Slashdot Mirror
Android Devices That Contain Foxconn Firmware May Have a Secret Backdoor (softpedia.com)
An anonymous reader writes from a report via Softpedia: Some Android devices that contain firmware created by Foxconn may be vulnerable via a debugging feature left inside the bootloader, which acts as a backdoor and bypasses authentication procedures for any intruder with USB access to a vulnerable phone. By sending the "reboot-ftm" command to Android devices that contain Foxconn firmware, an attacker would authenticate via USB, and boot the device, running as root with SELinux disabled. There isn't a list of affected devices available yet, but Jon Sawyer, the researchers that discovered this hidden command, provides instructions on how to detect if a phone is affected. "Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products," Sawyer says.
I'd be shocked if they only had one.
Anybody who thinks they have any security or privacy what-so-ever on there phone is kidding themselves. Cellular phones are designed in such a way to enable tracking for the purpose of providing service. You can't avoid it, and at best we might be able to design a communication device (which has never been done) that reduces the resolution at which tracking can or need occur. The solution to the security (as opposed to tracking) problems is to release the complete set of source code. That won't make devices secure in and of itself, but it is an essential first step. The next would be reducing the code base such that the code could be properly cleaned up, audited and analysed for vulnerabilities, and hopefully fixed. These phones are also designed such that the modems have complete control over the entirety of the device or near-so. Once that is true (which it is for all or near all phones) you can't secure it. It's just not possible. The modem most be separate and not have access to memory/mic/etc or at least without the core OS giving it permission. The modem firmwares can and are remotely updated and have been used to remotely record and bug users. Cell phones are extremely dangerous devices.
So how many programmers have put in ostensible 'back doors' or let us say 'faults' so they can sell those "mistakes" to hackers for big $s.
Come on now, don't tell me the programmers in China and Taiwan are STUPID.
Oblig xkcd.
Also, it turns out "Randall Munroe" is just the name the Matrix gave to its future-predicting algorithm.
Nothing posted to
Considering the ROM in question is fixed in the fabs at TSMC or Samsung, it would be really hard to add another key. In addition, that would require the hardware have support for multiple signing keys.
Even if the keys were programmed after the fact, the ROM code would generally just assume the next stage loader code must be signed with a key in a specific location in OTP. And in general, only one key is valid - the boot ROM has only so much space and having to check additional keys takes up additional logic that may or may not be available.
So Foxconn would need to compromise two facilities, one in Texas (Samsung), one in Taiwan, change the masks ($100K each) that contain the boot ROM code and keys, then load on their compromised firmware.
Oh yeah, and they need to hack Apple so Apple's firmware distributes the modified binaries as well. Apple's ROM code is so sophisticated it can reload the firmware from scratch which would wipe out any of the Foxconn changes. (DFU recovery mode reloads the entire OS).