Trusted Kernel Exploit Used to Unlock Motorola Android Devices

A researcher looking for a way to jailbreak locked down Motorola Android devices found a loophole in hardware-embedded security system to do just that.

A researcher looking for a way to jailbreak locked down Motorola Android devices found a loophole in hardware-embedded security system to do just that.

Dan Rosenberg of Azimuth Security, a consultancy headquartered in Sydney, Australia, reported that he was able to exploit a vulnerability in the trusted kernel running inside Motorola’s latest Android devices, the Atrix HD, Razr HD, and Razr M, all of which run on the Qualcomm MSM8960 chipset.

Mobile hardware manufacturers make use of these security mechanisms integrated onto chips, such as ARM’s TrustZone, in order to give sensitive applications such as mobile payment applications or digital rights management an isolated environment on which to execute.  Motorola is one such phone maker that has integrated ARM TrustZones onto a number of its smartphones including the aforementioned Android devices.

Rosenberg said TrustZones are used for applications where there is a need to generate an encryption key that must be stored securely.

“TrustZones are a set of security extensions to the ARM processor that allows the phone to run a secure kernel alongside the main kernel running on the device,” Rosenberg said, adding that the secure kernel is set aside in regions of memory that even someone with administrative privileges on the kernel cannot access. The TrustZone has to enable kernel access for applications such as Google Wallet or other mobile payment apps, for example.

“Motorola used it as a way of controlling the bootloader unlocking process,” Rosenberg said. “I found a vulnerability in the TrustZone kernel running on these phones. I was able to exploit the TrustZone kernel, unlock the bootloader and then install any kind of OS.”

Different phones will employ different TrustZone kernels, Rosenberg said, meaning that other phones would not necessarily be vulnerable to the same exploit. Also, the risks with this particular exploit are low, Rosenberg said, adding that this issue does not put users at risk.

“These phones don’t support Google Wallet, for example, so there’s no risk of stealing money,” Rosenberg said. “You have to take it on a case-by-case basis. Vulnerabilities in TrustZones implementations can have security impacts; this one not so much. As the industry shifts toward relying on TrustZone kernels to do more security sensitive tasks, I’m sure people will be looking more and more into them.”

While Rosenberg’s work may have opened the door to further TrustZone research, he has gained favor with an Android culture very much against a locked-down ecosystem. Unlike Google Nexus devices which ship with an unlocked bootloader, most carriers and handset makers frown on enabling users to customize the operating system on their device and voluntarily voiding their warranties.

By unlocking the bootloader, users can customize the Android OS or download applications that don’t work on stock Android devices, for example, Rosenberg said. The Motorola phones he tinkered with are locked down and refuse to boot any operating system that is not signed by the carrier or Motorola. He looked at consumer versions of the devices; there are developer devices on the market that can be unlocked and deliberately void the warranty. Rosenberg said these devices haven’t taken off with users because the carriers refuse to subsidize developer devices.

Rosenberg said that he has not reported the issue to Motorola because it does not put users at risk. “I’ve had very positive reaction; people seem to enjoy this type of research,” he said. “It’s going to be a hot topic going forward, especially as more begin to implement electronic payment apps.”

Suggested articles


  • ignoguisy on

    A tooth (plural teeth) is a small, calcified, whitish build initiate in the jaws (or mouths) of innumerable vertebrates and occupied to break down food. Some animals, particularly carnivores, also use teeth in behalf of hunting or in place of defensive purposes. The roots of teeth are covered by means of gums. Teeth are not made of bone, but to a certain extent of multiple tissues of varying density and hardness. The ordinary structure of teeth is alike resemble across the vertebrates, although there is respectable converting in their fabric and position. The teeth of mammals drink profound roots, and this figure is also found in some fish, and in crocodilians. In most teleost fish, how, the teeth are spoken for to the outer surface of the bone, while in lizards they are fastened to the inner surface of the jaw by a man side. In cartilaginous fish, such as sharks, the teeth are unavailable beside cold ligaments to the hoops of cartilage that construct the jaw.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.