At the Black Hat conference in Las Vegas this week, computer security researcher Dan Rosenberg unveiled a previously unpublished security flaw that could be used to permanently unlock the bootloader on Android(s goog) phones. Demonstrated on a Motorola Moto X on Wednesday, the exploit affects almost any device using a modern Qualcomm(s qcom) Snapdragon chip.
The flaw is in ARM’s TrustZone technology, which basically allows a device to have two separate operating systems or “worlds,” one with privileged access, and one for normal apps and operation. By segregating access to hardware and sensitive information from the main OS, it’s possible to improve device security. But the flaw Rosenberg found is in TrustZone itself, or more specifically, Qualcomm’s implementation.
Qualcomm is aware of the security issue, and according to a spokesperson, has taken actions to patch the vulnerability: “We’re aware of this issue and have already made available software updates for our impacted customers to address the reported vulnerabilities.”
Rosenberg warns that this vulnerability affects all known Android devices with a Qualcomm Snapdragon SoC, including popular phones like the Nexus 5, the HTC One, and Samsung’s Galaxy Note 3, as well as the Moto X. The Samsung Galaxy S5 and the HTC One M8 have already been patched — although the exploit was only recently publicized, it was discovered at the start of July.
There are two ways of looking at this: First, it’s probably not good that a presumably trusted environment would allow anyone to execute arbitrary code — especially if that environment is underpinning a lot of security software, like Samsung Knox. But on the other hand, the unpatched exploit could lead to new devices getting bootloader unlocking methods, which would please people who like to tinker with their phone. Keep in mind, the full details of the exploit haven’t been published and it’s likely that device manufacturers are already working on patches.
The full report can be found here.
This article has been updated with Qualcomm’s statement.