Android security: Multiple bootloader bugs found in major chipset vendors' code - ZDNet


Posted: 04 Sep 2017 12:00 AM PDT


The researchers have found flaws in bootloaders from a number of makers but note that the design of Huawei's bootloader makes its bugs "quite severe".

Image: James Martin/CNET

Smartphone bootloader firmware should stay secure even if the operating system is compromised. But researchers have found six previously unknown flaws in major chipset vendors' bootloader code, five of them confirmed by the vendors, that undermine that guarantee.

The vulnerabilities have been found by a group of researchers from the University of California, Santa Barbara, who've built a tool called BootStomp to automatically detect security flaws in bootloaders, which load the OS kernel when devices are turned on.

The tool identified six zero-day flaws in two bootloaders after analyzing code from four large chipset makers: Qualcomm, MediaTek, Nvidia, and Huawei. It also rediscovered a known flaw in a Qualcomm bootloader. Five of the six new flaws have been confirmed by the vendors.

As the researchers note, bootloaders are difficult to analyze automatically partly because they're closed source, hardware specific, and hard to reverse-engineer. BootStomp was built to overcome those difficulties.

"The goal of BootStomp is to automatically identify security vulnerabilities that are related to the (mis)use of attacker-controlled non-volatile memory, trusted by the bootloader's code," the researchers explain.

"In particular, we envision using our system as an automatic system that, given a bootloader as input, outputs a number of alerts that could signal the presence of security vulnerabilities. Then, human analysts can analyze these alerts and quickly determine whether the highlighted functionality indeed constitutes a security threat."

Ensuring the integrity of bootloaders is critical to Google's Verified Boot and ARM's Trusted Boot, in which each boot stage verifies the integrity of the next before handing control to it, creating a so-called 'chain of trust'. If someone tampers with a bootloader component, the kernel or the file system image, the device should refuse to boot the tampered image.

As the researchers note, this sequence should be a rigid process that prevents a compromise even if the Android OS itself has been hacked. However, hardware vendors are given the flexibility to implement bootloaders differently to suit their products.

Using BootStomp, the researchers found 36 potentially dangerous paths in the bootloaders' code, of which over a third turned out to be real vulnerabilities.

"Some of these vulnerabilities would allow an adversary with root privileges on the Android OS to execute arbitrary code as part of the bootloader. This compromises the entire chain of trust, enabling malicious capabilities such as access to the code and storage normally restricted to TrustZone, and to perform permanent denial-of-service attacks -- ie, device bricking.

"Our tool also identified two bootloaders that can be unlocked by an attacker with root privileges on the OS."

For the paper, the researchers assume an attacker who can control any content of non-volatile storage on the device, which is the position an attacker is in after gaining root on Android. Attacks that need no more than that, such as rewriting a partition the bootloader later trusts, are therefore in scope; physical access or a hardware fault is not required.
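The following is an added example, not BootStomp's code and not any vendor's bootloader: a simplified bootloader stage in C that reads a kernel image and an unlock flag from simulated flash, first in the trusting style the paper warns about and then hardened. It shows the two (mis)uses of attacker-controlled non-volatile memory the researchers describe: a length field read from flash flowing unchecked into a copy, which lets the image overwrite the loader's next-stage jump address, and an unlock decision taken from a partition the OS can rewrite. The partition names "boot" and "oeminfo", the header layout, the staging-buffer size and the fuse-backed unlock check are assumptions made for the illustration, not details from the paper.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_BUF_SIZE 1024u
#define BOOT_MAGIC      0x544f4f42u   /* "BOOT" */
#define ATTACKER_ADDR   0x41414141u
#define GENUINE_ADDR    0x00080000u

/* Simulated non-volatile storage. Under the paper's attacker model, root on
 * Android can rewrite both partitions. Names and layout are assumptions. */
struct flash {
    uint8_t boot[2048];    /* "boot" partition: boot_hdr followed by the kernel */
    uint8_t oeminfo[64];   /* "oeminfo"-style partition: byte 0 is an unlock flag */
};

struct boot_hdr {
    uint32_t magic;
    uint32_t kernel_size;  /* attacker-controlled length field */
};

/* Loader state: staging buffer followed by the next-stage jump address. */
struct stage {
    uint8_t  kernel[KERNEL_BUF_SIZE];
    uint32_t next_stage_addr;
};

/* Writes a constructed boot image with the given claimed kernel size; the 4
 * bytes after a full buffer's worth of kernel carry the attacker's address. */
void make_flash(struct flash *f, uint32_t kernel_size)
{
    struct boot_hdr hdr = { BOOT_MAGIC, kernel_size };
    uint32_t addr = ATTACKER_ADDR;
    memset(f, 0, sizeof *f);
    memcpy(f->boot, &hdr, sizeof hdr);
    memset(f->boot + sizeof hdr, 0x90, KERNEL_BUF_SIZE);
    memcpy(f->boot + sizeof hdr + KERNEL_BUF_SIZE, &addr, sizeof addr);
    f->oeminfo[0] = 1;                   /* partition claims "unlocked" */
}

/* Vulnerable: kernel_size read from flash is used unchecked as the copy
 * length, the NV-read-to-memcpy taint flow BootStomp alerts on. The copy
 * targets the whole struct so the 4-byte overrun stays inside demo memory. */
int load_kernel_trusting(const struct flash *f, struct stage *s)
{
    struct boot_hdr hdr;
    memcpy(&hdr, f->boot, sizeof hdr);
    if (hdr.magic != BOOT_MAGIC)
        return -1;
    /* BUG: no bound against KERNEL_BUF_SIZE; 1028 bytes overwrite next_stage_addr */
    memcpy((uint8_t *)s, f->boot + sizeof hdr, hdr.kernel_size);
    return 0;
}

/* Hardened: the length is checked against the staging buffer and against
 * the bytes that exist in the partition; a bad header is rejected outright. */
int load_kernel_hardened(const struct flash *f, struct stage *s)
{
    struct boot_hdr hdr;
    memcpy(&hdr, f->boot, sizeof hdr);
    if (hdr.magic != BOOT_MAGIC)
        return -1;
    if (hdr.kernel_size == 0 || hdr.kernel_size > KERNEL_BUF_SIZE ||
        hdr.kernel_size > sizeof f->boot - sizeof hdr)
        return -2;
    memcpy(s->kernel, f->boot + sizeof hdr, hdr.kernel_size);
    return 0;
}

/* Unlock decision. Reading the flag from an OS-writable partition is how a
 * root attacker "unlocks" the two loaders the paper describes; the hardened
 * check consults only a source the OS cannot write, modelled here as a fuse. */
int is_unlocked_trusting(const struct flash *f) { return f->oeminfo[0] == 1; }
int is_unlocked_hardened(uint8_t otp_unlock_fuse) { return otp_unlock_fuse == 1; }

/* 1 if the oversized image redirected the trusting loader's jump target while
 * the hardened loader refused it, and a well-formed 512-byte image still loads. */
int demo_overflow(void)
{
    static struct flash f;
    struct stage t = { {0}, GENUINE_ADDR }, h = { {0}, GENUINE_ADDR };
    make_flash(&f, KERNEL_BUF_SIZE + sizeof(uint32_t));
    int ok = load_kernel_trusting(&f, &t) == 0 && t.next_stage_addr == ATTACKER_ADDR &&
             load_kernel_hardened(&f, &h) == -2 && h.next_stage_addr == GENUINE_ADDR;
    make_flash(&f, 512);
    return ok && load_kernel_hardened(&f, &h) == 0 && h.kernel[0] == 0x90;
}

/* 1 if a flash image claiming "unlocked" fools only the trusting check. */
int demo_unlock(void)
{
    static struct flash f;
    make_flash(&f, 512);
    return is_unlocked_trusting(&f) == 1 && is_unlocked_hardened(0) == 0;
}

int main(void)
{
    printf("overflow: trusting loader redirected, hardened refused: %d\n", demo_overflow());
    printf("unlock flag in flash fools only the trusting check: %d\n", demo_unlock());
    return 0;
}
```

The point of the hardened variants is not the specific bound but where the decision's inputs come from: a length is only usable once it has been checked against memory the bootloader itself sized, and an unlock state is only trustworthy when it is read from something the compromised OS cannot write (fuses, or a token the loader can verify), never from the same partitions the attacker already controls.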

The five bootloaders came from four chipset families: the Huawei P8 ALE-L23 with Huawei's own HiSilicon chipset, a Sony Xperia XA with a MediaTek chipset, the Nexus 9 with Nvidia's Tegra chipset, and a new and an old version of Qualcomm's bootloader.

The known bug, CVE-2014-9798, is a denial of service affecting the old version of Qualcomm's bootloader. The new bugs comprise one in Nvidia's bootloader and five in Huawei's Android bootloader.

The researchers note that the design of Huawei's bootloader makes its bugs "quite severe" because they would allow an attacker to break the chain of trust and gain persistence on the device that would be difficult for a user to detect.

The paper was first reported by Bleeping Computer based on a recent presentation at the USENIX conference in Vancouver, Canada.


The researchers have set out the alerts raised and bugs found by BootStomp's taint analysis, with time in minutes and seconds and memory in MB.

Image: University of California, Santa Barbara/USENIX


Journal raises $1.5 million to bring Google-like search to your personal life - TechCrunch

Posted: 16 Oct 2018 06:11 AM PDT

In today's world of Slack, email and a gazillion other web apps and services, it's become increasingly hard to search for information. Did your boss Slack you or email you that information about your bonus? Or did they share it via a Google Doc? Who knows? Clearly not you, but Journal knows.

Journal, a machine learning and natural language processing-powered platform designed to search across all your web services and tools, today announced a $1.5 million seed round led by Social Capital. Since receiving the funding about a year ago, Journal has been able to launch a beta community of users. Today, Journal is publicly launching its Mac app, web app and Chrome extension.

"We're passionate about helping people use information effectively," Journal co-founder and CEO Samiur Rahman told TechCrunch. "In this case, we want to help people manage their knowledge. So we want to help individuals to leverage all of the places that they have information right now."

It was that thesis that led Rahman and his team to land on wanting to build a suite of tools that "acts as a second brain for people. That's obviously a long way away but that's what our long-term vision is."

Based on the demo Rahman showed me, Journal looks pretty darn useful. I had an opportunity to install it, but I was hesitant to do so. That's because Journal requires viewing permissions to your email, apps and other services with which you sync Journal.

That's scary for a couple of reasons — the main one being privacy. For example, what happens if Journal gets hacked? Or if the government requests data from Journal?

Rahman's answer is that Journal uses what it describes as zero-knowledge encryption, so that Journal employees can't read or decrypt a user's information. Note that the decryption key described below is derived from an OAuth token hash and a secret that Journal itself holds, so the protection rests on those stores being kept apart from the encrypted data, not on Journal being unable to reconstruct the key. Here's a bit more information, in the company's words, on how Journal handles security:

Journal asks for view permission to the apps a user integrates so that we can enable search across their apps.

To keep users' information safe, all data in Journal is encrypted both in transit and at rest.

Data such as the contents of files, emails, messages, etc. are encrypted using the Fernet symmetric encryption method, which uses AES-128 in CBC mode + HMAC-SHA-256 with a random IV. This means that the data can't be decrypted without the secret key. Our file systems, where the conceptual index is stored, are encrypted using Amazon KMS, which uses AES-256 in GCM mode.

The secret key is a combination of a hash from the OAuth access key for the account you've integrated and a Journal secret key. If our database gets hacked somehow, the hacker would need to also be able to get access to our separate authentication store and our secret key to decrypt your information.

I'm not a security expert, so I asked my colleague, TC Security Editor Zack Whittaker, for some insight. He told me Rahman's explanation makes sense, further explaining that what Journal does is essentially split the private keys needed to access your data. Whittaker said that's smart, but that he's more concerned about general trust.

Journal has access to a treasure trove of data — much of which would be very valuable to advertisers. Right now, advertising is not part of Journal's revenue plans, but that could change.

"I can't say for certainty that we won't, but I think ad-based revenue ends up creating some really bad incentives, especially when you've got all this really private data about people and their usage patterns. The very likely route is that we end up going through companies that pay for teams to use."

As with most tech products these days, it comes down to how much do you trust the company and how much do you care about your data?

And depending on who you are, you may have a stronger threat model — that is, what threats you face based on who you are. Black communities, for example, are at a greater risk of surveillance by the government than white communities. So you adjust your behavior based on your personal threats.

Privacy concerns aside, Journal looks like a really useful product. But we'll see if I get around to setting it up.
