Bootloaders are one of the most vital parts of a smartphone’s system software, and researchers at the University of California, Santa Barbara, have found holes in bootloader code from multiple major vendors thanks to a tool they created to test them, called BootStomp. The tool found six critical security vulnerabilities across bootloaders from Huawei, Qualcomm, MediaTek, and NVIDIA, and confirmed that a known flaw in Qualcomm’s bootloaders was still present and usable. Five of the six new flaws were confirmed by the responsible chipset vendors, while one was denied.
The vulnerabilities found were mostly memory corruption and privilege escalation bugs; one example is a portion of NVIDIA’s bootloader code that could become user-accessible under the right OS conditions. Essentially, most of the vulnerabilities would either unlock the bootloader, preventing it from enforcing key security policies, or hand control of key processes to the user privilege level. Tests on MediaTek hardware were inconclusive because of the bootloader’s unique structure; an older Qualcomm bootloader was still affected by a known old bug; and the NVIDIA bootloader was found to be vulnerable only to the privilege escalation bug mentioned above. Huawei’s bootloader, as seen in its HiSilicon processors, accounted for a total of five bugs. Qualcomm’s newest bootloader code, pulled from the company’s git repository, had no bugs that BootStomp could find. Vulnerabilities in code that was otherwise working as intended, on the other hand, came to a total of 12 across the 36 potentially dangerous operational paths traced by BootStomp.
Bootloaders are typically hard to test because of their tightly closed and proprietary nature, but BootStomp is built to get around that limitation by following the security chain from the OS level down, just as a real device would. BootStomp looks for any potentially dangerous operational paths that are available, then follows them on its way through the bootloader. Essentially, if BootStomp reaches a point where it could execute arbitrary code through normal, as-intended operations, it has found a vulnerability. If it encounters an operation that deviates from the conventions of the bootloader or does not work as intended, it has found a bug. Because of the way bootloaders work, including core boot enforcement mechanisms like Android’s Verified Boot and ARM’s Trusted Boot, new bugs and vulnerabilities can always emerge. As of this writing, the makers of BootStomp are working with many of the vendors whose bootloaders they tested to help close the security holes found in their initial round of testing.
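To illustrate the memory-corruption class described above, and the kind of path a tool like BootStomp traces (data the OS can write to a partition flowing into a memory write inside the bootloader), here is a constructed C example; it is not BootStomp's or any vendor's code, and the header layout, magic value and buffer size are assumptions:

```c
#include <stdint.h>
#include <string.h>
/* Constructed example (not BootStomp's or any vendor's code): a bootloader
 * parses an image header read from a flash partition that the OS can write,
 * so every header field is attacker-controlled at boot time. */
#define IMG_MAGIC   0x424F4F54u   /* constructed magic value */
#define CMDLINE_MAX 64            /* bootloader's fixed cmdline buffer size */

struct img_hdr {
    uint32_t magic;
    uint32_t cmdline_len;         /* length claimed by the untrusted header */
    uint8_t  cmdline[256];
};

/* Vulnerable form: the storage-controlled length flows unchecked into memcpy,
 * the kind of path a taint analysis flags. Overflows `out` if cmdline_len >= 64. */
static int parse_hdr_vuln(const struct img_hdr *h, char out[CMDLINE_MAX])
{
    if (h->magic != IMG_MAGIC)
        return -1;
    memcpy(out, h->cmdline, h->cmdline_len);
    out[h->cmdline_len] = '\0';
    return 0;
}

/* Hardened form: bound the untrusted length by both the source field and the
 * destination buffer before any write, and fail closed with -2. */
static int parse_hdr_safe(const struct img_hdr *h, char out[CMDLINE_MAX])
{
    if (h->magic != IMG_MAGIC)
        return -1;
    if (h->cmdline_len > sizeof(h->cmdline) || h->cmdline_len >= CMDLINE_MAX)
        return -2;                /* keep room for the terminator */
    memcpy(out, h->cmdline, h->cmdline_len);
    out[h->cmdline_len] = '\0';
    return 0;
}

/* Builds a constructed header (cmdline all 'A') with the given magic and
 * length claim and runs it through the chosen parser, returning its code. */
static int try_parse(int hardened, uint32_t magic, uint32_t claimed_len)
{
    struct img_hdr h;
    char out[CMDLINE_MAX];
    memset(&h, 0, sizeof h);
    h.magic = magic;
    h.cmdline_len = claimed_len;
    memset(h.cmdline, 'A', sizeof h.cmdline);
    return hardened ? parse_hdr_safe(&h, out) : parse_hdr_vuln(&h, out);
}
```

Only call the vulnerable parser with a benign length claim; the hardened one rejects an oversized or wrapped-around length before any byte is written.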