A security researcher disclosed a vulnerability in the app bootloader from device manufacturer Foxconn that creates an Android backdoor.
The vulnerability, dubbed "Pork Explosion," can be dangerous, according to Android security researcher Jon "jcase" Sawyer in a pre-disclosure blog post about Pork Explosion. However, the overall risk of Pork Explosion appears limited to a small number of affected devices.
"It can gain execution on a phone without installing an app, enabling USB debugging, or visiting a webpage. No Faraday cage can protect you from the Pork Explosion," Sawyer wrote. "It can be used to root the phone, exfiltrate confidential data, bypass code-signing, bypass dm-verity, bypass lockscreens, brute force encryption keys and, yes, even completely circumvent the ever powerful NSA backdoor Linux Kernel security extension called SELinux."
"While we work to find a cheap PR firm and design a crappy logo with the responsible vendors to milk the publicity solve the issue. We realize the need to hype it for all it is worth warn the public," Sawyer wrote. "Pork Explosion is real; the realities are so overhyped scary that you won't believe it."
Sawyer noted in the official disclosure blog post that the problem arises from a custom fastboot command Foxconn created in its app bootloader. Foxconn is known for assembling phones for vendors, and some vendors also rely on Foxconn to build "low-level pieces of firmware."
So far, Sawyer has identified two vendors with vulnerable devices -- InFocus and Nextbit -- but said there are likely more vendors that are vulnerable. Sawyer said he has worked with Nextbit and a patch for the Nextbit Robin has already been released.
While the Android backdoor requires physical access to the vulnerable device, Sawyer said this could be a tool for law enforcement.
"Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data," Sawyer wrote. "Phone vendors were unaware this backdoor has been placed into their products."
Sawyer plans to release an app to help users detect if their device is vulnerable to Pork Explosion, but wrote that in the meantime, users could "check for the partitions 'ftmboot' and 'ftmdata'" on a device as proof of the flaw.
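The partition check Sawyer describes can be scripted against a device's partition listing. The following is an added example, not code from Sawyer's post or his planned app; the function names, the by-name path in the comment and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the two partition names the article gives as indicators.
# Input: a by-name partition listing, one entry per line, either plain names
# or `ls -l` symlink lines ("... ftmboot -> /dev/block/mmcblk0p30").

find_ftm_partitions() {
    # Print each indicator partition found, matching the whole name only,
    # so that a name such as "ftmboot_bak" is not reported.
    awk '
        {
            name = $NF                           # plain listing: last field is the name
            for (i = 1; i < NF; i++)             # long listing: name precedes "->"
                if ($(i + 1) == "->") name = $i
            sub(/\r$/, "", name)                 # adb shell output may end in CRLF
            if (name == "ftmboot" || name == "ftmdata") print name
        }
    ' | sort -u
}

assess_listing() {
    # Return 0 and print a verdict if either indicator is present, else return 1.
    found=$(find_ftm_partitions | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "indicator partitions present: $found"
        return 0
    fi
    echo "no ftmboot/ftmdata partitions in listing"
    return 1
}

# Constructed sample listing (not captured from a real device).
SAMPLE_LISTING='lrwxrwxrwx root root 2016-01-01 00:00 boot -> /dev/block/mmcblk0p37
lrwxrwxrwx root root 2016-01-01 00:00 ftmboot -> /dev/block/mmcblk0p30
lrwxrwxrwx root root 2016-01-01 00:00 ftmdata -> /dev/block/mmcblk0p31
lrwxrwxrwx root root 2016-01-01 00:00 userdata -> /dev/block/mmcblk0p48'

# On a live device the listing would come from the by-name directory, whose
# path varies by device (assumed here):
#   adb shell ls -l /dev/block/bootdevice/by-name | assess_listing
printf '%s\n' "$SAMPLE_LISTING" | assess_listing
```

A hit only shows that the partitions named in the article exist; it does not show whether the vendor's bootloader patch has been applied.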