Vulnerabilities Discovered In Mobile Bootloaders of Major Vendors (bleepingcomputer.com)
An anonymous reader writes: Android bootloader components from five major chipset vendors are affected by vulnerabilities that break the CoT (Chain of Trust) during the Android OS boot-up sequence, opening devices to attacks. The vulnerabilities were discovered with a new tool called BootStomp, developed by nine computer scientists from the University of California, Santa Barbara. Researchers analyzed five bootloaders from four vendors (NVIDIA, Qualcomm, MediaTek, and Huawei/HiSilicon). Using BootStomp, researchers identified seven security flaws, six new and one previously known (CVE-2014-9798). Of the six new flaws, bootloader vendors already acknowledged five and are working on a fix. "Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks," the research team said (PDF). "Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT."
Am I the only one that thinks that this information should have been released to the people making rootkits, and not the vendors?
Time has shown that the vendors cannot be trusted and are far more evil than the people allowing people root access on their own machines. Bloatware, regressions through updates (often forced or nagged into acceptance), pushing their own branded crapware, removing options from the user, *preventing* the user from making the machine work the way they want it to, and so forth. You want to *not* have the screen turn on automatically when it starts charging? Sorry, you don't have permissions to do that on your own machine. They're evil. They should get the second look at these vulnerabilities after everyone who wants to root their devices has done so.
Never thought I'd be a switcher.
"damn it"
We get to root our phones.
This perpetual motion machine Lisa made is a joke, it just keeps getting faster and faster. - Homer
Some of those vulnerabilities only work if the owner has rooted their own device. Which proves that Hillary Clinton would have been a better president than Trump. I still can't believe we replaced Barack and Michael Obama with Donald Trump.
I have a lot of older devices that I want this for.
Furthermore it just proves the NSA/FBI/your local spooks and kooks, probably have had this shit for years, or had agents ensure the same field of exploits were inserted into each company's bootloaders.
This is why they want keys THEY control in place, and why they don't want end users able to program the devices in a way that makes it difficult or impossible for them to compromise.
captcha was 'travesty'. Indeed, indeed it is.
I am a public defender in a large southern metropolitan area. Fewer than ten percent of the people in the area I serve are black but over 90 percent of my clients are black. The remaining ten percent are mainly Hispanics but there are a few whites.
I have no explanation for why this is, but crime has racial patterns. Hispanics usually commit two kinds of crime: sexual assault on children and driving under the influence. Blacks commit many violent crimes but very few sex crimes. The handful of whites I see commit all kinds of crimes. In my many years as a public defender I have represented only three Asians, and one was half black.
As a young lawyer, I believed the official story that blacks are law abiding, intelligent, family-oriented people, but are so poor they must turn to crime to survive. Actual black behavior was a shock to me.
The media invariably sugarcoat black behavior. Even the news reports of the very crimes I dealt with in court were slanted. Television news intentionally leaves out unflattering facts about the accused, and sometimes omits names that are obviously black. All this rocked my liberal, tolerant beliefs, but it took me years to set aside my illusions and accept the reality of what I see every day. I have now served thousands of blacks and their families, protecting their rights and defending them in court. What follow are my observations.
Although blacks are only a small percentage of our community, the courthouse is filled with them: the halls and gallery benches are overflowing with black defendants, families, and crime victims. Most whites with business in court arrive quietly, dress appropriately, and keep their heads down. They get in and get out, if they can, as fast as they can. For blacks, the courthouse is like a carnival. They all seem to know each other: hundreds and hundreds each day, gossiping, laughing loudly, waving, and crowding the halls.
When I am appointed to represent a client I introduce myself and explain that I am his lawyer. I explain the court process and my role in it, and I ask the client some basic questions about himself. At this stage, I can tell with great accuracy how people will react. Hispanics are extremely polite and deferential. An Hispanic will never call me by my first name and will answer my questions directly and with appropriate respect for my position. Whites are similarly respectful.
A black man will never call me Mr. Smith; I am always "Mike." It is not unusual for a 19-year-old black to refer to me as "dog." A black may mumble complaints about everything I say, and roll his eyes when I politely interrupt so I can continue with my explanation. Also, everything I say to blacks must be at about the third-grade level. If I slip and use adult language, they get angry because they think I am flaunting my superiority.
At the early stages of a case, I explain the process to my clients. I often do not yet have the information in the police reports. Blacks are unable to understand that I do not yet have answers to all of their questions, but that I will by a certain date. They live in the here and the now and are unable to wait for anything. Usually, by the second meeting with the client I have most of the police reports and understand their case.
Unlike people of other races, blacks never see their lawyer as someone who is there to help them. I am a part of the system against which they are waging war. They often explode with anger at me and are quick to blame me for anything that goes wrong in their case.
Black men often try to trip me up and challenge my knowledge of the law or the facts of the case. I appreciate sincere questions about the elements of the offense or the sentencing guidelines, but blacks ask questions to test me. Unfortunately, they are almost always wrong in their reading, or understanding, of the law, and this can cause friction. I may repeatedly explain the law, and provide copies of the statute showing, for example, why my client must serve six ye
Once you break into the boot process you can launch any type of attack and perform any type of action.
From replacing firmware and recovery code to whatever else you can imagine.
Even install a better custom ROM.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
You can see the future of IoT. Tons of phones will never get any security updates. I don't think IoT manufacturers will do better than that. Internet of Things = Internet of Vulnerabilities.
How does one gain access to bootloader code without an ICE? And if you have that access, what difference do security holes make?
E.g., I would use memcpy to move the OS and application from ROM to RAM, then jump to the RAM start address. How would you attack this?
The source of this evil is simple: That "chain of trust" isn't about security, but it's about control. Whether the control buys you security is something else again. But it is clear that the signed boot rigmarole puts the control firmly in the hands of the vendor, and not of the customer. For the customer is a consumer and therefore not to be trusted. See how this works?
Let me spell it out: Because the consumer is not to be trusted he cannot have control, therefore the signing is control over the device in the hands of the vendor and thereby security against the consumer. It's entirely logical. It's also literally the reason all those things talk about "trust": It means the vendor can "trust" you haven't installed your own firmware. It does not mean the firmware is fault-free nor does it mean other actors, like certain state actors well-known for this trick, haven't injected code of their own into the signed code chain.
More like Chain of No Trust! Am I right, guys?!
I have this mental image of a noose around my neck and someone yanking the attached chain. I think they mean that chain of trust? Trusting the chain to keep the user in reign?
It's a chain of treachery. If anything, this is GOOD news. It may allow people to actually own their devices, at least for a while.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
BootStomp's code:
https://github.com/ucsb-seclab...
UCSB's team site:
https://seclab.cs.ucsb.edu/aca...
What do you expect from China phones? Seriously folks, nobody in China has any moral or ethical business practices in that country. Maybe a few still have a commitment but there is a lot of crappy poorly vetted Chinese electronics out there.
Don't ever reboot your phone?
The more unlocked bootloaders, the better.
That said, it'd be better if Google made it possible for custom ROMs to pass SafetyNet/CTS - instead of having it act as obsolescence enforcement.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
we can finally install Windows on our locked down android phones?
You think the boot process is as follows:
1. Use memcpy to move the OS and application from ROM to RAM
2. Jump to the RAM start address
This is not the case. In fact, the boot process is more similar to the following:
1. Use memcpy to move the OS and application from ROM to RAM
2. Calculate the hash value of the OS and application
3. Decrypt the previously stored hash value of the OS and application using the OS publisher's hardcoded public key
4. If the hash values differ, hang
5. Jump to the RAM start address
The attacks are on steps 2 through 4. The summary mentions a "chain of trust"; this is so-called because the bootloader verifies the kernel in this manner, the kernel the userspace, and the userspace the apps.
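The five-step sequence above, and the earlier question about why a plain "memcpy from ROM to RAM, then jump" loader is attackable, can both be made concrete. The C below is an added illustration, not code from the BootStomp paper, its repository, or any vendor bootloader, and it does not reproduce any of the seven reported flaws. It assumes a made-up on-flash header format (struct img_hdr), a constructed flash buffer standing in for a partition, FNV-1a as a short stand-in for SHA-256, and a trusted digest passed in as if the ROM had already checked a signature with its hardcoded public key. The security point it shows: once the OS is rooted, every field the loader reads from a writable partition (sizes, offsets, entry points) is attacker input, so the loader must bound each value before it drives a copy or a jump, and must hash the bytes it actually copied into RAM rather than the flash original.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_MAGIC      0x4B4E5242u  /* made-up magic for this example */
#define FLASH_CAPACITY 8192u        /* constructed "flash partition" size */
#define RAM_CAPACITY   1024u        /* constructed load region in RAM */

/* On-flash image header (assumed format). Once the OS is rooted, every
 * field here is attacker input: it lives in a partition the OS can write. */
struct img_hdr {
    uint32_t magic;
    uint32_t size;    /* payload length in bytes, as claimed by the image */
    uint32_t entry;   /* entry offset inside the payload */
};

enum boot_status {
    BOOT_OK = 0,
    BOOT_ERR_MAGIC,   /* not an image we recognise */
    BOOT_ERR_SIZE,    /* claimed size does not fit the RAM region or flash */
    BOOT_ERR_ENTRY,   /* entry point lies outside the verified payload */
    BOOT_ERR_DIGEST   /* payload differs from what the ROM trusts */
};

/* FNV-1a stands in for SHA-256 only to keep the example short; it is not
 * collision resistant and must not be used for real verification. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ull;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ull; }
    return h;
}

/* Hardened "memcpy then jump": every value read from flash is bounded
 * before it drives a copy or a jump, and the RAM copy is what gets hashed. */
enum boot_status load_image(const uint8_t *flash, size_t flash_len,
                            uint8_t *ram, size_t ram_len,
                            uint64_t trusted_digest, uint32_t *entry_out)
{
    struct img_hdr hdr;
    if (flash_len < sizeof hdr)
        return BOOT_ERR_SIZE;
    memcpy(&hdr, flash, sizeof hdr);          /* avoid unaligned access */
    if (hdr.magic != IMG_MAGIC)
        return BOOT_ERR_MAGIC;
    /* The check the naive loader lacks: using hdr.size directly as the
     * memcpy length lets an edited header write past the end of ram. */
    if (hdr.size > ram_len || hdr.size > flash_len - sizeof hdr)
        return BOOT_ERR_SIZE;
    memcpy(ram, flash + sizeof hdr, hdr.size);
    if (hdr.entry >= hdr.size)
        return BOOT_ERR_ENTRY;
    /* Hash the bytes that will actually run, not the flash original. */
    if (fnv1a64(ram, hdr.size) != trusted_digest)
        return BOOT_ERR_DIGEST;
    *entry_out = hdr.entry;                   /* caller may now jump here */
    return BOOT_OK;
}

/* Write header + payload into the constructed flash buffer and return the
 * digest the ROM is assumed to trust (on a real device this would come
 * from a signature checked against a key hardcoded in ROM). */
static uint64_t build_image(uint8_t *flash, const uint8_t *payload,
                            uint32_t size, uint32_t entry)
{
    struct img_hdr hdr = { IMG_MAGIC, size, entry };
    memcpy(flash, &hdr, sizeof hdr);
    memcpy(flash + sizeof hdr, payload, size);
    return fnv1a64(payload, size);
}

/* Constructed scenarios: 0 = untouched image, 1 = size field rewritten by
 * a root attacker, 2 = one payload byte flipped, 3 = entry offset pointed
 * outside the payload. Returns the loader's verdict for each. */
enum boot_status scenario(int which)
{
    static uint8_t flash[FLASH_CAPACITY];
    static uint8_t ram[RAM_CAPACITY];
    uint8_t payload[256];
    uint32_t entry = 0;
    for (int i = 0; i < 256; i++) payload[i] = (uint8_t)i;
    memset(flash, 0, sizeof flash);
    uint64_t trusted = build_image(flash, payload, sizeof payload, 0x10);
    if (which == 1) {
        uint32_t huge = 0x40000000u;          /* far larger than ram */
        memcpy(flash + offsetof(struct img_hdr, size), &huge, sizeof huge);
    } else if (which == 2) {
        flash[sizeof(struct img_hdr) + 7] ^= 0x80;
    } else if (which == 3) {
        uint32_t bad = 1000;                  /* beyond the 256-byte payload */
        memcpy(flash + offsetof(struct img_hdr, entry), &bad, sizeof bad);
    }
    return load_image(flash, sizeof flash, ram, sizeof ram, trusted, &entry);
}

int main(void)
{
    const char *names[] = { "clean image", "oversized size field",
                            "tampered payload", "entry outside payload" };
    for (int i = 0; i < 4; i++)
        printf("%-22s -> status %d\n", names[i], (int)scenario(i));
    return 0;
}
```

Note the ordering: the size bound runs before the copy, the entry bound before anything could use it, and the digest check last, over the RAM copy. A loader that hashed the flash image and then copied it, or that copied first and bounded later, would already have executed the memory-unsafe step on attacker-chosen values, which is exactly where "arbitrary code as part of the bootloader" comes from.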
3 of the 4 don't come from China. NVIDIA and Qualcomm are US companies and MediaTek is based in Taiwan.
To what extent does Taiwan, Republic of China, have more practical autonomy from the PRC than, say, Hong Kong SAR?
I think they actually mean:
"Some of these vulnerabilities would allow a user to execute arbitrary code as part of the bootloader (thus allowing users to have some control over their devices), or to perform installations of custom Android versions with better security than the one that the vendor still hasn't updated after 4 years," the research team said (PDF)
This was the most useful information that most people were looking for after skimming this article :)