Skip to content
.ca
sign in
4 minhigh

What we learned about TEE security from auditing WhatsApp's Private Inference

An audit of WhatsApp's Private Inference feature revealed critical implementation flaws in its Trusted Execution Environment (TEE) deployment. Vulnerabilities included unmeasured environment variables, unverified ACPI tables, and missing attestation freshness guarantees, which could have allowed attackers to bypass privacy protections and access plaintext data before Meta patched the issues.

Conf:highAnalyzed:2026-04-07reports

Authors: Trail of Bits

VulnerabilityAMD SEV-SNPWhatsAppTEEAttestation

Source:Trail of Bits

Key Takeaways

  • WhatsApp's Private Inference TEE implementation contained 28 vulnerabilities (8 high-severity) prior to launch, all of which have been patched by Meta.
  • Unmeasured environment variables allowed potential malicious code injection (e.g., via LD_PRELOAD) without invalidating the TEE attestation.
  • Unmeasured ACPI tables could allow a malicious hypervisor to inject fake devices and read/write protected memory.
  • Attestation reports lacked freshness guarantees, enabling potential replay attacks using compromised TLS keys.
  • Firmware patch levels were trusted based on claims rather than verified against cryptographic certificates like AMD's VCEK.

Affected Systems

  • WhatsApp Private Inference
  • AMD SEV-SNP
  • Nvidia confidential GPUs
  • Trusted Execution Environments (TEEs)

Vulnerabilities (CVEs)

  • TOB-WAPI-13 (Audit Finding)
  • TOB-WAPI-17 (Audit Finding)
  • TOB-WAPI-8 (Audit Finding)
  • TOB-WAPI-7 (Audit Finding)
  • TOB-WAPI-10 (Audit Finding)
  • TOB-WAPI-18 (Audit Finding)

Attack Chain

A malicious insider or compromised hypervisor targets the TEE boot and attestation process. The attacker injects malicious environment variables or alters ACPI tables before the enclave fully secures its memory, successfully bypassing attestation measurements. Once the enclave boots, the injected code or fake hardware devices extract plaintext user messages or encryption keys from the TEE. Alternatively, the attacker replays a stolen, stale attestation report to spoof a legitimate Meta server and intercept client connections.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article.

Detection Engineering Assessment

EDR Visibility: None — TEEs are explicitly designed to be opaque to the host operating system, preventing traditional EDR agents from introspecting enclave memory or execution. Network Visibility: Medium — Network sensors can observe TLS handshakes and potentially analyze attestation payloads for missing nonces or freshness indicators. Detection Difficulty: Very Hard — Detecting these flaws requires specialized instrumentation of the hypervisor and TEE boot sequence, as well as deep inspection of cryptographic attestation validation.

Required Log Sources

  • TEE attestation logs
  • Secure bootloader logs
  • Hypervisor logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Clients or servers are accepting TEE attestation requests that lack cryptographic freshness nonces (e.g., TLS client_random), indicating a potential replay attack.Network traffic (TLS handshakes), Application authentication logsCredential Access/Defense EvasionLow
Unexpected or unmeasured environment variables are being passed to the TEE during the secure boot sequence.Hypervisor logs, Secure bootloader logsExecutionMedium

Control Gaps

  • Traditional EDR cannot inspect TEE memory.
  • Standard network IDS cannot decrypt TEE-bound traffic.

Key Behavioral Indicators

  • Mismatched firmware patch levels in attestation vs. VCEK certificates
  • Missing client_random nonces in attestation reports
  • Unexpected environment variables in TEE boot configuration

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Validate all environment variables passed to TEEs, restricting them to safe characters and explicitly blocking dangerous variables like LD_PRELOAD.

Infrastructure Hardening

  • Implement custom bootloaders that verify ACPI table signatures during the secure boot process.
  • Validate TEE firmware patch levels against cryptographic certificates (e.g., AMD VCEK X.509 extensions) rather than relying on self-reported claims.

User Protection

  • Ensure client applications enforce attestation freshness by including a TLS client_random nonce in every attestation report to prevent replay attacks.

Security Awareness

  • Conduct comprehensive negative testing on TEE components to evaluate system behavior under malicious inputs or misconfigurations.

MITRE ATT&CK Mapping

  • T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking
  • T1565.001 - Data Manipulation: Stored Data Manipulation
  • T1550 - Use Alternate Authentication Material

Additional IOCs

  • Command Lines:
    • Purpose: Example of environment variable injection used to force the system to load malicious code during startup. | Tools: LD_PRELOAD | Stage: Execution/Privilege Escalation | LD_PRELOAD=

Related