
TWCERT Newsletter


Foxconn Leaves a Backdoor Open in Android Device Firmware

  • Publishing unit: TWCERT/CC
  • Updated: 2019-03-22

1. A US security researcher found that some Android devices containing Foxconn-supplied firmware harbor a feature left in for engineering convenience that can be abused as a vulnerability.
2. The firmware leaves a debugging function in the operating system's bootloader that bypasses the authentication procedure and so acts as a backdoor; USB access alone is enough to take control of the entire system.
3. This situation arises mainly because OEMs allow Foxconn to manufacture and supply its own electronic components and integrate them into Android devices.
4. Once connected over USB, a purpose-built program can be used during the boot phase to enter the engineering debug mode and control the Android device as root, while the main security mechanism protecting Android

Some Android devices that contain firmware created by Foxconn may be vulnerable via a debugging feature left inside the OS bootloader, which acts as a backdoor and bypasses authentication procedures for any intruder with USB access to a vulnerable phone.
Foxconn is a Taiwanese company that assembles the electronic parts of several Android smartphone manufacturers (OEMs).
 
The reason this backdoor exists in the bootloader, the piece of code responsible for booting up the Android OS, is because various OEMs allow Foxconn to create and supply firmware for some of the electronics they use to glue all the parts of an Android device together.
 

Foxconn debugging feature acts as a backdoor
 
Jon Sawyer, a US security expert, discovered at the end of August that this firmware included support for booting up Android devices without having to go through the proper authentication procedure.
 
The researcher says that someone with physical access to the device could connect it via USB to a computer and use specific software to interact with the device during its boot-up procedure.
 
This kind of software is most likely a Foxconn debugger, but Sawyer was able to craft his own client and run the commands to enter this "factory test mode."
 
This test mode (aka backdoor) can be accessed via Fastboot, a protocol for handling boot-up commands. Sawyer says that the boot-up command to access the backdoor is "reboot-ftm," and can only be sent to the device using custom software, and not through Android or OEM-specific Fastboot interfaces.
 
"While it is obviously a debugging feature, it is a backdoor," Sawyer says, "it isn’t something we should see in modern devices, and it is a sign of great neglect on Foxconn’s part."
 

Backdoor accessible via USB, disables SELinux
 
But it gets even worse. When entering this factory test mode, Sawyer says the user is "root," with total control over the phone, and that SELinux, a major Android security component, is completely disabled.
 
"In short, this is a full compromise over USB, which requires no logon access to the device," Sawyer says. "This vulnerability completely bypasses authentication and authorization controls on the device. It is a prime target for forensic data extraction."
 
"Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products," Sawyer adds.
 

Unknown number of devices affected
 
This backdoor, which he (weirdly) named Pork Explosion, affects a large number of devices. Unfortunately, there isn't a list of affected OEMs and smartphone models at the time of writing.
 
Sawyer has provided the following information on how to detect Android devices affected by Pork Explosion.
 
  For those looking to detect vulnerable devices, you can check for the partitions "ftmboot" and "ftmdata". The "ftmboot" partition contains a traditional Android kernel/ramdisk image. This one has SELinux disabled, and adb running as root. The "ftmdata" partition is mounted on /data during ftm bootmode. These partitions are only a sign that the device is vulnerable.
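As an added example (not Sawyer's tooling and not Foxconn's code), the following Python script applies the detection advice above in two steps: it looks for the ftmboot and ftmdata entries in a partition by-name listing, then unpacks a dumped ftmboot image (Android boot.img header, gzipped newc cpio ramdisk) and checks it for the two properties the write-up attributes to that image, SELinux disabled and adb running as root. The page does not say how the image achieves either, so the exact indicators checked here are assumptions based on stock Android: selinux=0 or androidboot.selinux=permissive on the kernel command line, and ro.secure=0 / ro.debuggable=1 in the ramdisk's default.prop, which is what lets adbd keep root. Both the partition listing and the ftmboot image are constructed inside the block; against a real device, feed it the output of adb shell ls -l /dev/block/bootdevice/by-name and a dd copy of the ftmboot partition.

```python
"""Pork Explosion indicator checks. Added example, not Sawyer's or Foxconn's code;
the specific cmdline/prop indicators are assumptions, not taken from the write-up."""
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# boot_img_hdr v0 layout from AOSP bootimg.h: magic, 10 u32 fields, name[16],
# cmdline[512], id[32], extra_cmdline[1024]; the header occupies page 0.
HEADER_FMT = "<8s10I16s512s32s1024s"
FTM_PARTITIONS = {"ftmboot", "ftmdata"}


def find_ftm_partitions(by_name_listing: str) -> set:
    """Return the ftm partitions present in `ls -l .../by-name` style output."""
    found = set()
    for line in by_name_listing.splitlines():
        if not line.strip():
            continue
        name = line.split("->")[0].split()[-1] if "->" in line else line.strip()
        if name in FTM_PARTITIONS:
            found.add(name)
    return found


def cpio_newc(entries: dict) -> bytes:
    """Write a minimal SVR4 'newc' cpio archive (used only to build the sample)."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries.items()) + [("TRAILER!!!", b"")], 1):
        name_b = name.encode() + b"\0"
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += b"070701" + b"".join(b"%08x" % f for f in fields) + name_b
        out += b"\0" * (-len(out) % 4)           # header+name padded to 4 bytes
        out += data + b"\0" * (-len(data) % 4)   # file data padded to 4 bytes
    return bytes(out)


def cpio_read(blob: bytes) -> dict:
    """Parse a 'newc' cpio archive into {path: bytes}."""
    files, pos = {}, 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != b"070701":
            raise ValueError("ramdisk is not a newc cpio archive")
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        pos = (pos + 110 + namesize + 3) & ~3
        if name == "TRAILER!!!":
            break
        files[name] = blob[pos:pos + filesize]
        pos = (pos + filesize + 3) & ~3
    return files


def parse_boot_image(img: bytes) -> dict:
    """Split an Android boot image into its kernel command line and raw ramdisk."""
    hdr = struct.unpack_from(HEADER_FMT, img, 0)
    if hdr[0] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    kernel_size, ramdisk_size, page_size = hdr[1], hdr[3], hdr[8]
    cmdline = (hdr[12] + hdr[14]).replace(b"\0", b" ").decode(errors="replace")
    kernel_pages = -(-kernel_size // page_size)          # ceil division
    ramdisk_off = page_size * (1 + kernel_pages)         # page 0 is the header
    return {"cmdline": " ".join(cmdline.split()),
            "ramdisk": img[ramdisk_off:ramdisk_off + ramdisk_size]}


def inspect_boot_image(img: bytes) -> dict:
    """Flag the write-up's indicators: SELinux off and adbd running as root.
    Assumed indicators: selinux=0 / androidboot.selinux=permissive on the cmdline;
    ro.secure=0 (adbd keeps root) and ro.debuggable=1 in default.prop."""
    info = parse_boot_image(img)
    if not info["ramdisk"].startswith(b"\x1f\x8b"):
        raise ValueError("ramdisk is not gzip (lz4/other compression not handled here)")
    files = cpio_read(gzip.decompress(info["ramdisk"]))
    props = {}
    for line in files.get("default.prop", b"").decode(errors="replace").splitlines():
        key, sep, val = line.partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = val.strip()
    args = info["cmdline"].split()
    return {
        "cmdline": info["cmdline"],
        "selinux_disabled": "selinux=0" in args or "androidboot.selinux=permissive" in args,
        "adb_root": props.get("ro.secure") == "0",
        "debuggable": props.get("ro.debuggable") == "1",
    }


# Constructed sample of `adb shell ls -l /dev/block/bootdevice/by-name`; not a real dump.
SAMPLE_BY_NAME = """\
lrwxrwxrwx root root 1970-01-01 00:00 boot -> /dev/block/mmcblk0p21
lrwxrwxrwx root root 1970-01-01 00:00 ftmboot -> /dev/block/mmcblk0p22
lrwxrwxrwx root root 1970-01-01 00:00 ftmdata -> /dev/block/mmcblk0p23
lrwxrwxrwx root root 1970-01-01 00:00 system -> /dev/block/mmcblk0p24
"""


def build_sample_ftmboot(page_size: int = 2048) -> bytes:
    """Construct a stand-in for a dumped ftmboot partition; not a real vendor image."""
    kernel = b"\0" * 100                                 # placeholder kernel payload
    ramdisk = gzip.compress(cpio_newc({
        "default.prop": b"ro.secure=0\nro.debuggable=1\nro.adb.secure=0\n",
        "init.rc": b"# constructed\n",
    }))
    cmdline = b"console=ttyHSL0 androidboot.hardware=qcom selinux=0"
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC, len(kernel), 0x80008000, len(ramdisk),
                      0x81000000, 0, 0, 0x80000100, page_size, 0, 0, b"ftm", cmdline,
                      b"\0" * 32, b"")
    pad = lambda b: b + b"\0" * (-len(b) % page_size)
    return pad(hdr) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    print("ftm partitions:", find_ftm_partitions(SAMPLE_BY_NAME))
    print(inspect_boot_image(build_sample_ftmboot()))
```

The partition names are, as Sawyer says, only a sign; the image inspection is what confirms that the alternate boot image actually drops SELinux and hands out a root adbd. Images with an lz4-compressed ramdisk or a v2+ boot header (which adds a DTB field) are rejected rather than misparsed.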
 


References:
http://news.softpedia.com/news/backdoor-discovered-in-some-foxconn-made-android-smartphones-509271.shtml
http://bbqand0days.com/Pork-Explosion-Unleashed/
