Hardware-Based Attacks on Secure Enclaves and Embedded Devices
Security researchers have demonstrated new hardware-based techniques to extract sensitive data from devices previously considered secure, including smartwatches and confidential computing servers. In one case, analysts revived the 'Blinkenlights' technique, adapting it to modern TFT screens to extract firmware from a budget smartwatch by exploiting a dial parser vulnerability. This allowed arbitrary memory content to be displayed on the device's screen, which was then captured using a high-speed Raspberry Pi Pico setup. The smartwatch, which contained fake health sensors and used a JieLi AC6958C6 system-on-chip, was found to have weak authentication and a flawed firmware parser, enabling the out-of-bounds read attack.
Separately, researchers from KU Leuven University presented a low-cost hardware attack called 'Battering RAM' at Black Hat Europe 2025, which targets secure CPU enclaves such as Intel SGX and AMD SEV. By using a $50 DDR4 interposer, the researchers manipulated memory address mapping at runtime, bypassing firmware mitigations and gaining unauthorized access to encrypted memory. This allowed them to extract platform provisioning keys, forge attestation reports, and implant persistent backdoors on protected virtual machines, raising concerns about the security of cloud infrastructures relying on these technologies.
Related Stories
TEE.Fail Side-Channel Attack Compromises Confidential Computing on DDR5 Systems
Academic researchers from Georgia Tech, Purdue University, and Synkhronix have developed a side-channel attack named **TEE.Fail** that enables the extraction of secrets from trusted execution environments (TEEs) in modern CPUs, including Intel's SGX and TDX, AMD's SEV-SNP, and even Nvidia's GPU Confidential Computing. The attack leverages a memory-bus interposition technique on DDR5 systems, using off-the-shelf equipment costing under $1,000, to physically intercept and analyze encrypted memory traffic. This method allows attackers with physical access and root privileges to extract cryptographic keys and forge attestation, undermining the security guarantees of confidential computing environments. TEE.Fail is the first attack demonstrated against DDR5-based TEEs, extending previous DDR4-focused research such as WireTap and BatteringRAM. The researchers found that architectural changes in recent server-grade CPUs, specifically the adoption of deterministic AES-XTS encryption without memory integrity and replay protections, have introduced exploitable weaknesses. The attack's success highlights significant risks for organizations relying on hardware-based confidential computing, as it enables the compromise of sensitive data and secure workloads even on fully updated, trusted systems.
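To make the weakness named above concrete, here is an added Go model (not code from the TEE.Fail researchers or any vendor) of address-tweaked deterministic AES-XTS memory encryption with no integrity tag or anti-replay counter; the keys, the one-block-per-address layout and the addresses are constructed assumptions. It shows the two properties that matter for a defender: a bus observer sees identical ciphertext for identical values at the same address, and stale ciphertext written back to its original address is accepted without error.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Model of the deterministic AES-XTS memory encryption the page describes: each
// 16-byte block's tweak comes only from its physical address, and no integrity
// tag or anti-replay counter travels with the ciphertext. Keys are constructed.
var dataKey, _ = aes.NewCipher(bytes.Repeat([]byte{0x11}, 16))  // K1, constructed
var tweakKey, _ = aes.NewCipher(bytes.Repeat([]byte{0x22}, 16)) // K2, constructed

// xts applies op (dataKey.Encrypt or dataKey.Decrypt) to the block stored at
// addr: out = op(in xor T) xor T, with T = E_K2(addr) as in single-block XTS.
func xts(addr uint64, in []byte, op func(dst, src []byte)) []byte {
	tweak := make([]byte, 16)
	binary.LittleEndian.PutUint64(tweak, addr)
	tweakKey.Encrypt(tweak, tweak) // same address, same tweak, every time
	out := make([]byte, 16)
	for i := range out {
		out[i] = in[i] ^ tweak[i]
	}
	op(out, out)
	for i := range out {
		out[i] ^= tweak[i]
	}
	return out
}

// Equality leak: a bus observer sees identical ciphertext whenever the same
// value is written to the same address, because nothing else varies the tweak.
func SameAddrSameCiphertext(addr uint64, p []byte) bool {
	return bytes.Equal(xts(addr, p, dataKey.Encrypt), xts(addr, p, dataKey.Encrypt))
}

// Replay: a ciphertext captured on the bus and written back to the same address
// later still decrypts cleanly to the stale value; no tag or counter rejects it.
func ReplayDecryptsToStale(addr uint64, oldP []byte) bool {
	captured := xts(addr, oldP, dataKey.Encrypt)
	return bytes.Equal(xts(addr, captured, dataKey.Decrypt), oldP)
}

func main() {
	p := bytes.Repeat([]byte{0xAB}, 16)
	fmt.Println(SameAddrSameCiphertext(0x1000, p), ReplayDecryptsToStale(0x1000, p))
}
```

The tweak does bind a block to its address (the same ciphertext moved elsewhere decrypts to garbage), so what the model lacks is exactly the integrity and freshness check the write-up says recent server CPUs dropped.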
4 months ago
Secure Boot Bypass Vulnerability in Framework Linux Laptops via Signed UEFI Shells
Researchers from Eclypsium discovered that nearly 200,000 Linux-based Framework laptops and desktops were shipped with signed UEFI shell components containing a powerful 'memory modify' (mm) command, which can be exploited to bypass Secure Boot protections. The mm command, intended for low-level diagnostics and firmware debugging, provides direct read and write access to system memory, including critical security variables such as gSecurity2. By abusing this command, an attacker can overwrite the gSecurity2 variable with NULL, effectively disabling signature verification for all subsequent UEFI module loads and breaking the Secure Boot trust chain. This vulnerability allows attackers to load bootkits such as BlackLotus, HybridPetya, and Bootkitty, which can evade operating system-level security controls and persist even after OS reinstallation. The attack can be automated using startup scripts, ensuring persistence across reboots. The issue is not the result of a supply chain compromise or malicious intent, but rather an oversight in the inclusion of diagnostic tools signed with trusted certificates. Eclypsium's research highlights that these signed UEFI shells, while legitimate, function as backdoors that undermine the security model of Secure Boot. The presence of such tools in production devices exposes users to significant risk, as attackers can leverage them for pre-OS infections, espionage, sabotage, or ransomware attacks. The gaming industry has already seen commercial cheat providers exploiting similar UEFI-level bypasses, and the same techniques could be adopted by nation-state actors or advanced persistent threats. Framework has acknowledged the issue and is working on remediation, with fixes planned for affected models such as the Framework 13 (11th and 12th Gen Intel). 
The discovery underscores the broader risk of trusted, signed components containing powerful functionality that can be misused, and the need for rigorous review of firmware-level tools included in shipping devices. The vulnerability demonstrates that even systems marketed as secure and repairable can harbor critical flaws if diagnostic utilities are not properly restricted. The incident serves as a warning to hardware manufacturers and the security community about the dangers of trusted but overly permissive firmware components. Eclypsium's findings have prompted a reassessment of trust models in firmware security, emphasizing the importance of minimizing attack surfaces in pre-boot environments. The case also illustrates how attackers are increasingly targeting lower layers of the computing stack to achieve persistence and evade detection. Framework's response and the ongoing remediation efforts will be closely watched by the industry as a test case for responsible disclosure and mitigation of firmware-level threats.
5 months ago
Hardware-Level Android Chip Vulnerabilities Enable Device Compromise
Security researchers and vendors reported **hardware/firmware-level vulnerabilities in Android chip components** that can enable deep device compromise beyond typical app-layer defenses. Ledger’s Donjon research described a flaw involving **MediaTek chip boot-chain behavior and Trustonic’s trusted execution environment (TEE)** that allowed rapid physical compromise: by connecting an affected phone to a laptop over **USB**, attackers could allegedly brute-force the PIN, decrypt storage, and extract sensitive data including messages and **cryptocurrency wallet seed phrases** (e.g., Kraken Wallet, Phantom). The researchers estimated the affected MediaTek chips appear in roughly **one-quarter of Android phones**, disproportionately in lower-cost devices. Separately, Zimperium reported active exploitation of a **Qualcomm graphics zero-day** (**CVE-2026-21385**) in targeted Android attacks, describing a memory-corruption condition that could enable code execution or unauthorized access across “hundreds” of Qualcomm chipsets. A ZDNET article on Android’s *Repair Mode* primarily provides user guidance and anecdotal troubleshooting around a buggy March update/SIM recognition issue; it does not substantively address the chip-level vulnerabilities described in the other reporting and is best treated as tangential consumer advice rather than incident or vulnerability intelligence.
5 days ago