As mobile phones have gradually morphed into complete computing devices in the last few years with the advent of the iPhone and Android-based phones, mobile phone manufacturers and wireless carriers have been working to create new protection mechanisms to stop attacks against the increasingly complex platforms. But the companies also are fighting a seemingly futile battle against their own customers who are intent on jailbreaking or rooting their phones.
The most recent example of this came just last week when early buyers of the new HTC G2 Android-based phone sold by T-Mobile found that after rooting their phones and making some modifications, the devices would revert to their factory settings after a reboot. The customers soon started a thread in a support forum on the topic and the issue of rooting the HTC G2 became a hot topic in technical circles, as some people called out T-Mobile and HTC for supposedly adding a malicious rootkit to the G2.
Security experts say that the feature in the G2 that prevents permanent modifications to the device is not a rootkit, and is simply a function of the way that the phone’s storage works.
“In reality, the NAND storage on the phone is simply ignoring any writes that have been made to the /system partition, allowing it to be restored to a pristine state on each boot. Only authorized updates are able to make permanent changes to the firmware on the NAND. Obviously that statement only holds true until someone figures out how to bypass the mechanism,” said Jon Oberheide, a security researcher and co-founder of start-up Scio Security.
The G2 functionality is a clear example of just how interested device manufacturers and wireless companies are in preventing any sort of modifications to their devices, even those, like the G2, that are running a supposedly open operating system such as Android. Customers blamed T-Mobile for the modification, but the carrier said in a statement that HTC was responsible for the change.
“The HTC software implementation on the G2 stores some components in read-only memory as a security measure to prevent key operating system software from becoming corrupted and rendering the device inoperable. There is a small subset of highly technical users who may want to modify and re-engineer their devices at the code level, known as ‘rooting,’ but a side effect of HTC’s security measure is that these modifications are temporary and cannot be saved to permanent memory. As a result the original code is restored,” the statement said.
The Android platform is a Google product and while the company has taken pains to position it as an open platform, Apple has made no such claims about its iPhone iOS software. Apple has gone to great lengths to stop iPhone owners from jailbreaking their phones, releasing a number of updates that rolled back modifications that users made.
But that really hasn’t had much effect on iPhone owners jailbreaking their devices, and it’s now a very common practice, with plenty of sites set up to help owners through the process. However, Apple hasn’t gone to the lengths of adding hardware protections to the iPhone to prevent jailbreaking or other modifications. And while the G2 scenario is unique up to this point, it is indicative of the direction that carriers and manufacturers are going in their efforts not just to stop attackers from modifying phones with malicious code, but also to stop their customers from installing other operating systems and applications.
It’s a very difficult situation for companies such as Apple, HTC and others, especially with all of the resources at the disposal of attackers and device owners. In some ways, it’s turning into a mobile version of the old battle between desktop software makers and traditional attackers.
“The manufacturers are shipping devices into the hands of potentially malicious users. With hardware debuggers and everything else that people can get their hands on, it’s very difficult for them to stop this,” Oberheide said. “Attackers can buy untold numbers of your product and keep going until they win. Right now, it’s more of a hassle than anything.”
While the HTC G2 protection has prevented the current rooting attempts, it likely won’t be long before someone finds a way around that mechanism as well.