Android may also be prone to backdoor access through a debugging feature in the OS bootloader. However, only devices with firmware developed by Foxconn appear to be affected by this vulnerability. The OS bootloader can act as a backdoor and let an unauthorized third party with USB access to a vulnerable device bypass authentication procedures. The issue has been disclosed by security researcher Jon Sawyer, who named the backdoor… Pork Explosion.
More about Foxconn
Hon Hai Precision Industry Co., Ltd., trading as Foxconn Technology Group, is a Taiwanese multinational electronics contract manufacturing company headquartered in New Taipei City, Taiwan. Foxconn is the world’s largest contract electronics manufacturer, and the third-largest information technology company by revenue.
The researcher explains that the backdoor may be found in many devices because “Foxconn assembles phones for many many vendors”. Plus, some of the vendors may choose to allow Foxconn to build many low-level pieces of firmware.
The researcher has identified at least two vendors with vulnerable devices, InFocus (M810) and Nextbit (Robin), but he believes the list could be much longer. Pork Explosion allows an attacker with physical access to a device to gain a root shell.
Pork Explosion Attack Explained
According to the researcher, the attack can be carried out via fastboot and the apps bootloader, or via adb if access is available. Because it yields a root shell on a password-protected or encrypted device, Pork Explosion would be valuable for forensic data extraction, brute forcing encryption keys, or unlocking the bootloader of a device without resetting user data.
The worst thing is that phone vendors were unaware this backdoor has been placed into their products.
According to Sawyer, this is how one can detect Android devices affected by Pork Explosion:
For those looking to detect vulnerable devices, you can check for the partitions “ftmboot” and “ftmdata”. The “ftmboot” partition contains a traditional Android kernel/ramdisk image. This one has SELinux disabled, and adb running as root. The “ftmdata” partition is mounted on /data during ftm bootmode. These partitions are only a sign that the device is vulnerable.
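The partition check described above can be scripted for device triage. The following is an added example, not code from the researcher or from this article: it scans a by-name partition listing for "ftmboot" and "ftmdata". The listing format, the sample data and the function names are assumptions, and a hit is an indicator to investigate, not proof of the backdoor.

```sh
#!/bin/sh
# Added example: flag the factory-test partitions named in the article in a
# partition listing captured from a device. How the listing is obtained is an
# assumption (for instance an "ls -l" of the device's by-name block directory
# over adb; that path varies between devices).

# Constructed sample listing, not taken from a real device.
SAMPLE_LISTING='lrwxrwxrwx root root 1970-01-10 04:12 boot -> /dev/block/mmcblk0p37
lrwxrwxrwx root root 1970-01-10 04:12 ftmboot -> /dev/block/mmcblk0p41
lrwxrwxrwx root root 1970-01-10 04:12 ftmdata -> /dev/block/mmcblk0p42
lrwxrwxrwx root root 1970-01-10 04:12 userdata -> /dev/block/mmcblk0p45'

# Read a listing on stdin; print each indicator partition found, one per line.
# Accepts "ls -l" symlink lines (name -> target) or bare names, one per line.
find_ftm_partitions() {
    awk '
        {
            name = $NF                       # bare-name line: last field
            for (i = 1; i < NF; i++)         # symlink line: field before "->"
                if ($(i + 1) == "->") name = $i
            sub(/^.*\//, "", name)           # drop any directory prefix
            # Exact match only, so names like "ftmboot_bak" are not flagged.
            if (name == "ftmboot" || name == "ftmdata") seen[name] = 1
        }
        END {
            if (seen["ftmboot"]) print "ftmboot"
            if (seen["ftmdata"]) print "ftmdata"
        }'
}

# Summarise a listing on stdin: status 0 if an indicator is present, else 1.
check_listing() {
    found=$(find_ftm_partitions)
    if [ -n "$found" ]; then
        echo "indicator partitions present:" $found
        return 0
    fi
    echo "no ftmboot/ftmdata partition in listing"
    return 1
}

printf '%s\n' "$SAMPLE_LISTING" | check_listing
```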
For full technical disclosure, visit the researcher’s page.