It is very common for Android devices to be assembled by third-party companies rather than by the vendors themselves. One company well known for this is the Taiwanese manufacturer Foxconn, which has business agreements to assemble Android devices for companies associated with Google, Qualcomm, and others. The scope of these agreements is usually assembly only, but for a small number of companies Foxconn also builds low-level firmware. That firmware has recently come onto the radar of security researchers, namely because of the backdoor it contains.
In a blog post by Android researcher Jon Sawyer, the app bootloader backdoor, nicknamed "Pork Explosion," was identified as allowing anyone with physical access to a device to gain root on it over USB. While Sawyer believes many more devices are affected, he was able to definitively confirm that the InFocus M810 and the Nextbit Robin ship with the firmware. The vendors of these devices denied knowledge of the backdoor when confronted with the extensive data.
Sawyer pointed out that "the ability to get a root shell on a password protected or encrypted device... would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data." Can you think of any organizations that might benefit from this? If you are thinking that the answer, my dear, dear friends, is the NSA, CIA, and FBI, you would be absolutely correct. Law enforcement agencies with root access to widely used phones like Android devices can easily circumvent all of the constraints imposed by surveillance laws. Some regard this flaw as just that, a flaw, a mistake. But I wouldn't be surprised if something a bit more sinister was going on. Where there's smoke there's fire, right?
Spying issues aside, Pork Explosion makes it easy for any malicious actor with the device in hand to gain total control of it. The biggest issue here is that there is nothing truly intricate about this backdoor. In an interview for Kaspersky Lab's Threatpost, Sawyer said, "We just saw Quadrooter... it was nothing special, and neither is this. It just happens. Vulnerabilities deserve attention and should be fixed."
While this is true, Sawyer loses me when he states that vulnerabilities like Pork Explosion "don't deserve PR firms pushing them. It just scares the customer." I understand that people should not be brought into a total panic state over backdoors, but it should be pretty damn close to that. Intentional or not, these backdoors allow total invasion of privacy and threaten your safety. In an era where nation-states promise incentives to Silicon Valley to build backdoors that let Big Brother grow, a certain degree of paranoia is absolutely healthy.
I think many in the InfoSec community avoid making supposedly "political" statements like this because they do not want to compromise their employment, nor do they wish to cause friction in the IT community. I think it's time we spoke up a little louder, because issues like this are not going away.
Photo credit: M.M.Minderhoud, Paterm