Breaking Secure Bootloaders

Presented at Black Hat USA 2021, Aug. 5, 2021, 10:20 a.m. (40 minutes)

Bootloaders often use signature verification to prevent a device from executing unauthorized software. This talk outlines actionable weaknesses in modern bootloaders that allow attackers to deploy unsigned code despite these protection mechanisms.

In the first phase of this talk, we will discuss exploitation of the bootloaders in modern Android smartphones, demonstrating weaknesses which allow for bypassing bootloader unlocking restrictions, decryption of protected user data, and deployment of malicious software to devices using full disk encryption.

In the second phase, we will discuss bootloader weaknesses in the secondary hardware used by smartphones. Using an embedded RF chip as a target, we will demonstrate reverse engineering techniques which identified weaknesses in the signature verification mechanisms of the firmware update protocols used by the bootloader, allowing for deployment of custom firmware to the chip.
Presenters:

  • Christopher Wade - Security Consultant, Pen Test Partners
    Christopher Wade is a seasoned security researcher and consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities, and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilizes as a part of the hardware testing team at Pen Test Partners.