University of California Santa Barbara researchers have turned up bootloader vulnerabilities across a bunch of Android chipsets from six vendors.
The team of nine researchers decided to look at a little-studied aspect of Android architecture – the interaction between the OS and the chip at power-up. To get inside that operation, they built a tool dubbed “BootStomp”, “designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution, or its security features”.
The tool turned up exploitable bugs in Huawei, Qualcomm, MediaTek, and NVIDIA bootloaders: six new bugs, plus CVE-2014-9798, which was already known but, it turned out, was still present in Qualcomm devices (since it was a known bug, CVE-2014-9798 also provided a handy reference to confirm that BootStomp was working as intended).
At the bottom of the problem: the bootloader’s chain of trust would ideally be the same for any chipset, but it’s not – Google’s left room for customisation to make life simpler for silicon vendors.
Submitted by: Arnfried Walbrecht