Breaking Secure Bootloaders

Conference:  BlackHat USA 2021

2021-08-05

Summary

The presentation discusses vulnerabilities found in the RealFlow and nxpn series of NFC chips used in smartphones and embedded electronics. The vulnerabilities allow attackers with physical access to gain significant control over the devices. The presentation also details the process of identifying and exploiting the vulnerabilities, as well as the remediation efforts taken by Qualcomm and NXP.

  • RealFlow and nxpn series of NFC chips have vulnerabilities that allow attackers with physical access to gain significant control over devices
  • Identifying and exploiting vulnerabilities involved tracing firmware updates and modifying communication protocols
  • Remediation efforts involved patching vulnerabilities and altering bootloaders
  • Qualcomm and NXP were communicative and helpful throughout the process

The presenter was able to dump the bootloader from the nxpn series of NFC chips by modifying an EEPROM pointer and redeploying the firmware. This vulnerability was disclosed to NXP in June 2020 and was patched in a phased rollout over the course of a year.

Abstract

Bootloaders often use signature verification mechanisms in order to protect a device from executing malicious software. This talk aims to outline actionable weaknesses in modern bootloaders which allow attackers to deploy unsigned code, despite these protection mechanisms.

In the first phase of this talk, we will discuss exploitation of the bootloaders in modern Android smartphones, demonstrating weaknesses which allow for bypassing bootloader unlocking restrictions, decryption of protected user data, and deployment of malicious software to devices using full disk encryption.

In the second phase, we will discuss bootloader weaknesses in the secondary hardware used by smartphones. Using an embedded RF chip as a target, we will demonstrate reverse engineering techniques which identified weaknesses in the signature verification mechanisms of the firmware update protocols used by the bootloader, allowing for deployment of custom firmware to the chip.
