Security has become a huge problem nowadays, considering all the technology we have at our disposal. The Black Hat conference deals with exactly that: security issues. This year's conference is taking place in Las Vegas, and Dan Rosenberg, who has exposed many security holes in Android over the years, was one of the speakers and yet again had interesting information to share with the world.
Rosenberg came on stage and uncovered an unpublished security exploit which lets anyone who is aware of it unlock the bootloader of certain Android devices. As far as we know, he didn't release the full method or anything of the sort, just a description of what he has done, which you can check out below the article. He successfully unlocked the Moto X's bootloader and held an interesting talk along the way.
He uncovered a security issue with ARM's TrustZone, which Qualcomm is using throughout the system, a system-wide approach if you will. Rosenberg said the following: “This vulnerability exists in all known Android devices that support TrustZone and utilize a Qualcomm Snapdragon SoC”, except for the HTC One (M8) and the Galaxy S5, which have been patched, he said. Note that Rosenberg wrote the report on July 1st, so it's a month old now and other devices might have been patched through various updates.
As you know, many manufacturers use Qualcomm processors in their devices. Rosenberg even mentioned some of these devices in his report, the likes of the Nexus 4 and 5, LG G2, Samsung Galaxy Note 3 and some others. Don't let this get you down though: since he confirmed that some devices have been patched already, others may have been as well, and those that haven't probably will be soon.
Update: Qualcomm has contacted us to let us know that they are aware of the vulnerability and have already fixed it: “Qualcomm Technologies takes the security of its products very seriously and invests to identify and address security vulnerabilities in our software before it’s made available to customers. We’re aware of this issue and have already made available software updates for our impacted customers to address the reported vulnerabilities.”