Breaking Chains: Hacking Android Key Attestation

Black Hat USA 2025 · Day 1 · Briefings

Android Key Attestation is meant to prove that a cryptographic key lives inside tamper-resistant hardware. The talk presents a cluster of PKI implementation flaws in the attestation ecosystem, many of them rooted in a Google-vended reference library that relying parties trusted for years without a formal CVE being assigned. Researcher Alex discovered that the library's validation of the attestation certificate extension is broken in ways that let a software key, held in plain memory, be presented as hardware-backed, which defeats the bot-fraud countermeasures built on top of it. In one real-world deployment, bot traffic fell from 30% to 2% once the library was fixed.
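The abstract above turns on one property a relying party reads out of the attestation certificate: the security level recorded in the KeyDescription extension. The following is an added example, not code from the talk, from Google's attestation library, or from the researcher; it implements the minimum a verifier has to get right on the extension itself: read it from the leaf certificate only, after the X.509 chain has been validated against the Google attestation root (chain validation is assumed done beforehand and is not shown), and require a hardware security level on both the attestation and the keymaster fields, bound to a challenge the server issued. The DER layout of KeyDescription follows the Android Keystore attestation schema; the chain representation (a list of per-certificate extension dicts), the helper names, and the sample blobs are this example's own assumptions and constructions, not data captured from a device.

```python
"""Checks on the Android KeyDescription attestation extension (added example).

Assumes the X.509 chain was already validated against the Google attestation
root; only the extension contents are examined here. Sample blobs are
constructed below, not captured from a device.
"""
from dataclasses import dataclass

KEY_DESCRIPTION_OID = "1.3.6.1.4.1.11129.2.1.17"  # Android attestation extension
SECURITY_LEVELS = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}
HARDWARE_LEVELS = {1, 2}  # anything else means the key lives in plain memory


# --- minimal DER encoding, used only to build the constructed samples ---
def der(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80, "short-form lengths are enough for the samples"
    return bytes([tag, len(body)]) + body


def der_int(v: int) -> bytes:
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def build_key_description(att_level: int, km_level: int, challenge: bytes) -> bytes:
    """KeyDescription ::= SEQUENCE { attestationVersion, attestationSecurityLevel,
    keymasterVersion, keymasterSecurityLevel, attestationChallenge, uniqueId,
    softwareEnforced, teeEnforced }. Both AuthorizationLists are left empty here."""
    return der(0x30, b"".join([
        der_int(4), der(0x0A, bytes([att_level])),
        der_int(4), der(0x0A, bytes([km_level])),
        der(0x04, challenge), der(0x04, b""),
        der(0x30, b""), der(0x30, b""),
    ]))


# --- parsing side: what the relying party runs on the leaf's extension ---
def _read_tlv(buf: bytes, pos: int):
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:  # long-form length: low bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf: bytes, pos: int, tag: int):
    got, body, pos = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x}, got {got:#04x}")
    return body, pos


@dataclass
class KeyDescription:
    attestation_version: int
    attestation_security_level: int
    keymaster_version: int
    keymaster_security_level: int
    attestation_challenge: bytes


def parse_key_description(ext: bytes) -> KeyDescription:
    body, end = _expect(ext, 0, 0x30)
    if end != len(ext):
        raise ValueError("trailing bytes after KeyDescription")
    pos = 0
    att_ver, pos = _expect(body, pos, 0x02)
    att_lvl, pos = _expect(body, pos, 0x0A)
    km_ver, pos = _expect(body, pos, 0x02)
    km_lvl, pos = _expect(body, pos, 0x0A)
    challenge, pos = _expect(body, pos, 0x04)
    _unique_id, pos = _expect(body, pos, 0x04)
    _software_enforced, pos = _expect(body, pos, 0x30)
    _tee_enforced, pos = _expect(body, pos, 0x30)
    if len(att_lvl) != 1 or len(km_lvl) != 1:
        raise ValueError("malformed SecurityLevel")
    return KeyDescription(int.from_bytes(att_ver, "big", signed=True), att_lvl[0],
                          int.from_bytes(km_ver, "big", signed=True), km_lvl[0],
                          bytes(challenge))


def attestation_extension_from_chain(chain):
    """`chain` is leaf-first, one {oid: der_bytes} dict per certificate (this
    example's own representation). Only the leaf's extension describes the
    attested key; an intermediate carrying the OID is ignored."""
    return chain[0].get(KEY_DESCRIPTION_OID) if chain else None


def is_hardware_backed(ext: bytes, expected_challenge: bytes):
    """Return (ok, reason). Both security levels must be TEE or StrongBox and the
    challenge must be the one this server issued. The rootOfTrust / verified boot
    fields inside teeEnforced are a further check not shown here."""
    try:
        kd = parse_key_description(ext)
    except ValueError as e:
        return False, f"malformed extension: {e}"
    if kd.attestation_challenge != expected_challenge:
        return False, "challenge mismatch (replayed or foreign attestation)"
    for name, level in (("attestation", kd.attestation_security_level),
                        ("keymaster", kd.keymaster_security_level)):
        if level not in HARDWARE_LEVELS:
            return False, f"{name}SecurityLevel is {SECURITY_LEVELS.get(level, level)}"
    return True, "hardware-backed"


if __name__ == "__main__":
    tee = build_key_description(1, 1, b"server-nonce")
    soft = build_key_description(0, 0, b"server-nonce")
    print(is_hardware_backed(tee, b"server-nonce"))   # (True, 'hardware-backed')
    print(is_hardware_backed(soft, b"server-nonce"))  # (False, 'attestationSecurityLevel is Software')
```

The parser is deliberately strict: every field is read with its expected tag in order, trailing bytes are an error, and a mixed pair (attestation level in hardware, keymaster level in software) is rejected rather than averaged out. A real deployment would additionally walk the teeEnforced AuthorizationList for the rootOfTrust entry and compare it with the expected verified-boot state.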

AI review

Alex from Amazon found a cluster of PKI implementation bugs in the official Google attestation library that the industry has been trusting since 2016 — including a certificate extension attack that allows software keys to impersonate hardware-backed ones. The 30% to 2% bot traffic drop is the empirical validation that this matters operationally. The disclosure story is a disaster.
