Is that a vulnerability? I'd pay extra for it.
OnePlus 6 smartphone flash override demoed
The recently released OnePlus 6 smartphone allows the booting of arbitrary images, security researchers at Edge Security have discovered. According to the researchers, the trick is possible using the fastboot boot image.img feature on the BBK Electronics phone – even when the bootloader is completely locked and in secure …
COMMENTS
Wednesday 13th June 2018 06:17 GMT Waseem Alkurdi
> If you need physical access and all it does is change the boot logo, it doesn't sound like a big problem. Certainly I don't see why I should keep seeing the Vodafone logo on my Q10 every time it boots up; my contract ended several years ago.
Suppose it was the boot logo (the boot image, which it isn't, as other commentators and I have explained above).
It would still be a vulnerability.
What if the attacker loads a poisoned bootanimation.zip (which contains one or more images played as a fast slideshow at boot time)?
The poisoned JPEG image files inside the bootanimation.zip could theoretically be used for a buffer overflow or some other attack (like the GDI+ buffer overflow attack years ago on Windows).
So there, even that is considered a vulnerability.
Edit: I don't see why @Dave 126 is getting downvoted. I totally see his point.
Tuesday 12th June 2018 12:17 GMT Dave 126
> Is that a vulnerability? I'd pay extra for it.
It is a vulnerability - it means anyone with physical access to your handset can put whatever they want in it without your knowledge. This is in contrast to a phone that requires the user to unlock it and turn on USB debugging and jump through other hoops before flashing it with a new OS image.
Tuesday 12th June 2018 12:56 GMT Richard 22
fastboot boot is a one-time boot only; it loads the image into RAM and then boots it. It doesn't flash that image to storage. However, you could potentially boot somebody else's phone with such an image, remove the connection from the PC, and they would use it without knowing; it would remain potentially compromised until the next power off.
Tuesday 12th June 2018 16:34 GMT Dave 126
Given the upvotes given to Steve the OP, it would appear there's general misunderstanding here. Perhaps the article should be rewritten for clarity?
It is desirable for many owners to be able to load their choice of OS on their device. I can't see how it is desirable for an owner to be unable to prevent an attacker from loading an OS on their device - which is what this story is about.
Tuesday 12th June 2018 18:00 GMT Dave 126
Seriously, a lot of people here have got the wrong end of the stick.
https://www.xda-developers.com/oneplus-6-bootloader-protection-exploit-physical-access/
In no way can it be described as a 'feature'. The *option* to leave a Yale lock open using that little nubbin is a feature. This is akin to a lock that can't be locked at all - clearly a bug.
Wednesday 13th June 2018 03:48 GMT Anonymous Coward
> Is that a vulnerability? I'd pay extra for it.
> It is a vulnerability - it means anyone with physical access to your handset can put whatever they want in it without your knowledge.
Looks like you don't android. Normally it could be called a vulnerability. But you see, unlocking the bootloader on a OnePlus device uses almost the same procedure with fastboot, literally just with different commands. Both require physical access and also let you boot a boot.img, like a custom recovery, on the device to install a custom ROM.
It's just a small bug. The researchers are just trying to make it look big.
Wednesday 13th June 2018 11:44 GMT Cuddles
"This is in contrast to a phone that requires the user to unlock it and turn on USB debugging and jump through other hoops before flashing it with a new OS image."
Perhaps I'm missing something, but what exactly is the difference? The linked video shows someone using an unlocked phone with full access to everything. They already need to jump through hoops such as going through the Android settings menu to activate developer mode. What exactly does this "vulnerability" allow that couldn't already easily be done given the access required to exploit it? If someone has physical access to your unlocked phone plugged into their PC, exactly how much worse is it possible for things to get?
Tuesday 12th June 2018 11:22 GMT LeoP
So what
You need physical access .... hm, wasn't there something like a "physical access = complete compromise, modulo time interval" rule around? It seems to have fallen out of favour, though.
As for encrypted contents: If you store your key where it is accessible by a random boot image, you might just not bother at all.
Tuesday 12th June 2018 12:22 GMT Dave 126
A phone is more prone to being lost or stolen than a PC - or even just mislaid for half an hour. Of course if you have people's sensitive data on your laptop then you are legally obliged to encrypt it.
The issue here isn't that the OnePlus 6 can load an arbitrary boot image, but that an arbitrary boot image can be installed by someone other than the owner.
Tuesday 12th June 2018 15:48 GMT Dabooka
Next stage lose the PC
I assume (perhaps simplistically) that given time and the desire, this vulnerability could be harnessed into a USB OTG device, negating the need for a PC?
That'd be a big risk around here seeing how many phones are left on desks. Mind they're virtually all iThings anyway, but the point remains the same.
Wednesday 13th June 2018 05:57 GMT _LC_
Nothing but a small glitch.
Compare it to the general problem and make up your own mind:
https://www.wired.com/story/rowhammer-remote-android-attack/
...
Nearly four years have passed since researchers began to experiment with a hacking technique known as "Rowhammer," which breaks practically every security model of a computer by manipulating the physical electric charge in memory chips to corrupt data in unexpected ways. Since that attack exploits the most fundamental properties of computer hardware, no software patch can fully fix it. And now, for the first time, hackers have found a way to use Rowhammer against Android phones over the internet.
...