
Security & Privacy implications of used devices?

Added by Sean Pohl about 6 years ago

My question is if purchasing a used device could have potential security & privacy implications? I have never installed a different ROM before but I have used Fedora for years and that is the basis for my question. For example, when I have purchased a used laptop off Craigslist, I would always reinstall the BIOS before putting a fresh copy of Fedora onto the laptop. Although the chance of a BIOS virus is rare, better safe than sorry.

When I was looking at a few on-line tutorials about heimdall it looks like there are a number of files that can be used in flashing a new ROM to a device; some articles talked about some of the other fields like:

- Primary Bootloader
- Secondary Bootloader

Are these bootloader files analogous to a GRUB or LILO that I would use on my Fedora Linux boxes? Or are they the same or different than the role of the hardware BIOS on a traditional x86 motherboard? Are there other files that fulfill other similar functions?

It seems like the bootloader files are exclusive for the specific device that they are on. So I am betting that installing the wrong primary or secondary bootloader onto a device could well brick it. Kind of like installing the wrong BIOS update on an x86 motherboard would likely turn it into a piece of toast as well.

Much like BIOS viruses are unique to the motherboard they target and are rare, they unfortunately still exist.

My question is if it is possible to buy a used device that is infected and not have a way to "re-install the BIOS", for lack of better wording. If that were the case, then potentially any MOD that I were to put on to the device would still lend it to being compromised in a similar way to a rootkit virus?

I am a complete noob so I apologize if these problems don't exist in the mobile space or are already solved. My only frame of reference is the traditional x86 experience.

Thanks everybody!


Replies (5)

RE: Security & Privacy implications of used devices? - Added by Paul Kocialkowski about 6 years ago

The primary and secondary bootloaders are closer to the BIOS. The early stages set up the hardware, they chainload each other (the primary bootloader chainloads the secondary, etc.) and in the end, the last bootloader loads the kernel with a given cmdline from a specific location. This last part is more like what GRUB does.

I am betting that installing the wrong primary or secondary bootloader onto a device could well brick it.

It's actually even worse: the bootloaders are signed, so not only do they have to be device-specific and work correctly, but they also need to be signed with a particular key from the manufacturer. Sometimes, we even have the source code for the bootloader but cannot rebuild it and install it on the device because we cannot sign it. Any attempt to install such a build would brick a device (and we know that for sure since we tried). There are sometimes ways to recover (after modifying one byte in a string on the bootloader image, the device was bricked and GNUtoo had to unsolder some resistors to make it boot from UART, where he sent a signed bootloader to make it boot).

My question is if it is possible to buy used device that is infected and not have a way to "re-install the BIOS" for lack of better wording. If that were the case then potentially any MOD that I were to put on to the device would still lend it to being compromised in a similar way to a rootkit virus?

Frankly, I don't think there are viruses for bootloaders on Android devices, because mostly, the userspace doesn't have the rights to flash the bootloader partition. It could happen when installing a community ROM that would ship with its own bootloader though (but a community ROM shipping with a bootloader is very suspicious). But in any case, bootloaders are non-free, so they should be considered compromised and just as bad as viruses. If you seek security, these devices are far from perfect.

I am a complete noob so I apologize if these problems don't exist in the mobile space or are already solved. My only frame of reference is the traditional x86 experience.

Your questions are relevant, it doesn't feel like you are asking anything obvious.
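The chained, signed boot sequence Paul describes (iROM in the SoC, then PBL, SBL, kernel, each stage only running what the previous stage has verified) can be seen in a small simulation. This is an added illustration, not Replicant code or any vendor's implementation: the stage names and images are constructed, and a keyed HMAC-SHA256 stands in for the manufacturer's asymmetric signature, with the verification key playing the role of the key burnt into the read-only iROM. It shows the two failure modes from the reply: a single byte changed in a signed image, and an image rebuilt from source but signed with a key the device does not trust.

```python
"""Simulation of a verified boot chain: iROM -> PBL -> SBL -> kernel.

Added example, not Replicant's or a manufacturer's code. HMAC-SHA256 with a
constructed key stands in for the manufacturer's signature scheme.
"""
import hashlib
import hmac

# Constructed key. On a real SoC the verification key (or its hash) is burnt
# into the iROM and cannot be changed; here the same bytes serve as both the
# signing and the verification key because HMAC is symmetric.
MANUFACTURER_KEY = b"constructed-manufacturer-signing-key"
IROM_VERIFICATION_KEY = MANUFACTURER_KEY


def sign_stage(image: bytes, key: bytes = MANUFACTURER_KEY) -> bytes:
    """Signature over a stage image, as the manufacturer would produce it."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_stage(image: bytes, signature: bytes, key: bytes) -> bool:
    """Constant-time check of a stage's signature against the ROM key."""
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def attempt_boot(stages, key: bytes = IROM_VERIFICATION_KEY):
    """Walk the chain; each stage is run only if the previous one verified it.

    stages: ordered list of (name, image, signature).
    Returns (True, [names executed]) or (False, "reason") at the first stage
    that fails verification, which is the point where a real device stalls.
    """
    booted = ["iROM"]
    for name, image, signature in stages:
        if not verify_stage(image, signature, key):
            return False, f"{name} rejected by {booted[-1]}: signature check failed"
        booted.append(name)
    return True, booted


def build_chain():
    """Constructed images for the three stages after the iROM, all signed."""
    images = [
        ("PBL", b"PBL: init DRAM and clocks, load SBL"),
        ("SBL", b"SBL: init storage, load kernel from boot partition"),
        ("kernel", b"kernel cmdline=console=ttySAC2"),
    ]
    return [(name, img, sign_stage(img)) for name, img in images]


def tamper_one_byte(stages, index: int):
    """Flip one bit of one stage's image while keeping its original signature."""
    name, image, signature = stages[index]
    tampered = bytearray(image)
    tampered[0] ^= 0x01
    modified = list(stages)
    modified[index] = (name, bytes(tampered), signature)
    return modified


def rebuild_with_other_key(stages, index: int, other_key: bytes):
    """Rebuild a stage from source (same bytes) but sign it with a key the
    iROM does not trust, as a community rebuild would have to."""
    name, image, _ = stages[index]
    modified = list(stages)
    modified[index] = (name, image, sign_stage(image, other_key))
    return modified


if __name__ == "__main__":
    print(attempt_boot(build_chain()))
    print(attempt_boot(tamper_one_byte(build_chain(), 1)))
    print(attempt_boot(rebuild_with_other_key(build_chain(), 0, b"constructed-community-key")))
```

The rebuilt-from-source case fails at the very first stage even though the image bytes are identical to a working build, which is the situation the reply describes: having the code is not enough when the device will only execute what the manufacturer's key has signed.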

RE: Security & Privacy implications of used devices? - Added by Sean Pohl about 6 years ago

Thank you Paul. I have looked all over and only found systemic information about the Android boot process that referenced an Initial Program Loader (IPL) that handed over control to a Secondary Program Loader (SPL). Just curious, are those the canonical names of the Primary and Secondary bootloaders that I saw originally in the heimdall tutorial I found on-line?

Just wanted to say thanks again. I looked all over and only found info on the boot process, but never anyone who addressed the security & privacy issues with the bootloaders.

Thanks.

RE: Security & Privacy implications of used devices? - Added by Paul Kocialkowski about 6 years ago

I have looked all over and only found systemic information about the Android boot process that referenced an Initial Program Loader (IPL) that handed over control to a Secondary Program Loader (SPL). Just curious, are those the canonical names of the Primary and Secondary bootloaders that I saw originally in the heimdall tutorial I found on-line?

The bootloaders are very device specific. On some platforms, there is only one bootloader that is in charge of doing all the work, and sometimes, there are 3 different bootloaders (and maybe more). What they are called changes from one platform to another. On the Samsung exynos platform, they are usually called PBL and SBL for Primary (or Primitive sometimes) BootLoader and Secondary BootLoader. Also the very first piece of software that is executed (a read-only binary that is burnt in the SoC) is called the iROM (on exynos) or the bootrom (on omap), etc. So names change, but what they do is essentially the same thing.

RE: Security & Privacy implications of used devices? - Added by Sean Pohl about 6 years ago

Thank you and thanks for the detail. I appreciate it.

RE: Security & Privacy implications of used devices? - Added by Daniel Kulesz about 6 years ago

Sean's concern is in fact valid and I also thought about similar things in the past. When considering security, the first question here is: what is the threat? In your scenario, I think you can consider two possible threats:

1.) The manufacturer of the phone or some software vendor in between the production chain has put a compromised bootloader on your device.
2.) The previous owner of the device (or some software he installed unintentionally) has compromised the bootloader, the firmware or other parts of the device.

Obviously, the most expensive way to exclude the second threat is not to buy used phones. But as Paul has explained, it seems to be very hard to put anything else than the manufacturer's bootloader on the phone, so as long as you reflash all the other parts your phone should be software-wise pretty certainly in the state as if you bought it as a new device.

Now there is another concern with used, non-nexus devices: The ROMs contain many blobs (which don't need to be signed), but the vendors usually don't distribute them for reinstalling (the nexus devices are an exception here). So in case you want to use the blobs (i.e. use GPS or Wifi on certain Replicant-supported models) you would need to find a trustworthy source for obtaining these blobs. Of course, the blobs are also contained in other aftermarket firmware distributions like CyanogenMod, but I don't have the impression that they put effort into assuring that these blobs are not compromised. The blobs are basically extracted and published by individual ROM developers. This approach is questionable from the legal perspective as well, since phone manufacturers usually prohibit publishing the proprietary software they shipped within the devices. That's probably the reason why other projects like i.e. FirefoxOS don't publish pre-built ROM images, since they would be either partly functional (like Replicant) or legally questionable (like CyanogenMod).
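One concrete way to act on the "trustworthy source" point above is to record hashes of the blobs from a copy you trust (for instance, ones you extracted yourself from the stock firmware for the same model) and check any later extraction against that manifest before installing it. The following is an added example and not Replicant's tooling; the file names, contents and the whole scenario are constructed for the demonstration, and the check is plain SHA-256 comparison, which detects modification but says nothing about whether the trusted copy itself was clean.

```python
"""Verify extracted proprietary blobs against a trusted hash manifest.

Added example, not Replicant tooling. Paths and file contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware blobs don't load whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_blobs(blob_dir: Path, manifest: dict) -> dict:
    """Compare every file under blob_dir with manifest {relative_path: sha256}.

    Files are classified as ok, mismatch, missing (listed in the manifest but
    absent on disk) or unexpected (present on disk but not in the manifest).
    Anything other than an empty mismatch/missing/unexpected list means the
    extraction should not be trusted as-is.
    """
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    on_disk = {
        p.relative_to(blob_dir).as_posix(): p
        for p in blob_dir.rglob("*")
        if p.is_file()
    }
    for rel, expected in sorted(manifest.items()):
        path = on_disk.pop(rel, None)
        if path is None:
            report["missing"].append(rel)
        elif sha256_file(path) == expected:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    report["unexpected"].extend(sorted(on_disk))
    return report


def run_demo() -> dict:
    """Constructed scenario: a manifest built from a trusted tree, then an
    extraction where one blob was altered, one is absent and one extra appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "trusted"
        extracted = Path(tmp) / "extracted"
        for root in (trusted, extracted):
            (root / "vendor" / "firmware").mkdir(parents=True)
            (root / "vendor" / "lib").mkdir(parents=True)

        # Constructed blob contents standing in for real vendor files.
        files = {
            "vendor/firmware/gps.bin": b"constructed gps firmware",
            "vendor/firmware/modem.bin": b"constructed modem firmware",
            "vendor/lib/libwifi.so": b"constructed wifi library",
        }
        for rel, data in files.items():
            (trusted / rel).write_bytes(data)
        manifest = {rel: sha256_file(trusted / rel) for rel in files}

        # The extraction under test: gps.bin intact, libwifi.so modified,
        # modem.bin missing, and an extra library that nobody vouched for.
        (extracted / "vendor/firmware/gps.bin").write_bytes(files["vendor/firmware/gps.bin"])
        (extracted / "vendor/lib/libwifi.so").write_bytes(b"constructed wifi library, modified")
        (extracted / "vendor/lib/libextra.so").write_bytes(b"not in the manifest")
        return verify_blobs(extracted, manifest)


if __name__ == "__main__":
    for category, entries in run_demo().items():
        print(f"{category}: {entries}")
```

In practice the manifest would be written out once from the trusted copy (for example as JSON) and kept apart from the device, so that a later extraction from an aftermarket ROM or a used phone can be checked against it before any of its blobs are reinstalled.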
