A team of nine computer scientists from the University of California, Santa Barbara discovered vulnerabilities in Android bootloader components from five major chipset vendors that break the CoT (Chain of Trust) during the boot-up sequence, opening devices to attacks.
Components of Android bootloaders are generally hard to analyze because they are closed-source and tend to lack the metadata (such as program headers or debugging symbols) that is usually found in normal programs and that helps reverse engineering and security audits.
The researchers therefore focused on developing a new tool, named BootStomp, specialised in testing and analyzing bootloaders.
“The goal of BootStomp is to automatically identify security vulnerabilities that are related to the misuse of attacker-controlled non-volatile memory, trusted by the bootloader’s code. In particular, we envision using our system as an automatic system that, given a bootloader as input, outputs a number of alerts that could signal the presence of security vulnerabilities. Then, human analysts can analyze these alerts and quickly determine whether the highlighted functionality indeed constitutes a security threat.”
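The bug class the quote describes, as an added illustration that is not code from the paper or from BootStomp: a bootloader reads a partition header from flash and, in the unsafe form, feeds its size and address fields straight into a memcpy. The hardened version below validates every attacker-controllable field first; the header layout, magic value and RAM constants are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed header layout for a kernel partition read from flash. When the
 * partition is writable from a rooted OS every field is attacker-controlled,
 * so nothing in it may steer memcpy or a jump until it has been validated. */
typedef struct {
    uint32_t magic;
    uint32_t kernel_size;  /* bytes that follow the header */
    uint32_t load_addr;    /* physical destination in RAM */
} boot_header_t;

#define BOOT_MAGIC 0x544F4F42u            /* constructed value */
#define RAM_BASE   0x80000000u            /* hypothetical RAM window */
#define RAM_SIZE   (64u * 1024u * 1024u)
#define MAX_KERNEL (16u * 1024u * 1024u)

/* True only when every NVM-derived field is safe to act on. */
bool boot_header_is_sane(const boot_header_t *h, size_t partition_len) {
    if (partition_len < sizeof(*h) || h->magic != BOOT_MAGIC) return false;
    if (h->kernel_size == 0 || h->kernel_size > MAX_KERNEL) return false;
    if (h->kernel_size > partition_len - sizeof(*h)) return false; /* fits in partition */
    uint64_t end = (uint64_t)h->load_addr + h->kernel_size;      /* 64-bit: no wrap */
    return h->load_addr >= RAM_BASE && end <= (uint64_t)RAM_BASE + RAM_SIZE;
}

/* Simulated load into a RAM model (which may be smaller than RAM_SIZE); returns
 * bytes loaded, or 0 when rejected. Image signature checks are out of scope here. */
size_t load_kernel(const uint8_t *partition, size_t partition_len,
                   uint8_t *ram, size_t ram_len) {
    boot_header_t h;
    if (partition_len < sizeof(h)) return 0;
    memcpy(&h, partition, sizeof(h));             /* no unaligned flash access */
    if (!boot_header_is_sane(&h, partition_len)) return 0;
    size_t off = (size_t)(h.load_addr - RAM_BASE);
    if (off > ram_len || h.kernel_size > ram_len - off) return 0;
    memcpy(ram + off, partition + sizeof(h), h.kernel_size);
    return h.kernel_size;
}

/* Constructed test image: header plus an 8-byte payload; returns what load_kernel accepted. */
size_t demo_load(uint32_t kernel_size, uint32_t load_addr) {
    uint8_t partition[sizeof(boot_header_t) + 8], ram[64];
    boot_header_t h = { BOOT_MAGIC, kernel_size, load_addr };
    memcpy(partition, &h, sizeof(h));
    memset(partition + sizeof(h), 0xAB, 8);
    return load_kernel(partition, sizeof(partition), ram, sizeof(ram));
}
```

A static analyzer in the spirit of BootStomp would flag the unchecked variant because data read from the partition reaches a memory-write sink; the checks above are what such an alert should lead a reviewer to confirm are present.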
By using BootStomp, the research team found seven flaws, including six new and one previously known (CVE-2014-9798). Of the six new flaws, bootloader vendors already acknowledged and confirmed five.
"Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks," the research team said. "Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT."
For their work, the researchers considered five different bootloaders from four different vendors:
- Huawei / HiSilicon chipset [Huawei P8 ALE-L23]
- NVIDIA Tegra chipset [Nexus 9]
- MediaTek chipset [Sony Xperia XA]
- Qualcomm's new LK bootloader
- Qualcomm's old LK bootloader
The researchers also found a vulnerability in the NVIDIA chipset, and five in HiSilicon bootloaders.