A leftover factory test mode in Android bootloader firmware built by Taiwanese electronics manufacturer Foxconn can be turned into a backdoor by an attacker with physical access to a device.
The situation is a dream for law enforcement or a forensics outfit wishing to gain root access to a targeted device. Android researcher Jon Sawyer on Wednesday publicly disclosed the situation, which he’s called Pork Explosion as a swipe at what he calls overhyped and branded vulnerabilities.
“As a physical threat, it’s bad; game over,” Sawyer said. “It’s easy to do and you get complete code execution on the device, even if it’s encrypted or locked down. It’s exactly what a forensics company or law enforcement officials would love to have.”
The backdoor was found in a bootloader built by Foxconn, Sawyer said. Foxconn builds phones for other vendors and writes some of the low-level firmware, including bootloaders, that ships on them. Two vendors’ devices are known to be affected so far, InFocus’ M810 and Nextbit’s Robin, but Sawyer cautioned that there are likely more.
An attacker with access to the device can connect to it via USB, run commands and obtain a root shell with SELinux disabled, without authenticating to the device. This opens the door not only to extracting data stored on a password-protected or encrypted device, but also to brute-force attacks against the encryption keys and to unlocking the bootloader without wiping user data.
Sawyer published a timeline that begins with his discovery on Aug. 31. He disclosed the issue to Nextbit CTO Mike Chan the same day and tried to reach Foxconn through the Android Security Team and Qualcomm’s Product Security Initiative. Sawyer said he has had no success contacting Foxconn about other issues in the past, and this experience was no different. Nextbit, meanwhile, published a fix for its devices on Tuesday, a day before Sawyer’s disclosure.
“I reached out to Google and Qualcomm because their security teams have a better relationship with Foxconn,” Sawyer said. “But as far as I’m aware, there’s been nothing from Foxconn.”
Sawyer said exploitation is relatively simple.
“You just plug in a USB and run a program on your computer, and five seconds later, you’re sitting at a compromised device,” he said. “You have root and no SELinux, which is disabled in bootmode. It’s suddenly back to 2011. Game over.”
Sawyer explained that he found the leftover debugging feature while examining the Robin phone’s application bootloader, which is built on Qualcomm’s lk (Little Kernel) bootloader code and customized by Foxconn. He said a particular fastboot command “seemed out of place.” Fastboot is both a protocol and a host-side utility used to talk to the bootloader over USB and to flash firmware. The utility ships with the Android SDK, and a device can be booted into fastboot mode so that partitions or file system images can be re-flashed. Sawyer said he built a custom fastboot client that supports the out-of-place reboot command, which puts the device into a factory test mode. In that mode, the Android Debug Bridge (ADB) daemon runs as root with SELinux disabled, letting an outsider compromise the device and bypass its authentication controls.
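To make the “custom client” concrete, here is a minimal fastboot-protocol client added for this article. It is not Jon Sawyer’s code and not the SDK’s fastboot tool; it assumes a transport object exposing write(bytes) and read(max_len) -> bytes, which is what a USB bulk-endpoint wrapper would give you. FakeDevice is a constructed in-memory stand-in for a phone in fastboot mode, and the “oem example-test” command it accepts is made up for the fake only. The point it shows is that the host can send any command string at all; the protocol itself only constrains length and reply format, so a bootloader that answers OKAY to something the stock client never sends is worth a second look.

```python
"""Minimal fastboot-protocol client over an abstract USB-like transport.

Added example: not Jon Sawyer's client and not the SDK's fastboot tool.
Assumes a transport with write(bytes) and read(max_len) -> bytes;
FakeDevice below is a constructed stand-in for a phone in fastboot mode.
"""
from dataclasses import dataclass, field

MAX_COMMAND = 64  # the protocol caps a command at 64 ASCII bytes


@dataclass
class Reply:
    ok: bool                                  # OKAY (True) or FAIL (False)
    info: list = field(default_factory=list)  # INFO lines received first
    message: str = ""                         # payload after the 4-byte status


class FastbootClient:
    """Sends one command and collects INFO lines until OKAY or FAIL."""

    def __init__(self, transport):
        self.t = transport

    def command(self, cmd: str) -> Reply:
        raw = cmd.encode("ascii")
        if len(raw) > MAX_COMMAND:
            raise ValueError("fastboot command longer than 64 bytes")
        self.t.write(raw)
        info = []
        while True:
            resp = self.t.read(256)
            status = resp[:4].decode("ascii", "replace")
            payload = resp[4:].decode("ascii", "replace")
            if status == "INFO":        # progress text; keep reading
                info.append(payload)
            elif status == "OKAY":
                return Reply(True, info, payload)
            elif status == "FAIL":
                return Reply(False, info, payload)
            elif status == "DATA":      # download phase; not needed here
                raise NotImplementedError("DATA transfers are out of scope")
            else:
                raise ValueError(f"malformed fastboot reply: {resp!r}")


class FakeDevice:
    """Constructed in-memory device: answers standard getvar queries,
    accepts any extra commands it was configured with, FAILs the rest."""

    VARS = {"version": "0.5", "product": "example-dev", "serialno": "0123456789ABCDEF"}

    def __init__(self, extra_commands=None):
        self.extra = dict(extra_commands or {})  # made-up vendor commands
        self._queue = []                         # replies waiting to be read
        self.log = []                            # every command the host sent

    def write(self, data: bytes) -> None:
        cmd = data.decode("ascii")
        self.log.append(cmd)
        if cmd == "getvar:all":
            for k, v in self.VARS.items():
                self._queue.append(b"INFO" + f"{k}:{v}".encode())
            self._queue.append(b"OKAY")
        elif cmd.startswith("getvar:"):
            name = cmd[len("getvar:"):]
            if name in self.VARS:
                self._queue.append(b"OKAY" + self.VARS[name].encode())
            else:
                self._queue.append(b"FAILunknown variable")
        elif cmd in self.extra:
            self._queue.append(self.extra[cmd])
        else:
            self._queue.append(b"FAILunknown command")

    def read(self, max_len: int) -> bytes:
        return self._queue.pop(0)[:max_len]


def probe(client: FastbootClient, commands) -> dict:
    """Map each command string to whether the bootloader answered OKAY."""
    return {c: client.command(c).ok for c in commands}


if __name__ == "__main__":
    # "oem example-test" exists only on the fake device.
    dev = FakeDevice(extra_commands={"oem example-test": b"OKAY"})
    client = FastbootClient(dev)
    print(client.command("getvar:all").info)
    print(probe(client, ["getvar:product", "oem example-test", "oem bogus"]))
```

On a real device the transport would wrap the fastboot interface's bulk IN/OUT endpoints; the parsing loop above is unchanged, which is why a hidden command is only ever one string away from any host-side tool.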
Sawyer said all manufacturers use factory test modes like this one, but most do not ship them on production devices.
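A practitioner checking whether a production device has shipped with such a mode will, after each reboot path the bootloader offers, look at what ADB comes up as. The following added example (not from the article or from Sawyer) classifies the text printed by `adb shell id` and `adb shell getenforce`; the two sample outputs are constructed, and run_adb() only touches a real device if you call it with adb on PATH.

```python
"""Triage the ADB state a device comes up in after a reboot.

Added example, not from the article. classify() works on the text that
`adb shell id` and `adb shell getenforce` print; the samples below are
constructed. run_adb() only touches a real device if you call it.
"""
import re
import subprocess

UID_RE = re.compile(r"uid=(\d+)\((\w+)\)")

# Constructed samples of what the two commands print.
SAMPLE_PRODUCTION = (
    "uid=2000(shell) gid=2000(shell) groups=2000(shell) context=u:r:shell:s0",
    "Enforcing",
)
SAMPLE_FACTORY_MODE = (
    "uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0",
    "Disabled",
)


def classify(id_output: str, getenforce_output: str) -> str:
    """Return one of: shell-enforcing, root-enforcing,
    shell-no-selinux, root-no-selinux."""
    m = UID_RE.search(id_output)
    if not m:
        raise ValueError(f"unrecognised id output: {id_output!r}")
    is_root = int(m.group(1)) == 0
    mode = getenforce_output.strip().lower()
    if mode not in ("enforcing", "permissive", "disabled"):
        raise ValueError(f"unrecognised getenforce output: {getenforce_output!r}")
    selinux_off = mode != "enforcing"   # permissive logs but does not block
    if is_root and selinux_off:
        return "root-no-selinux"        # what the factory test mode hands out
    if is_root:
        return "root-enforcing"
    if selinux_off:
        return "shell-no-selinux"
    return "shell-enforcing"            # expected on a production build


def is_acceptable(state: str) -> bool:
    """Only an unprivileged shell under enforcing SELinux passes."""
    return state == "shell-enforcing"


def run_adb(*args: str) -> str:
    """Run `adb <args>` against the attached device (requires adb on PATH)."""
    return subprocess.run(["adb", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    samples = {"production": SAMPLE_PRODUCTION, "factory mode": SAMPLE_FACTORY_MODE}
    for name, (id_out, enf_out) in samples.items():
        state = classify(id_out, enf_out)
        print(f"{name}: {state} -> {'ok' if is_acceptable(state) else 'ALERT'}")
    # On a real device:
    # classify(run_adb("shell", "id"), run_adb("shell", "getenforce"))
```

Permissive is treated the same as disabled because either way no SELinux policy is enforced; a device that comes up as root in either state without user authentication is the condition the article describes.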
With the name Pork Explosion, meanwhile, he hopes to call out the continued branding of vulnerabilities.
“We just saw Quadrooter, which were four great vulnerabilities, but they received so much [public relations attention] over something that was just another kernel vulnerability,” Sawyer said. “It was nothing special, and neither is this. It just happens. Vulnerabilities deserve attention and should be fixed, but they don’t deserve PR firms pushing them. It just scares the customer.”