Exploitable security vulnerabilities have been discovered in chipsets used by Huawei, Qualcomm, MediaTek, and Nvidia. Used by popular Android devices sold by Sony, Google and Huawei, the vulnerabilities are tied to the phone's bootloader firmware according to University of California at Santa Barbara computer scientists.
Multiple vulnerabilities reported in popular Android bootloaders
Security researchers have reported (PDF) at least six vulnerabilities in mobile bootloaders, five of which are zero day flaws. "We evaluated bootloaders from four major device manufacturers, and discovered six previously unknown memory corruption or denial of service vulnerabilities, as well as two unlock-bypass vulnerabilities," the team wrote.
The vulnerabilities could be used to compromise a phone's bootloader system, brick the device, perform denial of service (DoS) attacks, and execute arbitrary code. The Santa Barbara team discovered these flaws using a BOOTSTOMP tool, which uses static analysis and dynamic symbolic execution to locate problem areas in mobile firmware.
"An attacker has to have root capabilities over a phone to exploit one of these six vulnerabilities," Nilo Redini, one of the nine computer scientists who coauthored the report, wrote. "One might say, 'Well if they have root access, that’s already game over. Why even bother?'"
However, Redini added that "if one can compromise a bootloader, they could achieve more than root capabilities and, for example, interfere with ARM’s TrustZone."
TrustZone is a SoC (System on Chip) that is widely used on Android phones and is considered a secure chip running out of the main OS and processor, handling secure processes like device encryption.
Affected bootloaders - Huawei's is the most severe
Over 60 percent of latest mobile devices use Qualcomm chipsets. These include high-end devices like Google Pixel. MediaTek is also a major chip maker with its processors found in Sony's handsets, among others. The researchers wrote that they examined five different bootloaders during this research. These include:
- Huawei P8 ALE-L23 (Huawei / HiSilicon chipset)
- Sony Xperia XA (MediaTek chipset)
- Nexus 9 (NVIDIA Tegra chipset)
- Two versions of Qualcomm's LK-based bootloader
Researchers focused on Huawei due to the architecture of its bootloader, calling its flaws the most severe, as it allowed attackers to break the Chain of Trust. "This vulnerability would not only allow one to break the chain of trust, but it would also constitute a means to establish persistence within the device that is not easily detectable by the user, or available to any other kind of attack," the report said.
Huawei has confirmed all the reported five vulnerabilities in its bootloader, while NVIDIA is working with the security researchers on a fix. It is unclear at the moment if any of the patches were delivered to the handsets as part of Google’s latest Android Security Bulletin.