Firmware Vulnerabilities Found in More Than 25 Android Phone Models Across Multiple Brands

Researchers from Kryptowire, a US mobile and IoT security company, disclosed 47 vulnerabilities in the firmware and pre-installed (factory-loaded) applications of more than 25 Android models from multiple vendors, including Oppo, Vivo, ZTE, LG and Nokia, at DEF CON in Las Vegas. The severity ranges from making the device malfunction all the way up to obtaining root on the device.


Several of the high-severity findings let an attacker read or send SMS from the victim's phone, capture screenshots or video recordings of the screen, obtain the contact list, silently install third-party apps without the victim noticing, and even wipe data from the device. The vulnerabilities sit in the firmware and in apps that ship pre-installed. The problem is that some of these apps cannot be uninstalled, and removing the firmware components in core drivers is not an option either, because it would break the device's functionality. Note the attack-requirements column in the table below: apart from the two root escalations (Leagoo P1 and Alcatel A30), which need physical access to the device and ADB, every issue is exploitable by a local app already installed on the device, and in most cases that app needs no permissions at all. The recurring root cause is a pre-installed, often system-privileged app that exposes an interface to any other app without a permission gate.

The phone makers Kryptowire names as affected are ZTE, Sony, Nokia, LG, ASUS, Alcatel, Vivo, SKY, Plum, Orbic, Oppo, MXQ, Leagoo, Essential, Doogee and Coolpad. Kryptowire's CEO also used the occasion to announce a new enterprise platform for automatically testing the firmware and applications on Android devices, commenting: "There are countless phones and therefore thousands of firmware versions, so manual testing or simple assumptions can no longer find enough of the vulnerabilities in firmware and applications." Readers can see the vulnerabilities per model in the table below (credit: BleepingComputer.com).

| OEM | Model | OS Version | Description | Attack Requirements | Build Fingerprint |
|---|---|---|---|---|---|
| ZTE | ZMAX Pro | 6.0.1 | Send text messages | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | ZMAX Pro | 6.0.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to cause the device to get stuck in an unfixable recovery bootloop. | Local app on the device without any permissions | ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys |
| ZTE | ZMAX Pro | 6.0.1 | Obtain the numbers of contacts and the numbers of people that the user has texted | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | Blade Spark | 7.1.1 | Obtain the logcat log, which gets written to the sdcard. This can be mined for user data. This does leave a sticky notification. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | ZTE/Z971/peony:7.1.1/NMF26V/20171129.143111:user/release-keys |
| ZTE | Blade Vantage | 7.1.1 | A pre-installed app allows any app on the device to make the system write the modem log to the sdcard. This contains the sent and received text messages and the call data. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | ZTE/Z839/sweet:7.1.1/NMF26V/20180120.095344:user/release-keys |
| Vivo | V7 | 7.1.2 | Record the screen and write it to the app's private directory. A notification and a floating icon pop up initially, but these can be quickly removed. | Local app on the device that does not require any permissions | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Obtain the kernel log and also the logcat log, which get written to the sdcard. This can be mined for user data. This does leave a sticky notification. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Provides the capability to set system properties as the com.android.phone user. With this and the vulnerability above, you can capture the input of the user (where they touch the screen) and the Bluetooth snoop log. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Sony | Xperia L1 | 7.0 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | Sony/G3313/G3313:7.0/43.0.A.6.49/2867558199:user/release-keys |
| SKY | Elite 6.0L+ | 6.0 | Command execution as the system user via an old version of the Adups software | Local app on the device that does not require any permissions | SKY/x6069_trx_l601_sky/x6069_trx_l601_sky:6.0/MRA58K/1482897127:user/release-keys |
| Plum | Compass | 6.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | PLUM/c179_hwf_221/c179_hwf_221:6.0/MRA58K/W16.51.5-22:user/release-keys |
| Orbic | Wonder | 7.1 | Paired with the logcat vulnerability on the same device, the user can get the body of text messages and call data, since the default messaging app is in debug mode, so the telephony data is written to the log. The log is written to the sdcard, so any app can use that vulnerability to get this data. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows the user to obtain the logcat log, which gets written to the sdcard continuously. The logcat log is not available to third-party apps since it contains sensitive user data. The user can start the app so that it will not show up in the recent apps list and then dismiss it by going to the home screen, so it will not be accessible to the user. It will continuously write the log file to the sdcard. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Oppo | F5 | 7.1.1 | Surreptitiously audio-record the user and write the recording to the sdcard. This does require the command execution as the system user (next row) to copy the recording file. | Local app on the device without any permissions | OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys |
| Oppo | F5 | 7.1.1 | Command execution as the system user | Local app on the device without any permissions | OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys |
| Nokia | 6 TA-1025 | 7.1.1 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | Nokia/TA-1025_00WW/PLE:7.1.1/NMF26F/00WW_3_32F:user/release-keys |
| MXQ | TV Box | 4.4.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys |
| MXQ | TV Box | 4.4.2 | Make the device non-functional. The device will not boot properly even after a factory reset. The device can likely be recovered by placing clean firmware images on the sdcard and flashing them. | Local app on the device that does not require any permissions | MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys |
| LG | G6 | 7.0 | Can lock a user out of their own phone (even in safe mode), and the user will be forced to factory reset in recovery mode. The user may be able to unlock the device if they had ADB enabled prior to the locking of the screen and can figure out how to unlock it, which may be difficult for the average user. This acts as a denial-of-service attack and results in data loss if a factory reset occurs. | Local app on the device that does not require any permissions | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the logcat logs continuously, which are not available to third-party apps since they leak sensitive user data. The log file can be written to the app's private directory by using path traversal. | Local app on the device and the INTERNET permission to send out the data | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the kernel log and also the logcat log, which get written to the sdcard. This can be mined for user data. It also creates a file on the sdcard containing the phone's IMEI and serial number. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| Leagoo | Z5C | 6.0 | Read the last text message from each conversation. The last message will contain the phone number, text body, timestamp, and the contact's name (if any). | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Leagoo | P1 | 7.0 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | P1 | 7.0 | Local root privilege escalation via ADB. The vendor allows read-only properties to be modified; an attacker can do the same to get root privileges. | Physical access to the device | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | P1 | 7.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | Z5C | 6.0 | Send text messages | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Leagoo | Z5C | 6.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Essential | Essential | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | essential/mata/mata:7.1.1/NMJ88C/464:user/release-keys & essential/mata/mata:8.1.0/OPM1.180104.166/297:user/release-keys |
| Doogee | X5 | 6.0 | Video-record the screen. This capability can be used in a similar way as taking screenshots, by opening apps that show the user's messages. The recording is not transparent to the user. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the INTERNET permission to send out the data | DOOGEE/full_hct6580_weg_c_m/hct6580_weg_c_m:6.0/MRA58K/1479906828:user/test-keys |
| Coolpad | Revvl Plus | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Canvas | 7.0 | Provides the capability to set system properties as the com.android.phone user. | Local app on the device without any permissions | Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys |
| Coolpad | Defiant | 7.1.1 | Send text messages | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | Provides the capability to set system properties as the com.android.phone user. | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | Send text messages | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Canvas | 7.0 | Obtain the logcat logs, kernel logs, and tcpdump capture, which are written to the sdcard. This leaves a notification active. The logs contain the body of sent and received text messages. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys |
| Coolpad | Defiant | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Coolpad | Defiant | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | A pre-installed app with an exposed interface allows any app on the phone to obtain a bugreport (kernel log, logcat log, dump of system services (including the text of active notifications), WiFi passwords, and other system data), which gets written to the sdcard. The numbers for received and placed telephone calls show up in the log, as well as the sending and receiving telephone numbers for text messages. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Arbitrary app installation over the internet. The app can also be uninstalled after it is run, using the same interface. | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max & ZenFone V Live | 7.0 | Command execution as the system user | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys & asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1709.56-20171017:user/release-keys |
| Alcatel | A30 | 7.0 | Take a screenshot of the screen, which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard; the EXPAND_STATUS_BAR permission is needed to expand the status bar | TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys |
| Alcatel | A30 | 7.0 | Local root privilege escalation via ADB. The vendor allows read-only properties to be modified; an attacker can do the same to get root privileges. This was an Amazon Prime exclusive device. | The user needs physical access to the device and needs to bypass the screen lock if it exists | |
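Two things in the table are worth automating when you review a vendor build yourself. First, the build fingerprint already tells you something: the MXQ and Doogee rows carry the tag `test-keys`, meaning the build is signed with the public AOSP test keys, so anyone can sign an APK with the platform key and obtain signature-level permissions. Second, most rows describe a pre-installed app whose component is exported to every other app without a permission gate, which is a static check against the app's manifest. The Python below is an added example written for this page, not Kryptowire's tooling and not code from the article: it parses fingerprints in the exact layout quoted in the table and audits a decoded AndroidManifest.xml for exported, unprotected components. The manifest, its package name `com.example.vendor.tools` and its component names are constructed for illustration; the fingerprints are the ones in the table.

```python
"""Added example: fingerprint triage and exported-component audit for pre-installed Android apps."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def parse_fingerprint(fp: str) -> dict:
    """Split brand/product/device:release/id/incremental:type/tags into fields.

    Some vendors emit only the device name in the first segment (the Leagoo
    Z5C rows above), so that segment is read from the right.
    """
    segments = fp.split(":")
    if len(segments) != 3:
        raise ValueError(f"unexpected fingerprint layout: {fp!r}")
    left, middle, right = segments
    names = left.split("/")
    build = middle.split("/", 2)
    build_type, _, tags = right.partition("/")
    if len(build) != 3 or not tags:
        raise ValueError(f"unexpected fingerprint layout: {fp!r}")
    return {
        "brand": names[0] if len(names) == 3 else None,
        "product": names[1] if len(names) == 3 else None,
        "device": names[-1],
        "release": build[0],
        "build_id": build[1],
        "incremental": build[2],
        "type": build_type,
        "tags": tags,
    }


def fingerprint_findings(fp: str) -> list:
    """Weaknesses visible from the fingerprint alone."""
    f = parse_fingerprint(fp)
    findings = []
    if f["tags"] == "test-keys":
        # AOSP's test keys are public: anyone can sign an APK with the platform
        # key and receive signature-level permissions on such a build.
        findings.append("signed with public AOSP test keys")
    if f["type"] != "user":
        findings.append(f"non-production build type {f['type']!r}")
    return findings


def _is_exported(comp, target_sdk: int) -> bool:
    """Android's export rules: an explicit android:exported wins; otherwise an
    intent-filter exports activities/services/receivers, and a provider is
    exported by default only when targetSdkVersion < 17."""
    explicit = comp.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if comp.tag == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None


def exposed_components(manifest_xml: str) -> list:
    """Return (tag, name) for every exported component with no permission gate."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(uses_sdk.get(ANDROID + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    exposed = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not _is_exported(comp, target_sdk):
            continue
        gated = any(comp.get(ANDROID + attr)
                    for attr in ("permission", "readPermission", "writePermission"))
        if not gated:
            exposed.append((comp.tag, comp.get(ANDROID + "name")))
    return exposed


# Constructed manifest modelled on the factory-reset rows: a system-uid app whose
# receiver is exported by an intent-filter and has no permission attribute.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.tools" android:sharedUserId="android.uid.system">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="25"/>
  <application android:label="VendorTools">
    <receiver android:name=".FactoryResetReceiver">
      <intent-filter><action android:name="com.example.vendor.action.MASTER_CLEAR"/></intent-filter>
    </receiver>
    <service android:name=".LogDumpService" android:exported="true"
             android:permission="com.example.vendor.permission.DUMP"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <provider android:name=".SmsMirrorProvider" android:authorities="com.example.vendor.sms"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for fp in ("MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys",
               "lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys"):
        print(fp, "->", fingerprint_findings(fp) or "no fingerprint-level findings")
    print("exposed:", exposed_components(SAMPLE_MANIFEST))
```

On a real device the fingerprint comes from `adb shell getprop ro.build.fingerprint`; system packages are listed with `adb shell pm list packages -s`, their APK located with `adb shell pm path <package>` and pulled with `adb pull`, and the binary manifest decoded to XML with apktool before it is fed to `exposed_components`. Only the sample receiver is reported, because the service is gated by a signature permission, the activity is explicitly not exported, and the provider targets API 25 and is therefore not exported by default; on the affected builds the equivalent receiver is exactly what lets a zero-permission app trigger a wipe.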

About nattakon

Holds bachelor's and master's degrees in Computer Engineering from KMITL. Previously worked as an Engineer/Presales looking after Network Security and Public Cloud products in Thailand. Currently a full-time writer at TechTalkThai.
