive amounts of random data, called fuzz, to the test system in an attempt to make it crash. 

Check Point implemented a custom-made fuzzing tool, which tested trusted code on Samsung, LG, Motorola devices. Through “fuzzing”, Check Point found four vulnerabilities in trusted code implemented by Samsung (including S10), 1 in Motorola, 1 in LG, 1 related to LG, but all code sourced by Qualcomm itself. Hence, it has been proved that programmers of all the best vendors and Qualcomm made mistakes in their code! 

What mobile phone users should do

Check Point Research urges mobile phone users to stay vigilant and check their credit and debit card providers for any unusual activity. In the meantime, the company is working with the vendors mentioned to issue patches.