According to researchers from the University of California at Santa Barbara, a total of six vulnerabilities were discovered in mobile bootloaders -- five of which were zero-days now confirmed by vendors -- which could be used to compromise a mobile device's bootloader system, execute arbitrary code, brick a device, or perform denial-of-service (DoS) attacks.
The bugs were found through the BOOTSTOMP tool, developed by the team, which used static analysis and dynamic symbolic execution to locate problem areas in mobile device firmware.
The tool discovered two bootloader vulnerabilities that could be used by attackers with root privileges to unlock devices and break the Chain of Trust (CoT) during boot-up. The CoT is the sequence of checks in which each boot stage validates the next component before handing execution to it, all the way up to the operating system.
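To make the chain-of-trust idea concrete, here is a simplified hash-chained boot verifier. It is an added illustration, not code from the BootStomp paper or from any vendor's bootloader: the stage images, the "ROM" digest and the tampering are all constructed in the example. Each stage image carries a header naming the SHA-256 digest of the stage that follows it; the digest of the first stage is the one value held in (simulated) read-only ROM, and a stage is executed only if its digest matches what the previous, already-verified stage declared.

```python
"""Hash-chained boot verification (added example; not vendor or BootStomp code).

Each stage image = header (payload length, SHA-256 of the NEXT stage) + payload.
The digest of the first stage is pinned in simulated read-only ROM, so trust flows
ROM -> stage 1 -> stage 2 -> ... -> kernel. A single flipped byte anywhere breaks
the chain at that stage, which is exactly what a verified boot must refuse to run.
"""
import hashlib
import hmac
import struct

DIGEST_LEN = 32
HEADER_FMT = f">I{DIGEST_LEN}s"        # big-endian payload length + successor digest
HEADER_LEN = struct.calcsize(HEADER_FMT)
ZERO_DIGEST = b"\x00" * DIGEST_LEN     # the terminal stage declares no successor


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_image(payload: bytes, next_digest: bytes = ZERO_DIGEST) -> bytes:
    """Pack one stage: header naming the digest of the next stage, then the payload."""
    return struct.pack(HEADER_FMT, len(payload), next_digest) + payload


def build_chain(payloads):
    """Build stage images last-to-first so every header can embed its successor's digest.

    Returns (root_digest, images in boot order); root_digest is what ROM would pin.
    """
    images = []
    next_digest = ZERO_DIGEST
    for payload in reversed(payloads):
        image = build_image(payload, next_digest)
        images.insert(0, image)
        next_digest = sha256(image)
    return next_digest, images


def parse_image(image: bytes):
    """Split an image into (payload, declared digest of the next stage)."""
    if len(image) < HEADER_LEN:
        raise ValueError("image shorter than header")
    length, next_digest = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    payload = image[HEADER_LEN:]
    if len(payload) != length:
        raise ValueError("payload length mismatch")
    return payload, next_digest


def verify_boot(rom_digest: bytes, images):
    """Walk the chain from the ROM-pinned digest.

    Returns (ok, index): index is the first stage that failed verification, or
    len(images) when every stage passed. A chain whose last stage still declares a
    successor is also rejected, so a truncated set of images does not boot.
    """
    expected = rom_digest
    for idx, image in enumerate(images):
        # constant-time compare: the verifier should not leak how close a forgery got
        if not hmac.compare_digest(sha256(image), expected):
            return False, idx
        _, expected = parse_image(image)       # only a verified stage may name the next one
    if expected != ZERO_DIGEST:
        return False, len(images)
    return True, len(images)


def demo():
    """Constructed three-stage boot: intact chain passes, one flipped kernel byte fails at stage 2."""
    rom_digest, images = build_chain([b"bootloader-stage1", b"bootloader-stage2", b"kernel"])
    good = verify_boot(rom_digest, images)
    tampered = list(images)
    last = tampered[2]
    tampered[2] = last[:-1] + bytes([last[-1] ^ 0x01])   # flip the low bit of the final byte
    bad = verify_boot(rom_digest, tampered)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The property this buys depends entirely on the anchor: the root digest must sit in storage the running OS cannot write, and the verifier itself must not be modifiable from userland. The article's point about root-level attackers unlocking devices is precisely a failure of that assumption, where a state flag or a stage the OS can reach is allowed to switch the checks off, so the chain is no longer rooted in something immutable.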
The researchers' report (.PDF) says the vulnerabilities were present in, and tied to, the chipsets and bootloader firmware used by popular vendors in their mobile devices.
Qualcomm chipsets are used in roughly 60 percent of today's mobile devices including the Google Pixel, HiSilicon Kirin-based technology is used in Huawei smartphones and tablets, MediaTek chipsets are found in devices including Sony ranges, and Nvidia chips can be found in the firm's own Tegra-based devices.
In particular, five different bootloaders were examined in devices from three different chipset families: Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Sony Xperia XA (MediaTek chipset), and Nexus 9 (NVIDIA Tegra chipset). Two versions of Qualcomm's LK-based bootloader were also investigated.
These chipsets contained six exploitable flaws discovered through BOOTSTOMP. A seventh issue, CVE-2014-9798, was already known and linked to an old version of the LK bootloader.
The researchers singled out Huawei in particular, as a bug discovered was deemed "quite severe [...] due to the architecture of the Huawei bootloader."
"This vulnerability would not only allow one to break the chain of trust, but it would also constitute a means to establish persistence within the device that is not easily detectable by the user, or available to any other kind of attack," the report says.
While the ability to unlock a bootloader can be a valuable asset in security, it should only be done with consent and by the right people -- and bootloaders certainly should not contain bugs that allow attackers to do so in their stead.
"Of course, this is a very security-sensitive functionality; an attacker could unlock the bootloader and then modify the relevant partitions as a way of implementing a persistent rootkit," the report says.