A security researcher has uncovered a debugging feature left in some Android firmware images on devices assembled by Foxconn that essentially serves as a fully functioning backdoor that can be exploited in as little as five seconds.
Researcher Jon Sawyer found the backdoor in a bootloader that Foxconn provides on some of the Android phones it assembles, specifically the Nextbit Robin and the InFocus M810. Sawyer said the backdoor, which he calls Pork Explosion, is the result of Foxconn leaving a debugging feature in the firmware by mistake.
“It’s obviously carelessness,” Sawyer said.
In order to exploit the issue, an attacker would need physical access to the device. But that’s just about all he’d need, Sawyer said.
“The ability to recompile the fastboot binary is the barrier. It’s relatively low,” he said.
Once the attacker has exploited the backdoor, he would be able to take any number of actions, including extracting data.
“Pork Explosion allows an attacker with physical access to a device to gain a root shell, with selinux disabled through usb. The attack can be made through fastboot and the apps bootloader, or through adb if access is available. Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products,” Sawyer said in a post on the vulnerability.
The problem comes down to a single command, and Sawyer had to write a custom client in order to reach it. Once he did, he could connect to the device over USB and send a specific sequence of bytes to the bootloader, which would then put the phone into factory test mode.
“While in factory test mode adbd is running as root, and it requires no authentication to access a shell through adb. SELinux is in a disabled state, and it is not permissive but fully disabled,” Sawyer said.
“In short, this is a full compromise over usb, which requires no logon access to the device. This vulnerability completely bypasses authentication and authorization controls on the device. It is a prime target for forensic data extraction. While it is obviously a debugging feature, it is a backdoor, it isn’t something we should see in modern devices, and it is a sign of great neglect on Foxconn’s part.”
Sawyer contacted Nextbit, which issued a fix for the problem on Tuesday. He also tried to contact Foxconn, both through Google’s Android security team and the Qualcomm Product Security Initiative, but said he received no response.
“About 90% of our users have already installed the October update and so are safe from this vulnerability,” Nextbit said in a blog post.
This story was updated on Oct. 20 to add the comment from Nextbit.
Image from Flickr stream of Preston Rhea.