Mobile Bootloaders From Major Hardware OEMs Reportedly Overrun With Security Holes

There is a good chance that your Android device is insecure from the get-go. In examining smartphone bootloader firmware, security researchers from the University of California, Santa Barbara found vulnerabilities in bootloader components from five major chipset vendors. In each case, these flaws break what is called the CoT (Chain of Trust) during the boot-up process, ultimately leaving devices susceptible to attack.

The researchers built a tool called BootStomp to automatically find security vulnerabilities that stem from the bootloader's code trusting data held in non-volatile memory that an attacker may have tampered with. Using BootStomp to examine previously obscure bootloader code and then analysing its findings, the researchers found a total of seven security flaws, six of them new and one previously known. Of the half a dozen newly found flaws, bootloader vendors have acknowledged and confirmed five.
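As an added illustration of that bug class (not code from BootStomp or from any vendor's bootloader), the toy C parser below reads a partition header out of flash in two ways: one that trusts the length field it finds there, and one that validates it before copying. The header layout, the function names and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16   /* fixed in-RAM buffer, as a bootloader would have */

/* Parsed partition entry. */
struct part_hdr {
    char name[NAME_MAX];
    uint32_t name_len;
};

/* On-flash layout (constructed for this example, not any real format):
 *   0..3  magic "BTHD"   4..7  little-endian name length   8..  name bytes */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe pattern: the length field comes from flash, which anyone able to
 * write that partition controls, yet it bounds a copy into a fixed RAM
 * buffer. This is the "trusting non-volatile memory" bug class. */
int parse_hdr_trusting(const uint8_t *nvm, size_t nvm_len, struct part_hdr *hdr) {
    if (nvm_len < 8 || memcmp(nvm, "BTHD", 4) != 0) return -1;
    hdr->name_len = le32(nvm + 4);
    memcpy(hdr->name, nvm + 8, hdr->name_len);  /* oversized length overruns name */
    return 0;
}

/* Hardened pattern: every field read from flash is checked against the
 * destination buffer and against the bytes actually present, with the
 * comparison written so a huge length cannot wrap the arithmetic. */
int parse_hdr_checked(const uint8_t *nvm, size_t nvm_len, struct part_hdr *hdr) {
    if (nvm_len < 8 || memcmp(nvm, "BTHD", 4) != 0) return -1;
    uint32_t len = le32(nvm + 4);
    if (len >= NAME_MAX) return -2;          /* leave room for the terminator */
    if (len > nvm_len - 8) return -3;        /* claims more bytes than exist */
    memcpy(hdr->name, nvm + 8, len);
    hdr->name[len] = '\0';
    hdr->name_len = len;
    return 0;
}

/* Constructed sample headers: well-formed, hostile length, and truncated. */
static const uint8_t GOOD_HDR[]  = { 'B','T','H','D', 4,0,0,0, 'b','o','o','t' };
static const uint8_t BAD_HDR[]   = { 'B','T','H','D', 0xff,0xff,0xff,0xff, 'x' };
static const uint8_t TRUNC_HDR[] = { 'B','T','H','D', 8,0,0,0, 'a','b' };
```

The same principle applies to any flag a bootloader reads from storage to make a security decision, such as an unlock state: it must be validated and cryptographically bound, not simply believed.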

Image: Sony Xperia XA (Source: Flickr, Kārlis Dambrāns)

"Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks," the researchers warn. "Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT."

The five bootloaders were from devices using three different chipset families. They include:

The researchers also looked at new and old Qualcomm bootloaders. When BootStomp rediscovered a bug in Qualcomm's old LK bootloader that the team already knew existed, they had confirmation that the tool was working as intended.

The researchers concluded in a related paper (PDF) that current standards and guidelines are not sufficient to guide developers toward creating security solutions.

Thumbnail Image Source: Flickr (brownpau)
