Slashdot Mirror


Vulnerabilities Discovered In Mobile Bootloaders of Major Vendors (bleepingcomputer.com)

An anonymous reader writes: Android bootloader components from five major chipset vendors are affected by vulnerabilities that break the CoT (Chain of Trust) during the Android OS boot-up sequence, opening devices to attacks. The vulnerabilities were discovered with a new tool called BootStomp, developed by nine computer scientists from the University of California, Santa Barbara. Researchers analyzed five bootloaders from four vendors (NVIDIA, Qualcomm, MediaTek, and Huawei/HiSilicon). Using BootStomp, researchers identified seven security flaws, six new and one previously known (CVE-2014-9798). Of the six new flaws, bootloader vendors already acknowledged five and are working on a fix. "Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks," the research team said (PDF). "Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT."


  1. Free the Bootloaders by ShakaUVM · · Score: 4, Insightful

    Am I the only one that thinks that this information should have been released to the people making rootkits, and not the vendors?

    Time has shown that the vendors cannot be trusted and are far more evil than the people allowing people root access on their own machines. Bloatware, regressions through updates (often forced or nagged into acceptance), pushing their own branded crapware, removing options from the user, *preventing* the user from making the machine work the way they want it to, and so forth. You want to *not* have the screen turn on automatically when it starts charging? Sorry, you don't have permissions to do that on your own machine. They're evil. They should get the second look at these vulnerabilities after everyone who wants to root their devices has done so.

    1. Re:Free the Bootloaders by Anonymous Coward · · Score: 2, Insightful

      > Time has shown that the vendors cannot be trusted and are far more evil than the people allowing people root access on their own machines.

      Yah, but people will stop buying the bad ones, thus bankrupting those evil vendors. The Invisible Hand and Ponies will surely fix that!

      Oh, wait...

      Yes, all a bit tongue-in-cheek, but I think we're seeing a failure of the maxim "market forces for the benefit of all" dogma here.

    2. Re:Free the Bootloaders by Opportunist · · Score: 5, Interesting

      The sad realization is that the "black market" has in general lower and less harmful impact on your security and privacy than the device maker.

      Or, in a more direct way, the chance that a jailbreak tool gives you your privacy back is higher than a rootkit stealing even more of it. What could be stolen that has already been stolen?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    3. Re:Free the Bootloaders by admin7087 · · Score: 3, Insightful

      No, you're not the only one. This so-called "chain of trust" is ridiculous. People are forced to trust binary blobs of various nebulous business entities with a long history of nefarious business practices, bad security, and unnecessary collusion with sometimes shady government entities. That's pretty much the opposite of trustworthiness.

    4. Re:Free the Bootloaders by Opportunist · · Score: 3, Insightful

      The ultimate sad realization is that the person who bought the device isn't the one who gets to decide who to trust. I trust myself by default. But I am not the one who gets to trust. The manufacturer of the device I pay for gets to say who the device that (again) I PAID FOR trusts.

      THAT is what's ultimately wrong here. The fundamental aspect of ownership is to have total control over something. I own my living room table. I can, if I so please, turn it into firewood. Or sell it. I may put a different coat of paint on it or convert it into a workbench. And nobody, not the government or the carpenter that made it has any right to keep me from doing so.

      Why the FUCK is this different as soon as "on a computer" is added to the mix?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    5. Re:Free the Bootloaders by Sloppy · · Score: 3, Insightful

      It's an even sadder realization that the person who bought the device is NOT considered to be trusted by default, and that said person must hack the device they own to get that trust back.

      Never buy any hardware until after you have at least asked who is its master. Whose interests does that computer serve?

      And if the master isn't you, then instead of asking how much you pay for it, ask how much you're being paid to use it.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

    6. Re: Free the Bootloaders by brunes69 · · Score: 2

      Do you even know what a bootloader exploit is?

      Someone has to PHYSICALLY have your phone in their hands for 15 - 30 minutes to do anything at all with this.

      There are no real security issues with this at all. The only "security" at play here is the security of the vendor having control over what you can do with your own devices after you pay for it.

  2. Any Attack by aglider · · Score: 2

    Once you break into the boot process you can launch any type of attack and perform any type of action.
    From replacing firmware and recovery code to whatever else you can imagine.
    Even install a better custom ROM.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.

  3. From what manufacturers do to your phones by lwmv · · Score: 5, Insightful

    you can see the future of IoT. Tons of phones will never get any security updates. I don't think IoT manufacturers will do better than that. Internet of Things = Internet of Vulnerabilities.

    1. Re:From what manufacturers do to your phones by Opportunist · · Score: 3, Funny

      The Intelligently Designed Internet Of Things Systems are made for their acronym.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  4. Chain of Trust? by Opportunist · · Score: 2

    I have this mental image of a noose around my neck and someone yanking the attached chain. I think they mean that chain of trust? Trusting the chain to keep the user in rein?

    It's a chain of treachery. If anything, this is GOOD news. It may allow people to actually own their devices, at least for a while.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    1. Re:Chain of Trust? by Opportunist · · Score: 2

      Yes, this MAY allow someone to own your device, but it MAY also allow you to own it.

      Without, you MAY NOT own your own device, but someone else DOES own it with absolute certainty.

      You see the difference, I guess?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  5. More links by eulernet · · Score: 5, Informative

  6. Re:For the next few weeks.... by drinkypoo · · Score: 4, Insightful

    Most devices won't receive any updates even if they are totally compromised, because that's how much of a shit the vendors give about their customers. Only devices getting updates anyway will get locked back down.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:iOS really is more secure. by ArchieBunker · · Score: 2

    I think a jailbroken iPhone is the best of both worlds. Apple has the best hardware but locks it down unreasonably. My aging iPhone 5C (circa 2013) was still getting OS updates until iOS 11 was released. Show me an Android phone getting updates four years later.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard