Multiple Vulnerabilities Found in Mobile Bootloaders

A team of security researchers from the University of California, Santa Barbara has discovered a series of code execution and denial of service vulnerabilities in the bootloaders of popular mobile platforms.

Using a purpose-built tool called BootStomp, the researchers found six previously unknown vulnerabilities, five of which have already been confirmed by their respective vendors. They also rediscovered a previously reported security flaw.

In a research paper (PDF) presented at the USENIX conference in Vancouver, Canada, the specialists explain that these issues affect the Trusted Boot or Verified Boot mechanisms that vendors implement to establish a Chain of Trust (CoT), in which each component the system loads during start-up is validated before it is allowed to execute.

While this process should be immune even to attackers gaining full control over the operating system, the researchers discovered that the bootloaders take untrusted input from an attacker and that many of their verification steps can be disabled.

“Some of [the found] vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks. Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT,” the security researchers say.

Because bootloaders are usually closed source, performing analysis on them is difficult, especially when dynamic analysis outside of the target platform is involved. Thus, the researchers have created their own analysis tool, BootStomp, which “uses a novel combination of static analysis techniques and under-constrained symbolic execution to build a multi-tag taint analysis capable of identifying bootloader vulnerabilities.”

The researchers analyzed bootloader implementations in platforms such as Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Sony Xperia XA (MediaTek chipset), Nexus 9 (NVIDIA Tegra chipset), and two versions of the LK-based bootloader (Qualcomm).

The researchers discovered five critical vulnerabilities in the Huawei Android bootloader: an arbitrary memory write or denial of service when parsing Linux Kernel’s device tree (DTB) stored in the boot partition, a heap buffer overflow when reading the root-writable oem_info partition, a root user’s ability to write to the nve and oem_info partitions, a memory corruption that could lead to the installation of a persistent rootkit, and an arbitrary memory write vulnerability that allows an attacker to run arbitrary code as the bootloader itself.
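The DTB issue above comes down to a bootloader trusting offsets and lengths that it read from an attacker-writable partition. As an added illustration, not code from the paper, BootStomp or any vendor's bootloader, the function below validates a flattened device tree header against the number of bytes actually read from flash before any field is used to index memory; the 64-byte sample blob and the tamper cases are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FDT_MAGIC 0xd00dfeedU
#define FDT_HDR_LEN 40u   /* ten big-endian u32 fields (v17 header) */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Every offset/length in the header must lie inside the bytes that were
   really read from the boot partition; buf_len is that count, not the
   blob's own totalsize field, which is attacker-controlled. */
bool dtb_header_ok(const uint8_t *buf, size_t buf_len) {
    if (buf == NULL || buf_len < FDT_HDR_LEN) return false;
    uint32_t total = be32(buf + 4), off_struct = be32(buf + 8),
             off_strings = be32(buf + 12), off_rsv = be32(buf + 16),
             size_strings = be32(buf + 32), size_struct = be32(buf + 36);
    if (be32(buf) != FDT_MAGIC) return false;
    if (total < FDT_HDR_LEN || total > buf_len) return false;
    /* Subtract before comparing so the arithmetic itself cannot wrap. */
    if (off_rsv < FDT_HDR_LEN || off_rsv % 8 || off_rsv > total - 16) return false;
    if (off_struct < FDT_HDR_LEN || off_struct % 4 || off_struct > total ||
        size_struct > total - off_struct) return false;
    if (off_strings < FDT_HDR_LEN || off_strings > total ||
        size_strings > total - off_strings) return false;
    return true;
}

/* Constructed sample: header, empty reservation map at 40, an 8-byte struct
   block at 56 holding only FDT_END, no strings. tamper selects a bad case. */
bool check_sample(int tamper) {
    uint8_t blob[64];
    size_t n = sizeof blob;
    memset(blob, 0, n);
    put32(blob, FDT_MAGIC);  put32(blob + 4, 64);    /* magic, totalsize */
    put32(blob + 8, 56);     put32(blob + 12, 64);   /* off_dt_struct, off_dt_strings */
    put32(blob + 16, 40);    put32(blob + 36, 8);    /* off_mem_rsvmap, size_dt_struct */
    put32(blob + 56, 9);                             /* FDT_END token */
    if (tamper == 1) put32(blob + 4, 0xffffffffu);   /* totalsize beyond the read */
    if (tamper == 2) put32(blob + 8, 0xfffffff0u);   /* struct offset off the blob */
    if (tamper == 3) put32(blob + 36, 0xffffff00u);  /* struct size would wrap */
    if (tamper == 4) n = FDT_HDR_LEN - 1;            /* short read from flash */
    return dtb_header_ok(blob, n);
}
```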

BootStomp also found a vulnerability in NVIDIA’s hboot, which runs at EL1 and therefore holds the same hardware privilege level as the Linux kernel; its compromise could give an attacker persistence. The tool also rediscovered CVE-2014-9798, an already patched vulnerability in Qualcomm’s aboot that could be exploited for denial of service.

Because the discovered issues rely on an attacker’s ability to write to a partition on the non-volatile memory, which the bootloader must also read, the researchers propose a series of mitigations that include the use of hardware features present in most modern devices to remove this ability.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
