Arms Race: The Story of (In)-Secure Bootloaders

Presented at ShmooCon X (2014), Jan. 18, 2014, noon (60 minutes)

Secure boot is the process that ensures the critical parts of software (e.g. kernel) running on a device are authorized and have not been tampered with. Many wireless service providers prefer to have a locked down version of their smartphones that can only boot the official kernel, and do not allow loading customized systems developed by users. This results in an arms race between the smartphone vendors and the users that need to load customized kernel.

This talk will present this arms race in terms of 3 rounds of hacks and patches between what we discovered and the patches released from Samsung and how we bypassed the patches again. For each round, we will present the bugs we found in Samsung bootloader, the exploitation to load customized kernel, the patch from Samsung, and how new exploitations bypass the patched bootloader. All the examples are based on different versions of bootloaders from Samsung devices (from Note II to Galaxy S4). We are currently working on extending our exploitations to more mobile devices.

Presenters:

• Kang Li
  Kang Li is currently an Associate Professor of Computer Science at the University of Georgia. He graduated with his Ph.D from Oregon Graduate Institute. Before joined University of Georgia, he was a research scientist at Georgia Tech. His research interests are in the areas of computer security and operating systems.
• Lee Harrison
  Lee is a computer security researcher and member of the CTF team disekt. His research interests include reverse engineering and mobile security. He currently resides in the state of Georgia.

Similar Presentations:

• DerbyCon 6.0 Recharge (2016) / Samsung Pay: Tokenized Numbers, Flaws and Issues
• Black Hat Asia 2015 / Resurrecting the READ_LOGS Permission on Samsung Devices
• Black Hat USA 2020 Virtual / Breaking Samsung's Root of Trust: Exploiting Samsung S10 Secure Boot