Six exploitable flaws in chipsets used by Huawei, Qualcomm, MediaTek and NVIDIA were found in popular Android handsets, according to a report by University of California at Santa Barbara computer scientists. Each of the flaws exist in phones sold by Huawei, Sony and Google, and are tied to each of the phones’ bootloader firmware.
The vulnerabilities allow an adversary with an existing foothold on phones to break the Chain of Trust during the boot-up sequence. The so-called Chain of Trust is part of Google’s Verified Boot process that validates device integrity and component authenticity during the boot-up sequence.
“An attacker has to have root capabilities over a phone to exploit one of these six vulnerabilities,” said Nilo Redini, one of the nine computer scientists who coauthored the report (PDF). “One might say, ‘Well if they have root access, that’s already game over. Why even bother?'”
Redini explained to Threatpost that some bootloaders operate with a privilege higher than necessary. “If one can compromise a bootloader, they could achieve more than root capabilities and, for example, interfere with ARM’s TrustZone,” he said.
TrustZone is a System on Chip (SoC) used widely on Android handsets and is supposed to be a walled-off secure area running outside the main processor and operating system. It handles highly sensitive processes such as device encryption.
“We evaluated bootloaders from four major device manufacturers, and discovered six previously unknown memory corruption or denial of service vulnerabilities, as well as two unlock-bypass vulnerabilities,” Redini said.
Researchers used a custom-built tool called BootStomp to identify each of the vulnerabilities. Of the six vulnerabilities found using BootStomp, five of them were confirmed by the vendors. A seventh bug was also discovered by researchers, but it was a known denial of service flaw (CVE-2014-9798) affecting an older version of Qualcomm’s bootloader.
“Some of these vulnerabilities would allow an adversary with root privileges on the Android OS to execute arbitrary code as part of the bootloader. This compromises the entire chain of trust, enabling malicious capabilities such as access to the code and storage normally restricted to TrustZone, and to perform permanent denial-of-service attacks (i.e., device bricking). Our tool also identified two bootloaders that can be unlocked by an attacker with root privileges on the OS.” according to the report presented at the recent USENIX conference in Vancouver, Canada.
In the report, researchers singled out Huawei’s bootloader describing the flaw it found as “quite severe” given it allowed attackers to break the Chain of Trust, gain persistence in the device and make an attack difficult to detect.
The research examined four bootloaders made by Qualcomm, HiSilicon Kirin (found in Huawei), NVIDIA’s hboot (found in Nexus9) and Mediatek (found in Sony Xperia XA). Researchers said vendors have confirmed the vulnerabilities and have made patches available. It’s unclear if those patches have been deployed to handsets as part of Google’s monthly Android Security Bulletin.