The security and integrity of Android bootloaders directly affect the security of the devices they run on. So when there’s news of bootloader vulnerabilities, the mobile security community takes notice. Recently, researchers identified six zero-day vulnerabilities in a number of Android bootloaders from major manufacturers. A tenet of the NowSecure mission is educating customers about the latest mobile security threats to help them maximize the security of the mobile apps they use and develop. This blog post offers a concise summary of the BootStomp findings and Android bootloader security, why the vulnerabilities matter, their impact, and what organizations can do about them.
What is BootStomp?
BootStomp is an open-source tool developed by a team of University of California, Santa Barbara researchers to analyze bootloaders and identify vulnerabilities. In August they presented “BootStomp: On the Security of Bootloaders in Mobile Devices” (whitepaper | slides) at the USENIX Security Symposium 2017.
Bootloader analysis has always been difficult because bootloaders are usually closed-source, and the researchers created the BootStomp tool to make it easier. Using their tool to analyze five bootloaders from popular device manufacturers, the researchers identified six previously unknown critical vulnerabilities and one previously known vulnerability:
- 5 zero-day vulnerabilities in the HiSilicon chipset used in the Huawei P8 ALE-L23 device
- 1 zero-day vulnerability in the NVIDIA Tegra chipset used in the Nexus 9 device
- 1 known vulnerability (CVE-2014-9798) in an older version of the Qualcomm LK bootloader
Root privileges are required to exploit the vulnerabilities, but the researchers argue that the bootloader should maintain its integrity even in the event that the higher-level Android OS is compromised. Even if root access is required, at least one of these vulnerabilities can allow an attacker to persist on the device and do so without being easily detected. The researchers’ presentation slides state that all of the vulnerabilities have been acknowledged by the vendors and fixed.
How does BootStomp affect Android bootloader security?
Bootloaders are low-level programs that launch the operating system (OS) when a system is turned on. Booting up is a multi-stage process. Each stage loads the next stage, verifies that it is authorized and hasn’t been tampered with, and only then executes it. Some of those verifications can be disabled (e.g., for development or customization purposes), and an attacker in control of the OS can insert untrusted input into the bootloader. Here’s one of the core issues (from the paper): “If an attacker can compromise the final stage bootloader, they will likely be able to also affect any functionality it contains, as well as any that it in turn loads, which in these cases, is the Android kernel and OS.”
Sound complicated? It is, and the UC Santa Barbara team has shed light on a previously murky area of Android integrity and security that nonetheless remains rather perplexing. It’s important to note that this tool, and the researchers’ findings, break new ground in analyzing the security of bootloaders and hopefully enhancing that security. But malicious individuals also have an interest in learning more about bootloaders and using that knowledge to concoct methods to exploit bootloaders.
Boot integrity is a great origination point for trust within a mobile device. If a bootloader’s integrity is compromised, it can invalidate or circumvent almost every other integrity check or security mechanism that exists on a mobile device.
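The multi-stage verification described above can be modeled in a few lines. This is an added example, not code from the BootStomp paper or tool; the stage names and images are constructed, and plain SHA-256 digests stand in for the signature checks a real bootloader performs.

```python
import hashlib


def digest(image):
    return hashlib.sha256(image).hexdigest()


def provision(images):
    """Build the chain: each stage stores the digest of the stage it loads next."""
    chain = []
    for i, (name, image) in enumerate(images):
        expect = digest(images[i + 1][1]) if i + 1 < len(images) else None
        chain.append({"name": name, "image": image,
                      "expect_next": expect, "verify": True})
    return chain


def boot(chain):
    """Walk the chain; return (names of stages that executed, error or None)."""
    executed = [chain[0]["name"]]  # the first stage is the root of trust
    for cur, nxt in zip(chain, chain[1:]):
        # Load the next stage, verify it, and only then execute it.
        if cur["verify"] and digest(nxt["image"]) != cur["expect_next"]:
            return executed, f"{cur['name']} refused to run {nxt['name']}"
        executed.append(nxt["name"])
    return executed, None


# Constructed stage names and images (assumptions, not from any real device).
IMAGES = [("boot-rom", b"rom v1"),
          ("final-bootloader", b"bl v1"),
          ("kernel", b"kernel v1")]


def scenario(tamper_kernel, final_stage_verifies):
    """Boot with an optionally modified kernel and an optionally disabled check."""
    chain = provision(IMAGES)
    if tamper_kernel:
        chain[2]["image"] = b"kernel v1 (modified)"
    chain[1]["verify"] = final_stage_verifies
    return boot(chain)


if __name__ == "__main__":
    print(scenario(False, True))   # clean boot: every stage runs
    print(scenario(True, True))    # modified kernel is rejected
    print(scenario(True, False))   # check disabled: modified kernel runs
```

The third scenario is the case the paper's quote describes: once the final-stage check no longer holds, everything loaded after it runs unverified.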
Android bootloader security takeaways from the BootStomp research
Organizations should consider a few things as a result of this new research:
- Don’t assume that mobile hardware or platforms are secure. Whenever new research exposes previously hidden aspects of mobile hardware and platform security, security issues are usually identified.
- Despite fixes, many devices will remain vulnerable. While vendors have fixed the vulnerabilities, affected devices that are already in market or in production may not receive updates for a long time, if at all, because of challenges stemming from Android fragmentation.
- For better or worse, BootStomp makes security analysis of bootloaders easier. This means an organization’s security analysts can use the open-source BootStomp tool to analyze bootloaders of interest, but so too can malicious individuals.
In sum: What do you need to do?
A mature mobile security program should both implement layers of security and consider that those layers can be circumvented. It’s critical to understand the security controls — often developed by the OS and hardware vendors — so that you know what those controls protect and how effective they are at any given time. Knowing why the security controls are in place and what assets they protect will help you assess the impact of new developments, such as BootStomp, on your organization. You can then evaluate mitigating controls that help you identify whether data has been compromised, minimize the impact, and implement additional controls if necessary.
Putting that approach in practice for a financial institution might look something like this:
- Understand what data could be compromised. In the case of persistent root access, it’s safe to say all app data is at risk.
- Define sensitive data (e.g., username, password, etc.) and functionality (e.g., funds transfer, check deposit, etc.) associated with the app. That includes branded apps and third-party apps that employees or customers rely on. The best way to determine and assess the security of an app’s functionality and the data it handles is with the NowSecure Platform for 360-degree coverage of mobile app security testing, the only one to provide static, dynamic, and behavioral analysis for Android and iOS apps.
- Determine how to spot this sort of compromise in the wild. For example, monitoring for anomalous transactions coming from vulnerable Android devices or using your fraud system to identify an increase in money transfers from vulnerable Android devices.
- Identify additional controls for flagged devices or transactions (e.g., require two-factor authentication for those transfers or interaction with a call center). Determine what steps can be taken to operationalize those mitigations.
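The last two steps can be sketched as a simple fraud rule. This is an added example, not NowSecure code: the transfer records are constructed, the affected-model set uses only the device models named in this post, and a real deployment would also key on firmware or bootloader version rather than model alone.

```python
from collections import defaultdict

# Assumption: models treated as affected, taken from the devices named in this post.
AFFECTED_MODELS = {"ALE-L23", "Nexus 9"}

# Constructed sample data: (day, device model, funds-transfer amount).
TRANSFERS = [
    (1, "Pixel 2", 120), (1, "ALE-L23", 40), (1, "SM-G950F", 75), (1, "Pixel 2", 60),
    (2, "SM-G950F", 200), (2, "Nexus 9", 35), (2, "Pixel 2", 90), (2, "SM-G950F", 15),
    (3, "ALE-L23", 900), (3, "ALE-L23", 850), (3, "Nexus 9", 700), (3, "Pixel 2", 50),
]


def affected_share(transfers):
    """Per day: fraction of transfers that came from an affected model."""
    total, hits = defaultdict(int), defaultdict(int)
    for day, model, _amount in transfers:
        total[day] += 1
        hits[day] += model in AFFECTED_MODELS
    return {day: hits[day] / total[day] for day in total}


def flag_days(transfers, baseline_days, ratio=2.0):
    """Days whose affected-device share exceeds ratio x the baseline average."""
    share = affected_share(transfers)
    base = [share[d] for d in baseline_days if d in share]
    if not base:
        raise ValueError("no baseline data")
    threshold = ratio * sum(base) / len(base)
    return sorted(d for d in share
                  if d not in baseline_days and share[d] > threshold)


def required_control(model, day, flagged):
    """Map a transfer to the additional control it should trigger."""
    if model not in AFFECTED_MODELS:
        return "none"
    return "step_up_2fa" if day in flagged else "monitor"


if __name__ == "__main__":
    flagged = flag_days(TRANSFERS, baseline_days={1, 2})
    for day, model, amount in TRANSFERS:
        print(day, model, amount, required_control(model, day, flagged))
```

Using the share of transfers rather than a raw count keeps the rule from firing on days when overall volume simply went up.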
Mobile devices and apps are astonishingly complex, which makes securing them a challenge. That’s why the NowSecure dream-team of mobile security researchers dedicates itself to exploring every nook and cranny of the mobile platforms to help make mobile safer. To learn how NowSecure and the NowSecure Platform can help you manage mobile app security risk or more specifically develop a programmatic approach to new mobile vulnerabilities such as those identified by BootStomp, e-mail us at [email protected] or fill out our contact form.