alphaspirit - Fotolia

Six new vulnerabilities in Android bootloaders uncovered

News roundup: Researchers used the new BootStomp tool to uncover six vulnerabilities in Android bootloaders. Plus, a new wave of AWS S3 bucket data leaks strikes and more.

Researchers found six previously unknown vulnerabilities in Android bootloaders from some widely used manufacturers.

A team of nine computer scientists presented their findings at the USENIX conference in Vancouver, B.C., as well as the tool they developed to uncover these vulnerabilities. The tool is called BootStomp and is designed to search for vulnerable bootloaders.

"The goal of BootStomp is to automatically identify security vulnerabilities that are related to the [mis]use of attacker-controlled nonvolatile memory, trusted by the bootloader's code," the team explained in their paper, "BootStomp: On the Security of Bootloaders in Mobile Devices."

"In particular, we envision using our system as an automatic system that, given a bootloader as input, outputs a number of alerts that could signal the presence of security vulnerabilities. Then, human analysts can analyze these alerts and quickly determine whether the highlighted functionality indeed constitute[s] a security threat."

Bootloaders, they said, "help ensure the Chain of Trust (CoT)," which monitors the integrity of each stage of the boot process. Bootloaders are supposed to remain untouched even when attackers have control over the device's OS and should protect the CoT.

With BootStomp, the experts found six new flaws and one already-known flaw in Android bootloaders from four different vendors. Of the six new flaws, five have been acknowledged and confirmed by the vendors. The five confirmed Android bootloaders are for the Huawei/HiSilicon chipset, the Nvidia Tegra chipset, the MediaTek chipset, Qualcomm's new LK bootloader and Qualcomm's old LK bootloader.

The already-known vulnerability, CVE-2014-9798, was on the old Qualcomm LK bootloader and helped the team confirm that BootStomp was working properly.

"Some of these vulnerabilities would allow an adversary with root privileges on the Android OS to execute arbitrary code as part of the bootloader," wrote the research team. "This compromises the entire chain of trust, enabling malicious capabilities such as access to the code and storage normally restricted to TrustZone, and to perform permanent denial-of-service attacks (i.e., device bricking). Our tool also identified two bootloaders that can be unlocked by an attacker with root privileges on the OS."

The researchers also offered some possible mitigation techniques in their paper for the vulnerable Android bootloaders, noting that some features already present in the hardware can be used to prevent an attacker from exploiting these vulnerabilities.

In other news:

  • Around 26,000 MongoDB databases were hacked and wiped over the weekend in a new round of ransomware attacks. Three groups of hackers are reportedly behind the attacks and have demanded 0.15 bitcoin -- roughly $650 -- from each victim. These attacks are being tracked by security researchers Victor Gevers and Niall Merrigan who discovered the first wave of attacks on MongoDB back in January 2017. The latest victims have received the same basic message that said, "We have your data. Your database is backed up to our servers. If you want to restore it, then send 0.15 [bitcoin] and text me to email just send your IP-address and payment info. Messages without payment info will be ignored." The group sending this message has targeted over 22,000 MongoDB instances with this ransomware, while another group -- asking for only 0.05 bitcoin -- has wiped around 3,500 databases.
  • A group of Chinese researchers have developed inaudible voice control on devices that use speech recognition apps, like Apple's Siri or Google Now. While methods to take over these devices and turn them into voice-controllable systems using hidden voice commands are already available, they are audible and not as stealthy. The team of six researchers from Zhejiang University in China have created a "completely inaudible" attack method called DolphinAttack that "modulates voice commands on ultrasonic carriers," making the voice control impossible for humans to hear. "By leveraging the nonlinearity of the microphone circuits, the modulated low-frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems," the researchers wrote in their paper, "DolphinAttack: Inaudible Voice Commands," which they are due to present at the ACM Conference on Computer and Communications Security in October in Dallas. The team validated and tested DolphinAttack on speech recognition systems including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Microsoft's Cortana and Alexa. With DolphinAttack, the researchers were able to command smartphones to dial certain numbers, visit a specific website -- which could be malicious -- dim the screen brightness, lower the volume or put the phone in airplane mode.
  • Two more major data leaks caused by misconfigured AWS Simple Storage Service (S3) buckets have joined the growing list of recent incidents. Time Warner Cable, which used a third-party global communication software and service provider called BroadSoft, and a military contractor called TigerSwan, which used the third-party recruiting company TalentPen, are the latest victims. Time Warner Cable exposed 600 GB of files on two cloud repositories to the public. BroadSoft owned the exposed repositories, which contained SQL database dumps, code, access logs, customer billing addresses and phone numbers belonging to Time Warner Cable clients. In just one file, the records of more than 4 million clients were stored and exposed. The TigerSwan data leak exposed thousands of resumes and job applications -- most containing sensitive personal information -- of U.S. veterans and law enforcement officers. The data of government contractors was also exposed in the leak. Information like home addresses, phone numbers, work history and email addresses, as well as some security clearances, driver's license numbers, passport numbers and partial Social Security numbers, were exposed to the public. These companies join the likes of Booz Allen Hamilton and the Republican National Committee, which also exposed data to the public because of a misconfigured AWS S3 bucket.

Next Steps

Learn how Pork Explosion can create Android backdoors

Find out how the Dirty COW vulnerability can be used to attack Android devices

Examine the official iOS and Android security reports

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing