Android Security: Major Chipset Vendors’ Code found to have Multiple Bootloader Bugs

Smartphone bootloader firmware should be secured even if the operating system is compromised. But researchers have discovered five flaws in major chipset vendors’ code that make the process out on a limb.

A group of researchers from the University of Carolina, Santa Barbara, built a tool called BootStomp which automatically detects security flaws in bootloaders that load the OS kernel when the device is on.

After analyzing code from four large chipset makers such as Qualcomm, MediaTek, Nvidia, and Huawei, two bootloaders found to have six zero-day flaws. They also rediscovered a known flaw in a Qualcomm bootloader using boot stomp. The vendors confirmed five out of the six new-found flaws.

According to them, bootloaders are hard to analyze with software partly because they are closed source, hardware specific, and hard to reverse-engineer. The creation of BootStomp aims to overcome the said difficulties.

“The goal of the BootStomp is to automatically identify security vulnerabilities that are related to the misuse of attacker-controlled non-volatile memory, trusted by the bootloader’s code,” the researchers explained.

“In particular, we envision using our system as an automatic system that, given a bootloader as input, outputs a number of alerts that could signal the presence of security vulnerabilities. Then, human analysts can analyze these alerts and quickly determine whether the highlighted functionality indeed constitutes a security threat.”

Securing the integrity of bootloaders is crucial to Google’s Verified Boot and ARM’s Trusted Boot. Bootloaders test each other’s integrity to create ‘chain of trust’. The device should be unstable if the bootloader components, a kernel, or the file system image is tampered.

This sequence should be a definite process that prevents a compromise even if the Android OS itself has been hacked. But still, the vendors are given the options to implement different bootloaders to suit their products.

By using BootStomp, 36 potentially dangerous paths are found during bootloading sequences by the researchers and they confirmed that one-third of those were vulnerabilities.

“Some of these vulnerabilities would allow an adversary with root privileges on the Android OS to execute arbitrary code as part of the bootloader. This compromises the entire chain of trust, enabling malicious capabilities such as access to the code and storage normally restricted to TrustZone, and to perform permanent denial-of-service attacks like device bricking.”

“Our tool also identified two bootloaders that can be unlocked by an attacker with root privileges on the OS.”

The five bootloaders were from devices which use different chipset families. These include Huawei P8 ALE-L23 with the Huawei/HiSilicon chipset, a Sony Xperia XA with a MediaTek chipset, and Nexus 9 with Nvidia’s Tegra chipset. They also examined an old and new version of Qualcomm’s bootloader.

The identified bug CVE-2014-9798 is a denial of service which affects an old version of Qualcomm’s bootloader. Of the new bugs identified, one is affecting Nvidia’s bootloader, and five are affecting Huawei Android bootloader.

According to the researchers, the Huawei’s bootloader design makes the bug “quite severe” because they let an attacker break the chain of trust, and gain persistence in the device which is hard to be detected by the user.

The paper made by the researchers was first presented in Vancouver Canada at the UNESIX conference by Bleeping Computer.