Multiple Vulnerabilities Found in NVIDIA, Qualcomm, Huawei Bootloaders

Six exploitable flaws in chipsets used by Huawei, Qualcomm, MediaTek and NVIDIA were found in popular Android handsets, according to a report by University of California at Santa Barbara computer scientists. Each of the flaws exist in phones sold by Huawei, Sony and Google, and are tied to each of the phones’ bootloader firmware.

The vulnerabilities allow an adversary with an existing foothold on phones to break the Chain of Trust during the boot-up sequence. The so-called Chain of Trust is part of Google’s Verified Boot process that validates device integrity and component authenticity during the boot-up sequence.

“An attacker has to have root capabilities over a phone to exploit one of these six vulnerabilities,” said Nilo Redini, one of the nine computer scientists who coauthored the report (PDF).  “One might say, ‘Well if they have root access, that’s already game over. Why even bother?’”

Redini explained to Threatpost that some bootloaders operate with a privilege higher than necessary. “If one can compromise a bootloader, they could achieve more than root capabilities and, for example, interfere with ARM’s TrustZone,” he said.

TrustZone is a System on Chip (SoC) used widely on Android handsets and is supposed to be a walled-off secure area running outside the main processor and operating system.  It handles highly sensitive processes such as device encryption.

“We evaluated bootloaders from four major device manufacturers, and discovered six previously unknown memory corruption or denial of service vulnerabilities, as well as two unlock-bypass vulnerabilities,” Redini said.

Researchers used a custom-built tool called BootStomp to identify each of the vulnerabilities. Of the six vulnerabilities found using BootStomp, five of them were confirmed by the vendors. A seventh bug was also discovered by researchers, but it was a known denial of service flaw (CVE-2014-9798) affecting an older version of Qualcomm’s bootloader.

Read more…

Source: ThreatPost