fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations

Authors: 

Roee Hay, Aleph Research, HCL Technologies

Abstract: 

We discuss the fastboot interface of the Android bootloader, an area of fragmentation in Android devices. We then present a variety of vulnerabilities we have found across multiple Android devices. Most notable ones include Secure Boot & Device Locking bypasses in the Motorola and OnePlus 3/3T bootloaders. Another critical flaw in OnePlus 3/3T enables easy attacks by malicious chargers – the only prerequisite is a powered-off device to be connected. An unexpected attack vector in Nexus 9 is also shown – malicious headphones. Other discovered weaknesses allow for data exfiltration (including a memory dumping of a Nexus 5X device), enablement of hidden functionality such as access to the device’s modem diagnostics and AT interfaces , and attacks against internal System-on-Chips (SoCs) found on the Nexus 9 board.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {206142,
author = {Roee Hay},
title = {fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations},
booktitle = {11th USENIX Workshop on Offensive Technologies (WOOT 17)},
year = {2017},
address = {Vancouver, BC},
url = {https://www.usenix.org/conference/woot17/workshop-program/presentation/hay},
publisher = {USENIX Association},
month = aug
}