Friday, November 10, 2017

bootloader lock - What's the security implication of having an unlocked boot loader?


Nexus devices can be unlocked using the fastboot command fastboot oem unlock to install a custom firmware. For security reasons, the phone is wiped when this command is executed. However, after this is done, most people leave the boot loader unlocked.


Devices that support unlocking the boot loader: SonyEricsson (now Sony), Sony, newer HTC devices, ??


Is there a security problem with an unlocked bootloader?
If this is the case, what can be done?



Answer



A permanently unlocked boot loader (BL) on a Nexus device is a big security risk.

It's only recommended for a pure developer phone.


An insecure BL enables all sorts of fastboot commands that can be used, for example, to do the following:

  • Conduct a cold boot attack to recover the key for Android's full disk encryption

  • Make a copy of the device
    E.g. by booting a custom image (adb boot boot.img), then copying partition dumps

  • Erase data using fastboot erase

  • Flash arbitrary Android firmware, recovery images or radio firmware
    fastboot flash radio|recovery|boot|...

  • Install a root kit (boot custom recovery, then modify system files)

  • Steal Google/Facebook/whatever accounts stored on the phone

  • etc.


In case someone has their device encrypted, full access is not immediately possible. However, there exists cracking software to brute force the used encryption PIN/passphrase. Altering the firmware is always possible (i.e. an evil maid attack, a.k.a. installing a rootkit/password logger/etc.).


This is the normal process of modding a Nexus device:



  • unlock the bootloader (fastboot oem unlock)

  • boot/install insecure/open custom recovery

  • install custom firmware



To secure your modded device you should do this afterwards:



  • install a safe recovery image again (custom recoveries like TWRP/CWM are unsafe)
    use the extracted recovery.img from Google's factory firmware file, available here

  • relock the bootloader (fastboot oem lock)


This breaks the usual update mechanisms like RomManager. In case you need to upgrade, you can run flash_image recovery recovery.img (as root on the regular Android OS, it bypasses the BL lock) to install a temporary custom recovery again, use this once to upgrade the firmware, and then remove the custom recovery again by doing a flash_image recovery stock.img. I know, this is not very user-friendly right now, but let's hope the situation improves on the custom recovery front.


Some background on what's possible: http://hak5.org/episodes/hak5-1205 and http://www.youtube.com/watch?v=uM2_CpuzQ0o
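The "secure your modded device afterwards" steps from the answer, as an added shell example that is not part of the original post: it reads the lock state the device reports, refuses to flash a recovery image whose SHA-256 does not match the checksum you took from Google's factory image, and only then relocks. It assumes the device answers `fastboot getvar unlocked` (Nexus devices do); `relock_with_stock_recovery` and `EXPECTED_SHA256` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original answer): guard the relock procedure
# with two checks before touching the device.

# Parse the text `fastboot getvar unlocked` prints (it writes to stderr).
# Prints "locked", "unlocked" or "unknown".
parse_unlocked_state() {
    case "$1" in
        *"unlocked: yes"*) echo unlocked ;;
        *"unlocked: no"*)  echo locked ;;
        *)                 echo unknown ;;
    esac
}

# Return 0 if the image's SHA-256 matches the expected value, 1 otherwise.
# The expected value comes from the factory image you downloaded, so a
# tampered or wrong recovery.img is never flashed back before locking.
verify_image() {
    img="$1"; expected="$2"
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# The relock sequence from the answer (flash stock recovery, then
# fastboot oem lock), run only when both checks above pass.
relock_with_stock_recovery() {
    img="$1"; expected="$2"
    state=$(parse_unlocked_state "$(fastboot getvar unlocked 2>&1)")
    if [ "$state" != "unlocked" ]; then
        echo "bootloader state is '$state'; nothing to do" >&2
        return 1
    fi
    if ! verify_image "$img" "$expected"; then
        echo "refusing to flash $img: checksum mismatch" >&2
        return 1
    fi
    fastboot flash recovery "$img" && fastboot oem lock
}

# Usage, with a device connected in fastboot mode (placeholder checksum):
# relock_with_stock_recovery recovery.img EXPECTED_SHA256_FROM_FACTORY_IMAGE
```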

