Much of our Android security coverage focuses on malicious apps Sophos researchers find in Google Play and elsewhere. But the latest threat comes from a different direction: bootloader vulnerabilities that bad actors could exploit to gain root access to phones and use to launch attack code.
Nine computer scientists from the University of California at Santa Barbara made the discovery while analyzing the interaction between the Android operating system and phone bootloading chips at power-up. Ultimately, they wrote in a paper:
Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks. Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT.
What that means, warns SophosLabs, is that
… at least some of the vulnerabilities work even if the bootloader is not unlocked. In fact, one of the case studies shows a vulnerability where the malicious code can unlock the bootloader, allowing it to load any unsigned firmware.
The danger exposed
The tool they built for this research is called BootStomp, which uncovered exploitable flaws in chips from Huawei, Qualcomm, MediaTek and NVIDIA. Six flaws were new, while another had previously been identified and outlined in Common Vulnerabilities and Exposures bulletin CVE-2014-9798.
The researchers focused on five different bootloaders from four different vendors:
- Huawei / HiSilicon chipset [Huawei P8 ALE-L23]
- NVIDIA Tegra chipset [Nexus 9]
- MediaTek chipset [Sony Xperia XA]
- Qualcomm’s new LK bootloader
- Qualcomm’s old LK bootloader
They already knew about the CVE-2014-9798 bug, and when BootStomp re-identified it, they knew their tool would work. The researchers then branched out and uncovered one security hole in the NVIDIA chipset and five in HiSilicon’s bootloaders.
The vulnerabilities compromise the entire chain of trust, enabling malicious capabilities such as access to the code and storage normally restricted to TrustZone, and to perform permanent denial-of-service attacks (i.e., device bricking), the researchers wrote.
The researchers noted that if the bootloaders’ chain of trust were the same for any chipset, the vulnerabilities might not have appeared. But they are not the same. To make it easier for silicon vendors, Google left plenty of wiggle room for customization.
Mass infections unlikely
Since most of the flaws are newly discovered, it could be a while before the vendors patch them. Fortunately, according to Sophos researchers who analyzed the report, a fair amount of effort is required to exploit these attack vectors. SophosLabs Android researcher Jagadeesh Chandraiah put it this way:
From a Sophos customer’s perspective, malware could be written using this knowledge but to penetrate devices they need a lot of effort and also, since this is at the bootloader level, malware authors also need more expertise to write successful malware as nothing exists on the internet at the moment.
When the exploit goes public, Chandraiah said we might see them used in targeted attacks. But, he added:
For now, mass infections are unlikely from what I can see. Customers should not be too worried. If they are not tech-savvy, they should avoid trying to unlock and root the bootloader and follow the usual best practices.
The continued presence of malicious and compromised Android apps and processes demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android. By blocking the install of malware from the outset, you can spare yourself lots of trouble.
