Android Devices That Contain Foxconn Firmware May Have a Secret Backdoor (softpedia.com) 95
An anonymous reader writes from a report via Softpedia: Some Android devices that contain firmware created by Foxconn may be vulnerable via a debugging feature left inside the bootloader, which acts as a backdoor and bypasses authentication procedures for any intruder with USB access to a vulnerable phone. By sending the "reboot-ftm" command to Android devices that contain Foxconn firmware, an attacker would authenticate via USB, and boot the device, running as root with SELinux disabled. There isn't a list of affected devices available yet, but Jon Sawyer, the researchers that discovered this hidden command, provides instructions on how to detect if a phone is affected. "Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products," Sawyer says.
hah! "may" ... yea right. (Score:3, Insightful)
I'd be shocked if they only had one.
Re: (Score:2)
yea right again
"Phone vendors were unaware this backdoor has been placed into their products," Sawyer says."
Re: (Score:2)
Re: (Score:2)
I see this more as corporations looking at slumping sales or sales of the devices that the consumer is still able to root and load other images onto like Cyanogen and that pisses them off.
Better scare everyone into buying new better locked down phones.
Re: (Score:2)
"Phone vendors were unaware this backdoor has been placed into their products," Sawyer says."
The NSA gave us a legal order from a secret court telling us the backdoor is not there.
"reboot-ftm"... that's it? (Score:5, Insightful)
Also, it turns out "Randall Munroe" is just the name the Matrix gave to its future-predicting algorithm.
Yeah (Score:1)
So how about... (Score:5, Interesting)
Foxconn's other devices? The ones with the fruity logo?
Re: (Score:3)
i'd be really surprised if Apple outsourced their firmware development to Foxconn without auditing the shit out of it. they're pretty obsessive about that.
Re:So how about... (Score:4, Informative)
i'd be really surprised if Apple outsourced their firmware development to Foxconn without auditing the shit out of it. they're pretty obsessive about that.
Foxconn are the ones that build the hardware and install the software, they wanted to slip in a backdoor to idevices they are in the prime position to do it. But of course no Chinese company would ever do that to an American company.
Re: So how about... (Score:1)
No they are not dual sourced.
SOME components are dual sourced. CPU, Ram, mmc, displays are all dual and in some cases triple sourced.
BUT regardless of the component origin they ALL get assembled, software installed and signed off by Foxconn.
Come on dude, I'm an iPhone and mac user too and bullshit like that just causes more people to laugh at apple and go elsewhere.
Re: (Score:2)
do you have a cite about getting the software installed at Foxconn? even if it were true, it's not necessarily relevant if Apple uses a sufficiently elaborate signing mechanism, as they seem to do. i'm still kind of curious about this for some reason.
Firmware must be signed by Apple (Score:3)
Foxconn are the ones that build the hardware and install the software, they wanted to slip in a backdoor to idevices they are in the prime position to do it.
No. Firmware must be signed by Apple. Any substitution or modification (or a bit hit by an alpha particle) won't have a valid signature and the hardware will refuse to run it.
Re: (Score:3)
Oh...
Wait...
Re:Firmware must be signed by Apple (Score:5, Insightful)
Considering the ROM in question is fixed in the fabs at TSMC or Samsung, it would be really hard to add another key. In addition, that would require the hardware have support for multiple signing keys.
Even if the keys were programmed after the fact, the ROM code would generally just assume the next stage loader code must be signed with a key in a specific location in OTP. And in general, only one key is valid - the boot ROM has only so much space and having to check additional keys takes up additional logic that may or may not be available.
So Foxconn would need to compromise two facilities, one in Texas (Samsung), one in Taiwan, change the masks ($100K each) that contain the boot ROM code and keys, then load on their compromised firmware.
Oh yeah, and they need to hack Apple so Apple's firmware distributes the modified binaries as well. Apple's ROM code is so sophisticated it can reload the firmware from scratch which would wipe out any of the Foxconn changes. (DFU recovery mode reloads the entire OS).
Re: (Score:1)
So Foxconn would need to compromise two facilities, one in Texas (Samsung), one in Taiwan, change the masks ($100K each) that contain the boot ROM code and keys, then load on their compromised firmware.
That is a strange way to do it.
If they are intentionally installing backdoors then they would have a government organization behind them so one time costs for masks isn't really an issue.
There is no need to actually infiltrate the factories manufacturing the original ROM since you can just throw them away and install your counterfeit rom instead.
Creating counterfeit chips and branding them as the real deal is a fairly large industry. Just look at the FTDI articles that have popped up a few times on Slashdot
Have to counterfeit the processor to backdoor (Score:2)
There is no need to actually infiltrate the factories manufacturing the original ROM since you can just throw them away and install your counterfeit rom instead.
No, you have to replace the entire processor with a counterfeit. The first "ROM" that starts the chain of signature checks at each level of software is burned into the processor and can not be changed.
https://www.apple.com/business... [apple.com]
Re: (Score:2)
even if you subscribe to the China-subverting-consumer-devices conspiracy theory (admittedly not as crazy as most other conspiracy theories), China would be better off taking the Apple money and investing that in other sabotage. counterfeiting iPhone hardware would inevitably be discovered and be catastrophic for China's tech industry.
Re: (Score:2)
Right, and Foxconn can't add their own signing keys to the devices when they're the ones burning the ROMs that hold them.
There is more than one "ROM", there is a series of them. The first "ROM" is burned into the processor. Foxconn does not operate the foundry that manufactures these processors. And it is probably part of the QA process to have Apple verify the ROM burned into the processor before they bang out a million of them.
"When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code, known as the hardware root of trust, is laid
Re: (Score:1)
Re: (Score:2)
That's how Apple, a company with a habit of misleading consumers with regard to how their products actually function, claims it works. I'm not going to argue, because that's what the documentation says, but I also won't have a surprised look on my face (like you will) when it's proven false in a month.
You are absolutely correct. I will be incredibly surprised if Apple's more recent phones do not behave as described in Apple's documentation. When I have been shown to be wrong I will humbly pay for dinner for you and your significant other to celebrate your superior insight. :-)
Re: (Score:2)
But, then, I don't know anything about security, I just work in the industry.
Re: (Score:2)
I'm just guessing that Apple wouldn't do something so dumb as permanently burn a public key paired to a potentially (no matter how unlikely) guessable and (more likely) leakable private key into their CPUs, leaving themselves absolutely no way to revoke that key and replace it with a new one if someone cracks it or when someone leaks it. But, then, I don't know anything about security, I just work in the industry.
The key in question seems to validate only the firmware, other keys would validate other steps in the boot process. So its disclosure would seem to require physical access to the device to compromise it, or to compromise Apple's software update process which is secured with additional keys. So the fallout to Apple would seem to be mostly limited to people being able to load alternative firmware, it would be a 'jailbreak' thing. And for a very small number of people law enforcement could access their phone w
Re: (Score:2)
So the fallout to Apple would seem to be mostly limited to people being able to load alternative firmware, it would be a 'jailbreak' thing. And for a very small number of people law enforcement could access their phone when being 'searched'.
The former of which Apple simply does not want us to be able to do and the latter of which they want us to believe impossible. Oh, and it would be all law enforcement, as well as even the smallest of small-time hackers and data thieves.You do realize that, if the key gets out publicly (you know, since you mentioned people being able to load their own firmware), it's out there for everyone, right? Not just the good guys?
Re: (Score:2)
So the fallout to Apple would seem to be mostly limited to people being able to load alternative firmware, it would be a 'jailbreak' thing. And for a very small number of people law enforcement could access their phone when being 'searched'.
The former of which Apple simply does not want us to be able to do and the latter of which they want us to believe impossible. Oh, and it would be all law enforcement, as well as even the smallest of small-time hackers and data thieves.You do realize that, if the key gets out publicly (you know, since you mentioned people being able to load their own firmware), it's out there for everyone, right? Not just the good guys?
Of course, in case you forgot I wrote: "So its disclosure would seem to require physical access to the device to compromise it". Note that limits the number of hackers, and that they are also defeated by remote wiping. I assume law enforcement has some way to tell Apple not to remote wipe.
Re: (Score:2)
"So its disclosure would seem to require physical access to the device to compromise it". Note that limits the number of hackers
But it does open the stolen device market back up in a huge way.
and that they are also defeated by remote wiping.
Unless the thief turns the device off. Their hacker friend would then boot into DFU to load the new firmware, overwriting only the /system partition.
I assume law enforcement has some way to tell Apple not to remote wipe.
See above. Replace "thief" with "cop" and "hacker" with "technician".
If you think the impact would be negligible, you aren't very creative, friend.
Re: (Score:1)
i'd be really surprised if Apple outsourced their firmware development to Foxconn without auditing the shit out of it. they're pretty obsessive about that.
Foxconn are the ones that build the hardware and install the software, they wanted to slip in a backdoor to idevices they are in the prime position to do it. But of course no Chinese company would ever do that to an American company.
So, do you think that an installation via JTAG bypasses code-signing? The installation probably does; but I would doubt the signature check would be bypassed upon execution.
Re: (Score:2)
Foxconn's other devices? The ones with the fruity logo?
Nope. Apple does their own Firmware for every single thing they design.
Re: (Score:1)
then the backdoors are there, they are just exclusive to apple for now
Prove it, or STFU.
If they don't already know (Score:1, Offtopic)
Comey and Putin will both be sooo happy
Assume all are vulnerable with physical access. (Score:2)
This is good. A way to make unlocking the bootloader easier.
We should all already assume that a person with extended physical access to a phone can get control over it.
The only protection is full-device encryption with a strong password. (Or PIN with crypto chip done better than the iPhone the FBI was recently in the news over.)
We don't want to have to enter that every time we unlock the screen, so a compromise is to use the encryption password on boot-up, and a fingerprint/PIN/pattern on screen unlock.
Re: (Score:1)
And you missed the part where the file system still is encrypted even after the system boots.
Re: (Score:2)
Anyone sufficiently motivated (eg. intelligence services) could desolder the flash chips and get infinite attempts anyway. The question in this case is it better to have a completely secure device that you can't root or otherwise customise, or a device with physical access vulnerabilities that you have more control over.
Re: Assume all are vulnerable with physical access (Score:2)
This affects the Nextbit Robin, which is already bootloader unlockable (just run "fastboot oem unlock-go" and that's it).
Unaware - or (Score:2)
"Unaware" - more likely they are aware but are not permitted to talk to anyone about it.
Re: (Score:1)
Sure.
If you suspect an elite team of ninjas running around and connecting to the phones with USB.
Jailbreak (Score:5, Interesting)
Can I use this to jailbreak my own phone? Please share if so.
We need a *COMPLETE set of SOURCE CODE* (Score:3, Insightful)
Anybody who thinks they have any security or privacy what-so-ever on there phone is kidding themselves. Cellular phones are designed in such a way to enable tracking for the purpose of providing service. You can't avoid it, and at best we might be able to design a communication device (which has never been done) that reduces the resolution at which tracking can or need occur. The solution to the security (as opposed to tracking) problems is to release the complete set of source code. That won't make devices secure in and of itself, but it is an essential first step. The next would be reducing the code base such that the code could be properly cleaned up, audited and analysed for vulnerabilities, and hopefully fixed. These phones are also designed such that the modems have complete control over the entirety of the device or near-so. Once that is true (which it is for all or near all phones) you can't secure it. It's just not possible. The modem most be separate and not have access to memory/mic/etc or at least without the core OS giving it permission. The modem firmwares can and are remotely updated and have been used to remotely record and bug users. Cell phones are extremely dangerous devices.
Re: (Score:1)
yeah, but unless you also control/audit the compiler and so on, all the way down to the chip fab, you're never gonna be 100% sure it's clean.
eg - what if Intel/Qualcomm/etc have their own backdoors built in, per order of the US government? Google/etc certainly have their own features built in. http://www.pcworld.com/article... [pcworld.com] or https://www.wired.com/2013/05/... [wired.com]
Or, what if there is some malicious Easter egg built into the chip? etc, etc...
OK, So ... The pay is not so good ... (Score:4, Insightful)
So how many programmers have put in ostensible 'back doors' or let us say 'faults' so they can sell those "mistakes" to hackers for big $s.
Come on now, don't tell me the programmers in China and Taiwan are STUPID.
Re: (Score:2)
So that is how Kingroot is able to root even the most obscure devices.
Re: (Score:1)
Occam's razor:
a) The developers are fairly smart and intentionally left a debugging feature available knowing that it would be fairly easy to spot if someone looked in the right place, then sold the knowledge of the backdoor for big bucks.
b) The developers forgot to disable a debugging feature.
Re: (Score:2)
Does the NSA count as "hackers"?
They paid RSA $10M for a backdoor: http://thehackernews.com/2013/... [thehackernews.com]
Re: (Score:2)
I warned about this for years, no one listened. (Score:2)
iOS devices must have Apple signed firmware (Score:2)
Re: (Score:2)
I'm reminded of the ProASIC3 FPGA backdoor debacle of a few years ago. Basically, that FPGA uses hardware AES to allow the FPGA user to specify a cryptographic key to protect the loaded IP from tampering and reading.
There was an undocumented JTAG command found by security researchers at the University of Cambridge which allowed reading protected areas of the FPGA configuration including the user secret key and thereby foiled the protection provided by the hardware AES crypto.
According to the FPGA manufactu
Re:I warned about this for years, no one listened. (Score:5, Interesting)
Its the US products brand on the device with US testing, spec and support.
Designed to US brands spec, per production run and contract.
The only easy way to secure a product is to make it in house. Have your own fab running in the USA or trusted 5 eye like nation.
US production runs in global factories are just puzzles to the smart international staff.
How many humans are needed, humans and robots or robots per part.
Also the same products have to sell globally. A lot of police forces/mil/govs just do not allow any device they cant totally access to be part of their national telco networks.
No need to run per nation production lines. Just have a police backdoor compliance per device, not need for extra production teams. The security services are happy, no per nation bans or competing products be granted access to lucrative markets.
Re: (Score:2)
I'm sure... (Score:3)
I'm sure Apple has no back-doors, Foxconn or not.
Samsung prefers actual explosions (Score:2)
Android - Secure By Design (Score:4, Interesting)
Secure by design - and insecure by design as well.
Does this mean.... (Score:2)
Class action lawsuit most definitely in order (Score:1)
"intruder with USB access" (Score:2)
It's a truism that if someone has physical access to a device, they can compromise it. Modulo any time/money requirements such as (worst case) cloning the device to brute-force it.
Pork explosion... really? (Score:3)
Security defects have to be explained to managers in order to justify spending time and money on fixes. Going to a manager and saying "we have a problem with pork explosion" is a good way to ensure that you'll be dismissed out of hand.
I don't know what peculiar mental abnormality is causing security researchers to keep trying to top each other in coming up with the stupidest name possible for exploits, but they really need to re-think what they're doing and how it makes them look to the rest of the world.
The EVIL chinese again! (Score:1)
Now you see... (Score:3)
This is why I carry an iPhone. That way, I don't have to worry about a backdoor pork explosion in my pants. It's the little things, you know...
Re: (Score:3)
Foxconn make iphones too fruit fag lover.
So...humor? Ever heard of it? :)
'Accidentally', or 'intentionally'? (Score:2)
There's got to be a way to stop this sort of thing from happening. Perhaps an independent, 3rd-party testing agency that can sift through a phone to ensure there are no such vulnerabilities, and a government mandate that all phones must pass muster before being allowed for sale? Similar to how the FDA requires testing of medical devices before being allowed for sale in the U.S., except not so corrupt.