SOME ANDROID SMARTPHONES made by contract manufacturer Foxconn are 'infected' with potential malware that could be used to provide backdoor access for an attacker.
The malware, dubbed Pork Explosion by Jon Sawyer, the security researcher who found it, is a debugging feature that the manufacturer appears to have carelessly left on the devices.
However, the security flaw is so serious that a competent hacker could exploit a device in just five seconds, according to Sawyer, provided they had physical access.
Fortunately, the backdoor appears at this time to have made its way onto only a small number of fairly fringe devices, including the Nextbit Robin and the InFocus M810, although many more may be affected.
Nextbit has taken prompt action to mitigate the risks, added Sawyer. Indeed, the company issued a patch in its October update schedule that should fix the security flaw for Nextbit users.
"Pork Explosion allows an attacker with physical access to a device to gain a root shell with SELinux disabled through USB. The attack can be made through fastboot and the apps bootloader, or through ADB if access is available," said Sawyer in a blog post revealing the Pork Explosion flaw.
"Due to the ability to get a root shell on a password-protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products."
Sawyer uncovered the backdoor while examining the Nextbit device, noticing a fastboot command that "seemed out of place".
"Two types of fastboot commands exist, normal ones and OEM ones. Normal commands result in the command being sent over USB in a 'command:parameters' format," he explained.
"Normal commands are hard coded into the fastboot client. OEM commands are where non standard commands belonging to the device manufacturer are implemented."
However, the command in question was neither. "This command was supported by the mobile device, but a means of accessing it was not implemented in fastboot," said Sawyer.
"In order to interface with this command, a custom client had to be created. The custom client connects to the device, and sends the bytes 7265626F6F742D66746D (reboot-ftm) to the bootloader."
After issuing this command the phone boots into a factory test mode where it runs as root. "In short, this is a full compromise over USB which requires no log-on access to the device," he said. µ
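For anyone reviewing USB captures or a bootloader's command table, the three-way split described above (normal, OEM, neither) can be checked mechanically. The sketch below is an added example, not Sawyer's code: the baseline command set is an assumed allowlist of standard fastboot commands, the capture is constructed, and `oem example` is a hypothetical OEM command.

```python
# Added example: triage fastboot host-to-device commands from a USB capture.
# STANDARD is an assumed baseline of normal fastboot commands; adjust it to
# the protocol version being audited.
STANDARD = {"getvar", "download", "upload", "verify", "flash", "erase",
            "boot", "continue", "reboot", "reboot-bootloader",
            "powerdown", "set_active"}

def classify(payload_hex):
    """Return (category, text) for one hex-encoded command payload."""
    try:
        text = bytes.fromhex(payload_hex).decode("ascii")
    except ValueError:  # bad hex or non-ASCII bytes
        return ("undecodable", payload_hex)
    # OEM commands carry the manufacturer's own verbs after an "oem" prefix.
    if text == "oem" or text.startswith("oem "):
        return ("oem", text)
    # Normal commands use 'command:parameters'; compare the whole command
    # name, because a prefix match on "reboot" would wave "reboot-ftm" through.
    name = text.split(":", 1)[0]
    if name in STANDARD:
        return ("standard", text)
    return ("unrecognised", text)

def triage(capture):
    """Return the decoded commands that are neither standard nor OEM."""
    return [text for cat, text in map(classify, capture)
            if cat == "unrecognised"]

# Constructed sample capture. The third entry is the byte string quoted in
# the article; the others are encoded here for illustration.
SAMPLE_CAPTURE = [
    "getvar:product".encode("ascii").hex(),
    "oem example".encode("ascii").hex(),   # hypothetical OEM command
    "7265626F6F742D66746D",
    "reboot".encode("ascii").hex(),
]

if __name__ == "__main__":
    for item in SAMPLE_CAPTURE:
        print(classify(item))
    print("needs review:", triage(SAMPLE_CAPTURE))
```
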