Full compromise over USB bacon-ed in to smartmobes
Security researcher John Sawyer says a limited backdoor has been found in some Foxconn-manufactured Android phones, allowing attackers to root phones they have in hand.
The backdoor is the result if a debugging function left over in Foxconn apps bootloader code which can be exploited by attackers wielding appropriate software.
Sawyer badges the vulnerability a result of “great neglect” by Foxconn.
Those attackers will have complete control over the devices having bypassed SELinux Android security controls, and gained access without the need of authentication.
The vulnerability, dubbed “Pork Explosion” (a salvo to over-hyped flaws bearing names, websites, and logos), is most useful to forensics boffins wanting to pull data from the unspecified list of affected handsets in which the low level Foxconn code exists.
It is of no use to the typical remote app VXer.
Sawyer says while InFocus’s M810 and Nextbit’s Robin phones are affected, with the latter since patched, many devices likely contain the backdoor code.
“‘Pork Explosion’ allows an attack with physical access to a device to gain a root shell, with SELinux disabled through USB,” Sawyer says
“Phone vendors were unaware this backdoor has been placed into their products,” Sawyer says.
“Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data.
“In short, this is a full compromise over USB, which requires no logon access to the device.”
Swayer says he attempted to notify Foxconn’s Android and product security teams of the holes in August.
Nexbit patched the flaws in a little over two months.
He says it is a complete authentication and authorisation bypass that “isn’t something we should see in modern devices”.
Attackers can exploit the hole on phones using fastboot and bootloader, or through ADP on a computer. ®