Open sushi2k opened 5 years ago
There are no mitigating steps apparently: only "upgrade your device"? If it only leaks ECDSA, we could recommend, for older devices that might not have been patched, to not use ECDSA keys?
Let's use this as an example when describing MSTG‑STORAGE‑14 in the MSTG, to demonstrate this as a defense-in-depth requirement: "Android developers who use the keystore in their applications can also take advantage of the user authentication requirements and key attestation offered by the keystore." Including your suggestion to consider not using ECDSA on older devices due to this issue.
Maybe we can extend this issue with the take-aways from https://android-developers.googleblog.com/2019/09/trust-but-verify-attestation-with.html?m=1?
Describe the issue: Mitigating steps to address a new attack from NCC against Qualcomm-backed key stores should be added to MSTG.
https://www.nccgroup.trust/us/our-research/private-key-extraction-qualcomm-keystore/