Hack a secure SoC once & have a backdoor forever: a practical attack on Dell/Broadcom ControlVault. 💻🧠☢️🩻🤬
Security researcher Philippe Laulheret shared in his presentation some serious vulnerabilities in Dell/Broadcom ControlVault secure-hub hardware (BCM5820x) and firmware (ControlVault 3/3+). Quite impressive, to be honest.
What the author achieved:
1️⃣ Dumped on-chip keys (OTP/fuse keys; HMAC/AS keys).
2️⃣ Permanently modified the application firmware (a persistent implant).
3️⃣ Bypassed Windows Hello fingerprint authentication (made fingerprint checks always return “yes”).
4️⃣ Escalated to SYSTEM on Windows by corrupting a biometric-adapter stack frame.
And it’s all because the ControlVault host API binaries for Linux were compiled with publicly available debug symbols. 🏆
More details:
ReVault! Compromised by your Secure SoC [YouTube]: https://lnkd.in/dHc6KMW3