A group of nine researchers from the University of California, Santa Barbara have discovered a number of code-execution and denial-of-service zero-day flaws in the bootloaders of Android chipsets from six vendors.
They analyzed the interaction between the Android OS and the chipset using a custom tool dubbed “BootStomp” that automatically detects security vulnerabilities in bootloaders.
Since bootloaders are usually closed source and hard to reverse-engineer, performing analysis on them is difficult, especially because hardware dependencies hinder dynamic analysis.
Therefore, the researchers created BootStomp, which “uses a novel combination of static analysis techniques and underconstrained symbolic execution to build a multi-tag taint analysis capable of identifying bootloader vulnerabilities.”
The tool helped the researchers discover six previously unknown critical security bugs across bootloaders from HiSilicon (Huawei), Qualcomm, MediaTek, and NVIDIA, which could be exploited by attackers to unlock the device bootloader and install a custom malicious ROM and persistent rootkits.
Five of the vulnerabilities have already been confirmed by the respective chipset vendors. The researchers also found a known bug (CVE-2014-9798) in Qualcomm’s bootloaders, which was previously reported in 2014 but is still present and usable.
Some of the discovered flaws even allow an attacker with root privileges on the Android operating system to execute malicious code as part of the bootloader or to perform permanent denial-of-service attacks.
According to the researchers, the vulnerabilities impact ARM’s “Trusted Boot” or Android’s “Verified Boot” mechanisms that chipset vendors have implemented to establish a Chain of Trust (CoT), which verifies the integrity of each component the system loads while booting the device.
The researchers tested five different bootloader implementations in Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Nexus 9 (NVIDIA Tegra chipset), Sony Xperia XA (MediaTek chipset) and two versions of the LK-based bootloader, developed by Qualcomm.
The researchers discovered five critical vulnerabilities in the Huawei Android bootloader:
- An arbitrary memory write or denial of service (DoS) issue when parsing Linux Kernel’s DeviceTree (DTB) stored in the boot partition.
- A heap buffer overflow issue when reading the root-writable oem_info partition.
- A root user’s ability to write the nve and oem_info partitions, from which configuration data and memory access permissions governing the smartphone’s peripherals can be read.
- A memory corruption issue that could allow an attacker to install a persistent rootkit.
- An arbitrary memory write bug that lets an attacker run arbitrary code as the bootloader itself.
The vulnerabilities discovered by the researchers rely on the attacker’s ability to write to the non-volatile memory that the bootloader reads. For this reason, the researchers propose a series of mitigation strategies that both limit the attack surface of the bootloader and enforce various desirable properties aimed at safeguarding the security and privacy of users. The measures include the use of hardware features, already implemented in most modern devices, that prevent writing to specific partitions of the memory.
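The bug class above (a heap overflow while reading a root-writable oem_info partition) comes down to a bootloader trusting a length it read from flash. The following C sketch is an added example, not code from the paper, BootStomp, or any vendor bootloader: the record layout, magic value and size limits are constructed, and `oem_parse` shows the bounds a parser needs once every byte of the partition is treated as attacker-controlled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed header for a configuration record kept in a writable partition
 * (an oem_info-style blob). Layout and magic value are hypothetical. */
struct oem_hdr {
    uint32_t magic;   /* must equal OEM_MAGIC */
    uint32_t len;     /* payload length as claimed by the bytes in flash */
};
#define OEM_MAGIC       0x4F454D31u   /* "OEM1", constructed */
#define OEM_MAX_PAYLOAD 64u           /* largest payload the boot policy accepts */

/* Parses one record from a part_size-byte partition image into out[out_size].
 * Returns the payload length copied, or -1 if the record is rejected. The unsafe
 * pattern behind this bug class is memcpy(out, part + sizeof hdr, hdr.len) with
 * hdr.len taken from flash unchecked; here every header field is treated as
 * attacker-controlled and bounded against policy, destination and source. */
int oem_parse(const uint8_t *part, size_t part_size, uint8_t *out, size_t out_size)
{
    struct oem_hdr hdr;
    if (part_size < sizeof hdr) return -1;            /* header must fit in the image */
    memcpy(&hdr, part, sizeof hdr);                   /* copy out: no unaligned access */
    if (hdr.magic != OEM_MAGIC) return -1;
    if (hdr.len > OEM_MAX_PAYLOAD) return -1;         /* policy bound */
    if (hdr.len > out_size) return -1;                /* destination bound */
    if (hdr.len > part_size - sizeof hdr) return -1;  /* source bound; no wrap, part_size >= 8 */
    memcpy(out, part + sizeof hdr, hdr.len);
    return (int)hdr.len;
}

/* Builds a constructed image whose header claims claimed_len payload bytes while
 * holding only real_len, then parses it into a fixed buffer. Returns oem_parse's result. */
int oem_demo(uint32_t claimed_len, size_t real_len)
{
    uint8_t image[128], out[OEM_MAX_PAYLOAD];
    struct oem_hdr hdr = { OEM_MAGIC, claimed_len };
    if (real_len > sizeof image - sizeof hdr) return -2;
    memcpy(image, &hdr, sizeof hdr);
    memset(image + sizeof hdr, 0xA5, real_len);       /* filler payload, constructed */
    return oem_parse(image, sizeof hdr + real_len, out, sizeof out);
}

int main(void)
{
    printf("well-formed record: %d\n", oem_demo(16, 16));      /* 16 */
    printf("forged length:      %d\n", oem_demo(0x10000, 16)); /* -1: exceeds policy bound */
    printf("truncated image:    %d\n", oem_demo(60, 8));       /* -1: image shorter than claimed */
    return 0;
}
```

The hardware write-protection the researchers recommend removes the attacker's ability to plant such a record at all; the checks above are the software-side defence for partitions that must stay writable.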