
Android Devices That Contain Foxconn Firmware May Have a Secret Backdoor (softpedia.com)

An anonymous reader writes from a report via Softpedia: Some Android devices that contain firmware created by Foxconn may be vulnerable via a debugging feature left inside the bootloader, which acts as a backdoor and bypasses authentication procedures for any intruder with USB access to a vulnerable phone. By sending the "reboot-ftm" command to Android devices that contain Foxconn firmware, an attacker would authenticate via USB, and boot the device, running as root with SELinux disabled. There isn't a list of affected devices available yet, but Jon Sawyer, the researcher who discovered this hidden command, provides instructions on how to detect if a phone is affected. "Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products," Sawyer says.
  • by Narcocide ( 102829 ) on Thursday October 13, 2016 @07:32PM (#53073007) Homepage

    I'd be shocked if they only had one.

  • Like the reason that most companies encrypted or "secured" their boot systems was to prevent dark hats from getting into phones... something done when nobody asked for such a feature or even cares about security in the first place.
  • So how about... (Score:5, Interesting)

    by cheesybagel ( 670288 ) on Thursday October 13, 2016 @07:42PM (#53073053)

    Foxconn's other devices? The ones with the fruity logo?

    • i'd be really surprised if Apple outsourced their firmware development to Foxconn without auditing the shit out of it. they're pretty obsessive about that.

      • Re:So how about... (Score:4, Informative)

        by Anonymous Coward on Thursday October 13, 2016 @09:38PM (#53073497)

        i'd be really surprised if Apple outsourced their firmware development to Foxconn without auditing the shit out of it. they're pretty obsessive about that.

        Foxconn are the ones that build the hardware and install the software; if they wanted to slip a backdoor into iDevices, they are in the prime position to do it. But of course no Chinese company would ever do that to an American company.

        • Foxconn are the ones that build the hardware and install the software, they wanted to slip in a backdoor to idevices they are in the prime position to do it.

          No. Firmware must be signed by Apple. Any substitution or modification (or a bit hit by an alpha particle) won't have a valid signature and the hardware will refuse to run it.

          • Right, and Foxconn can't add their own signing keys to the devices when they're the ones burning the ROMs that hold them.

            Oh...

            Wait...
            • by tlhIngan ( 30335 ) <slashdot.worf@net> on Friday October 14, 2016 @02:18AM (#53074401)

              Right, and Foxconn can't add their own signing keys to the devices when they're the ones burning the ROMs that hold them.

              Oh...

              Wait...

              Considering the ROM in question is fixed in the fabs at TSMC or Samsung, it would be really hard to add another key. In addition, that would require the hardware have support for multiple signing keys.

              Even if the keys were programmed after the fact, the ROM code would generally just assume the next stage loader code must be signed with a key in a specific location in OTP. And in general, only one key is valid - the boot ROM has only so much space and having to check additional keys takes up additional logic that may or may not be available.

              So Foxconn would need to compromise two facilities, one in Texas (Samsung), one in Taiwan, change the masks ($100K each) that contain the boot ROM code and keys, then load on their compromised firmware.

              Oh yeah, and they need to hack Apple so Apple's firmware distributes the modified binaries as well. Apple's ROM code is so sophisticated it can reload the firmware from scratch which would wipe out any of the Foxconn changes. (DFU recovery mode reloads the entire OS).

              • by Anonymous Coward

                So Foxconn would need to compromise two facilities, one in Texas (Samsung), one in Taiwan, change the masks ($100K each) that contain the boot ROM code and keys, then load on their compromised firmware.

                That is a strange way to do it.

                If they are intentionally installing backdoors then they would have a government organization behind them so one time costs for masks isn't really an issue.
                There is no need to actually infiltrate the factories manufacturing the original ROM since you can just throw them away and install your counterfeit rom instead.

                Creating counterfeit chips and branding them as the real deal is a fairly large industry. Just look at the FTDI articles that have popped up a few times on Slashdot

                • There is no need to actually infiltrate the factories manufacturing the original ROM since you can just throw them away and install your counterfeit rom instead.

                  No, you have to replace the entire processor with a counterfeit. The first "ROM" that starts the chain of signature checks at each level of software is burned into the processor and can not be changed.
                  https://www.apple.com/business... [apple.com]

                  • even if you subscribe to the China-subverting-consumer-devices conspiracy theory (admittedly not as crazy as most other conspiracy theories), China would be better off taking the Apple money and investing that in other sabotage. counterfeiting iPhone hardware would inevitably be discovered and be catastrophic for China's tech industry.

            • Right, and Foxconn can't add their own signing keys to the devices when they're the ones burning the ROMs that hold them.

              There is more than one "ROM", there is a series of them. The first "ROM" is burned into the processor. Foxconn does not operate the foundry that manufactures these processors. And it is probably part of the QA process to have Apple verify the ROM burned into the processor before they bang out a million of them.

              "When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code, known as the hardware root of trust, is laid

              • That's how Apple, a company with a habit of misleading consumers with regard to how their products actually function, claims it works. I'm not going to argue, because that's what the documentation says, but I also won't have a surprised look on my face (like you will) when it's proven false in a month.
                • That's how Apple, a company with a habit of misleading consumers with regard to how their products actually function, claims it works. I'm not going to argue, because that's what the documentation says, but I also won't have a surprised look on my face (like you will) when it's proven false in a month.

                  You are absolutely correct. I will be incredibly surprised if Apple's more recent phones do not behave as described in Apple's documentation. When I have been shown to be wrong I will humbly pay for dinner for you and your significant other to celebrate your superior insight. :-)

                  • I'm just guessing that Apple wouldn't do something so dumb as permanently burn a public key paired to a potentially (no matter how unlikely) guessable and (more likely) leakable private key into their CPUs, leaving themselves absolutely no way to revoke that key and replace it with a new one if someone cracks it or when someone leaks it.

                    But, then, I don't know anything about security, I just work in the industry.
                    • I'm just guessing that Apple wouldn't do something so dumb as permanently burn a public key paired to a potentially (no matter how unlikely) guessable and (more likely) leakable private key into their CPUs, leaving themselves absolutely no way to revoke that key and replace it with a new one if someone cracks it or when someone leaks it. But, then, I don't know anything about security, I just work in the industry.

                      The key in question seems to validate only the firmware, other keys would validate other steps in the boot process. So its disclosure would seem to require physical access to the device to compromise it, or to compromise Apple's software update process which is secured with additional keys. So the fallout to Apple would seem to be mostly limited to people being able to load alternative firmware, it would be a 'jailbreak' thing. And for a very small number of people law enforcement could access their phone w

                    • So the fallout to Apple would seem to be mostly limited to people being able to load alternative firmware, it would be a 'jailbreak' thing. And for a very small number of people law enforcement could access their phone when being 'searched'.

                      The former of which Apple simply does not want us to be able to do and the latter of which they want us to believe impossible. Oh, and it would be all law enforcement, as well as even the smallest of small-time hackers and data thieves. You do realize that, if the key gets out publicly (you know, since you mentioned people being able to load their own firmware), it's out there for everyone, right? Not just the good guys?

                    • So the fallout to Apple would seem to be mostly limited to people being able to load alternative firmware, it would be a 'jailbreak' thing. And for a very small number of people law enforcement could access their phone when being 'searched'.

                      The former of which Apple simply does not want us to be able to do and the latter of which they want us to believe impossible. Oh, and it would be all law enforcement, as well as even the smallest of small-time hackers and data thieves. You do realize that, if the key gets out publicly (you know, since you mentioned people being able to load their own firmware), it's out there for everyone, right? Not just the good guys?

                      Of course, in case you forgot I wrote: "So its disclosure would seem to require physical access to the device to compromise it". Note that limits the number of hackers, and that they are also defeated by remote wiping. I assume law enforcement has some way to tell Apple not to remote wipe.

                    • "So its disclosure would seem to require physical access to the device to compromise it". Note that limits the number of hackers

                      But it does open the stolen device market back up in a huge way.

                      and that they are also defeated by remote wiping.

                      Unless the thief turns the device off. Their hacker friend would then boot into DFU to load the new firmware, overwriting only the /system partition.

                      I assume law enforcement has some way to tell Apple not to remote wipe.

                      See above. Replace "thief" with "cop" and "hacker" with "technician".

                      If you think the impact would be negligible, you aren't very creative, friend.

        • i'd be really surprised if Apple outsourced their firmware development to Foxconn without auditing the shit out of it. they're pretty obsessive about that.

          Foxconn are the ones that build the hardware and install the software; if they wanted to slip a backdoor into iDevices, they are in the prime position to do it. But of course no Chinese company would ever do that to an American company.

          So, do you think that an installation via JTAG bypasses code-signing? The installation probably does; but I would doubt the signature check would be bypassed upon execution.

    • Foxconn's other devices? The ones with the fruity logo?

      Nope. Apple does their own Firmware for every single thing they design.

  • Comey and Putin will both be sooo happy

  • This is good. A way to make unlocking the bootloader easier.
    We should all already assume that a person with extended physical access to a phone can get control over it.
    The only protection is full-device encryption with a strong password. (Or PIN with crypto chip done better than the iPhone the FBI was recently in the news over.)

    We don't want to have to enter that every time we unlock the screen, so a compromise is to use the encryption password on boot-up, and a fingerprint/PIN/pattern on screen unlock.

    • This affects the Nextbit Robin, which is already bootloader unlockable (just run "fastboot oem unlock-go" and that's it).

  • "Unaware" - more likely they are aware but are not permitted to talk to anyone about it.

  • Jailbreak (Score:5, Interesting)

    by brunes69 ( 86786 ) <slashdotNO@SPAMkeirstead.org> on Thursday October 13, 2016 @08:35PM (#53073255) Homepage

    Can I use this to jailbreak my own phone? Please share if so.

  • by Anonymous Coward on Thursday October 13, 2016 @08:35PM (#53073263)

    Anybody who thinks they have any security or privacy whatsoever on their phone is kidding themselves. Cellular phones are designed in such a way to enable tracking for the purpose of providing service. You can't avoid it, and at best we might be able to design a communication device (which has never been done) that reduces the resolution at which tracking can or need occur. The solution to the security (as opposed to tracking) problems is to release the complete set of source code. That won't make devices secure in and of itself, but it is an essential first step. The next would be reducing the code base such that the code could be properly cleaned up, audited and analysed for vulnerabilities, and hopefully fixed. These phones are also designed such that the modems have complete control over the entirety of the device or near-so. Once that is true (which it is for all or near all phones) you can't secure it. It's just not possible. The modem must be separate and not have access to memory/mic/etc, or at least not without the core OS giving it permission. The modem firmwares can be and are remotely updated and have been used to remotely record and bug users. Cell phones are extremely dangerous devices.

    • yeah, but unless you also control/audit the compiler and so on, all the way down to the chip fab, you're never gonna be 100% sure it's clean.

      eg - what if Intel/Qualcomm/etc have their own backdoors built in, per order of the US government? Google/etc certainly have their own features built in. http://www.pcworld.com/article... [pcworld.com] or https://www.wired.com/2013/05/... [wired.com]

      Or, what if there is some malicious Easter egg built into the chip? etc, etc...

  • by BoRegardless ( 721219 ) on Thursday October 13, 2016 @08:42PM (#53073285)

    So how many programmers have put in ostensible 'back doors' or let us say 'faults' so they can sell those "mistakes" to hackers for big $s.

    Come on now, don't tell me the programmers in China and Taiwan are STUPID.

    • by johanw ( 1001493 )

      So that is how Kingroot is able to root even the most obscure devices.

    • by Anonymous Coward

      Occam's razor:
      a) The developers are fairly smart and intentionally left a debugging feature available knowing that it would be fairly easy to spot if someone looked in the right place, then sold the knowledge of the backdoor for big bucks.
      b) The developers forgot to disable a debugging feature.

    • Does the NSA count as "hackers"?

      They paid RSA $10M for a backdoor: http://thehackernews.com/2013/... [thehackernews.com]

  • ...does it allow locked bootloaders to be unlocked?

    It'd be nice for a "backdoor" to actually be a boon to consumers for once.

  • There are plenty of Chinese manufactured connected devices with back doors. I don't trust Foxconn. I wouldn't be surprised if iPhones have back doors as well. As a precaution I NEVER do any financial transactions on my phone. Don't use your social security number and birthday on your phone or unsecured PC or you will face identity theft for certain.
    • If there is a backdoor in iOS devices it was put there by Apple not Foxconn. Firmware must be digitally signed by Apple or the hardware refuses to run it. Foxconn has no opportunity to modify the firmware.
    • by AHuxley ( 892839 ) on Thursday October 13, 2016 @11:29PM (#53073959) Journal
      It's the US brands that trusted, supported, helped, upgraded and bought into low-pay nations over decades.
      It's the US product brand on the device with US testing, spec and support.
      Designed to US brands' spec, per production run and contract.
      The only easy way to secure a product is to make it in house. Have your own fab running in the USA or a trusted Five Eyes-like nation.
      US production runs in global factories are just puzzles to the smart international staff.
      How many humans are needed, humans and robots or robots per part.
      Also the same products have to sell globally. A lot of police forces/mil/govs just do not allow any device they can't totally access to be part of their national telco networks.
      No need to run per-nation production lines. Just have a police backdoor compliance per device, no need for extra production teams. The security services are happy, no per-nation bans, or competing products being granted access to lucrative markets.
    • Why would the hardware in your PC be less likely to be backdoored? It was probably made in the same foundries.
  • by dohzer ( 867770 ) on Thursday October 13, 2016 @10:11PM (#53073667) Homepage

    I'm sure Apple has no back-doors, Foxconn or not.

  • Samsung handsets have settled for actual explosions, instead of "Pork Explosions".
  • by mveloso ( 325617 ) on Friday October 14, 2016 @12:01AM (#53074067)

    Secure by design - and insecure by design as well.

  • ...this can be used to jailbreak/root an otherwise unrootable phone? (Just re-rooted my Kindle Fire after Amazon kindly decided to lock it back up for me through a forced OTA update. This time, I didn't foolishly neglect to disable all auto updating. Muhahahaha....)
  • Only a huge payout will make companies lose their appetite for such "accidental" and "I-didn't-know-about-it" backdoors in the future.
  • It's a truism that if someone has physical access to a device, they can compromise it. Modulo any time/money requirements such as (worst case) cloning the device to brute-force it.

  • by GrumpySteen ( 1250194 ) on Friday October 14, 2016 @07:53AM (#53075147)

    Security defects have to be explained to managers in order to justify spending time and money on fixes. Going to a manager and saying "we have a problem with pork explosion" is a good way to ensure that you'll be dismissed out of hand.

    I don't know what peculiar mental abnormality is causing security researchers to keep trying to top each other in coming up with the stupidest name possible for exploits, but they really need to re-think what they're doing and how it makes them look to the rest of the world.

  • we can call it URSS now? (new cold war! Kill the commies! / SARCASM)
  • by Shoten ( 260439 ) on Friday October 14, 2016 @09:25AM (#53075439)

    This is why I carry an iPhone. That way, I don't have to worry about a backdoor pork explosion in my pants. It's the little things, you know...

  • I'm voting for it having been 'intentionally' left there.

    There's got to be a way to stop this sort of thing from happening. Perhaps an independent, 3rd-party testing agency that can sift through a phone to ensure there are no such vulnerabilities, and a government mandate that all phones must pass muster before being allowed for sale? Similar to how the FDA requires testing of medical devices before being allowed for sale in the U.S., except not so corrupt.
