Pork Explosion : Another critical vulnerability that affects several Android smartphones

Smartphone security has been a hot topic in the industry, and most of the fear about compromised security is aimed at Android. That's a fact; whether it is deserved is up for debate. In the previous months we've seen the Quadrooter exploits and then the Dresscode malware, among others. None of those turned out to be as big a problem as they were initially made out to be, but they were real problems, and given the state of Android fragmentation, most of the affected devices have not received and will not receive any updates to seal those security holes.

Luckily though, Google works behind the scenes to ensure such threats don’t pose an issue. However, now we have another security hole that is said to be critical. 

Dubbed Pork Explosion, this vulnerability was found by security researcher Jon Sawyer, known more popularly in the Android community as Justin Case or jcase. He explains, "Pork Explosion is a backdoor found in the apps bootloader provided by Foxconn."

You may have heard the name Foxconn, particularly in relation to big names like Apple and Nokia. Foxconn is a Taiwanese multinational electronics contract manufacturer and it assembles phones for many companies. According to Wikipedia, the major customers of Foxconn include:

[Image: Foxconn.jpg, a list of Foxconn's major customers]

If you're wondering why you need to know how big a deal Foxconn is when what you're interested in is the vulnerability, I'd like to highlight Sawyer's statement again: "Pork Explosion is a backdoor found in the apps bootloader provided by Foxconn."

This gives us an idea of how widespread this vulnerability could be. It affects the bootloaders of devices that were made by Foxconn. An outside command sent to an affected phone can restart it in a "Factory Test Mode" with elevated privileges and reduced security, in which case SELinux is switched from 'enforcing' to 'disabled'. The adb daemon (a term you may have come across if you're into hacking and rooting) automatically runs as root. In simple words, this is an extremely vulnerable state for an Android phone to be in.
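The two symptoms the article names for a phone sitting in factory test mode, SELinux no longer enforcing and the adb daemon running as root, are both visible from an ordinary `adb shell`. The following is an added example, written for this page and not code from the article or from jcase's research: a read-only posture check that parses the output of `getenforce`, `id` and `getprop` and flags anything that departs from a production build. The sample outputs are constructed for the demo, and the check only reports the device's current state; it does not detect whether the backdoor is present in the bootloader, which the article notes there is no app for yet.

```python
"""Read-only posture check for the symptoms of an Android device that has been
rebooted into an elevated factory-test state: SELinux not 'Enforcing', adbd as
root, and the ro.secure / ro.debuggable properties set to debug values.
Added example for this page, not from the article or from jcase."""
import subprocess
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PostureReport:
    selinux_mode: str
    adb_uid: Optional[int]
    props: dict
    findings: list = field(default_factory=list)

    @property
    def elevated(self) -> bool:
        """True when at least one production expectation is violated."""
        return bool(self.findings)


def parse_id_uid(id_output: str) -> Optional[int]:
    """Pull the numeric uid out of `id` output such as 'uid=2000(shell) gid=...'."""
    for token in id_output.split():
        if token.startswith("uid="):
            num = token[4:].split("(")[0]
            if num.isdigit():
                return int(num)
    return None  # unparseable output: report as unknown rather than guessing


def assess_posture(getenforce_output: str, id_output: str, props: dict) -> PostureReport:
    """Compare the collected values against what a shipped, locked-down build shows."""
    mode = getenforce_output.strip()
    uid = parse_id_uid(id_output)
    report = PostureReport(selinux_mode=mode, adb_uid=uid, props=dict(props))

    # The article's symptom 1: SELinux flipped away from enforcing (Permissive or Disabled).
    if mode.lower() != "enforcing":
        report.findings.append(f"SELinux is '{mode}', expected 'Enforcing'")
    # The article's symptom 2: the adb shell is root instead of the 'shell' user (uid 2000).
    if uid == 0:
        report.findings.append("adb shell runs as uid 0 (root)")
    # Release builds set ro.secure=1 and ro.debuggable=0; anything else widens exposure.
    if props.get("ro.secure", "1") != "1":
        report.findings.append("ro.secure is not 1 (adbd may run unrestricted)")
    if props.get("ro.debuggable", "0") != "0":
        report.findings.append("ro.debuggable is not 0 (debug build)")
    return report


def collect_via_adb(serial: Optional[str] = None) -> PostureReport:
    """Run the same check against a connected device (needs adb on PATH and USB debugging)."""
    base = ["adb"] + (["-s", serial] if serial else [])

    def sh(*args: str) -> str:
        return subprocess.run(base + ["shell", *args], capture_output=True,
                              text=True, check=True).stdout

    props = {k: sh("getprop", k).strip() for k in ("ro.secure", "ro.debuggable")}
    return assess_posture(sh("getenforce"), sh("id"), props)


# Constructed sample outputs (not captured from a real device).
HEALTHY = ("Enforcing\n",
           "uid=2000(shell) gid=2000(shell) groups=2000(shell)\n",
           {"ro.secure": "1", "ro.debuggable": "0"})
FACTORY_TEST_LIKE = ("Disabled\n",
                     "uid=0(root) gid=0(root) groups=0(root)\n",
                     {"ro.secure": "0", "ro.debuggable": "1"})


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("factory-test-like", FACTORY_TEST_LIKE)):
        report = assess_posture(*sample)
        print(f"{label}: {'ELEVATED' if report.elevated else 'ok'} {report.findings}")
```

Run it as-is to see the two constructed samples scored; call `collect_via_adb()` to score a device plugged in over USB. A report with no findings means the phone is currently in its normal state, nothing more.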

Such access leaves your phone open to all sorts of attacks, and it wouldn't matter how many precautions you took or how many antivirus apps you had installed. Your lockscreen can be bypassed, and the bootloader can be unlocked without wiping user data, leaving your phone even more vulnerable. As of now, I can't think of many things that can't be done to a phone in this state, other than physical things, which brings us to a very important point: this exploit does not work remotely, and the attacker needs physical access to the device. So unless you lose your phone or something similar, you're safe.

There's a lot more technicality involved in executing such an attack, and if you're interested in that I'd suggest you read the article by Cody Toombs at Android Police. The link can be found below the article. The main takeaway is that it's not easy to exploit unless your name happens to be Felicity Smoak or Cisco Ramon.

So why does this backdoor exist in the first place, you ask?

Smartphone manufacturers use the "Factory Test Mode" regularly to test the software and the hardware they're producing. With these elevated privileges they can run diagnostics that help them find particular issues. Usually this mode, or any sort of access to it, is sealed or removed entirely before a device is ready for the market. Foxconn, or someone at Foxconn, either forgot to seal it up or didn't know this needs to be done, perhaps through a lack of understanding of the implications. It's unlikely that someone at Foxconn did this intentionally.

Are all devices by Foxconn’s partners affected?

It's not yet clear which devices are affected by this vulnerability, but even considering the large list of Foxconn customers, I'd say the impact is not as huge as it could have been. It could be quite widespread, but it could have been much worse.

Not every phone made or assembled by Foxconn is affected. Most large OEMs like Motorola, Sony and others do all the software themselves, but some leave low-level firmware development to their manufacturing partners (like Foxconn). I can't say with certainty which companies these are, but they are usually the smaller brands. Android Police suggests older devices could also be vulnerable. This still makes for quite a long list of potentially vulnerable devices.

There is also something that should be noted: even if Foxconn was involved in the firmware for a device, the bootloader may still have been done by someone else. Also, because of the heavy tinkering involved in most Android smartphones, it is possible the manufacturer took certain steps to ensure no one accidentally stumbles onto the Factory Test Mode, which means the commands for the exploit may not work directly.

So far, Sawyer has identified two devices with this backdoor, one being the Nextbit Robin and the other the InFocus M810. Sawyer has already reported the issue to Foxconn and the manufacturers. Nextbit has already issued a patch for the Robin on October 11th that fixes this exploit, but I have no knowledge of whether InFocus has done something about it yet. Sawyer says he waited for Nextbit to release the patch before outing Pork Explosion.

Unfortunately, there's no app right now that will let you see if your device is vulnerable, nor is there anything you can do yourself to fix this.

Source: jcase, via Android Police
