Security vulnerabilities have been found in chipsets used by Huawei, Qualcomm, MediaTek, and Nvidia mobile devices.
According to researchers from the University of California at Santa Barbara, a total of six vulnerabilities were discovered in mobile bootloaders -- five of which were zero-days now confirmed by vendors. The flaws could be used to compromise a mobile device's bootloader, execute arbitrary code, brick a device, or carry out denial-of-service (DoS) attacks.
The bugs were found through the BOOTSTOMP tool, developed by the team, which used static analysis and dynamic symbolic execution to locate problem areas in mobile device firmware.
The tool discovered two bootloader vulnerabilities which could be used by attackers who already hold root privilege to unlock devices and break the Chain of Trust (CoT) during boot-up: the mechanism by which each boot component is validated before it is executed, all the way up to the operating system.
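To illustrate what a chain of trust validates, and why the unlock state must itself be protected, here is a simplified model added by the editor; it is not code from the researchers or from any vendor bootloader. The HMAC stands in for the vendor's signature and the key is a constructed stand-in for the hardware-fused root of trust.

```python
import hashlib
import hmac

# Constructed stand-in for the device key fused into hardware (the root of trust).
ROOT_KEY = b"constructed-root-of-trust-key"
HASH_LEN = 32


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(payloads):
    """Lay out boot stages so that each stage carries the hash of the next one.

    Only the first stage is signed with the root key; every later stage is
    trusted transitively because its hash is embedded in its predecessor.
    Returns (stages, signature_over_first_stage)."""
    stages = []
    next_hash = b"\x00" * HASH_LEN          # the final stage links to nothing
    for payload in reversed(payloads):
        stages.insert(0, next_hash + payload)
        next_hash = digest(stages[0])
    signature = hmac.new(ROOT_KEY, stages[0], hashlib.sha256).digest()
    return stages, signature


def verify_chain(stages, signature):
    """Replay the boot-time checks in order.

    Returns the index of the first stage that fails verification, or None when
    the whole chain is intact. Stage 0 is checked against the root key; stage
    i+1 is checked against the hash embedded in stage i."""
    expected = hmac.new(ROOT_KEY, stages[0], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return 0
    for i in range(len(stages) - 1):
        if not hmac.compare_digest(stages[i][:HASH_LEN], digest(stages[i + 1])):
            return i + 1
    return None


def should_boot(stages, signature, unlocked: bool) -> bool:
    """An unlocked bootloader skips verification by design, so whatever records
    the unlock state has to sit behind the root of trust, not in storage that
    an OS-level root user can rewrite."""
    return unlocked or verify_chain(stages, signature) is None


if __name__ == "__main__":
    stages, sig = build_chain([b"bootloader", b"kernel", b"system"])
    tampered = stages[:2] + [b"\x00" * HASH_LEN + b"rootkit"]  # swapped final stage
    print(verify_chain(stages, sig), verify_chain(tampered, sig))  # None 2
```

Flipping `unlocked` to True makes `should_boot` accept the tampered chain, which is the model's way of showing why an attacker who can change the unlock state gains persistence the chain of trust cannot detect.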
The researchers' report (.PDF) says the vulnerabilities were present in, and tied to, the chipsets and bootloader firmware used by popular vendors in their mobile devices.
Qualcomm chipsets are used in roughly 60 percent of today's mobile devices, including the Google Pixel; HiSilicon Kirin-based technology is used in Huawei smartphones and tablets; MediaTek chipsets are found in devices including Sony ranges; and Nvidia chips can be found in the firm's own Tegra-based devices.
In particular, five different bootloaders were examined in devices from three different chipset families: Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Sony Xperia XA (MediaTek chipset), and Nexus 9 (NVIDIA Tegra chipset). Two versions of Qualcomm's LK-based bootloader were also investigated.
These chipsets contained six exploitable flaws discovered through BOOTSTOMP. A seventh issue, CVE-2014-9798, was already known and linked to an old version of the LK bootloader.
The researchers singled out Huawei in particular, as a bug discovered was deemed "quite severe [...] due to the architecture of the Huawei bootloader."
"This vulnerability would not only allow one to break the chain of trust, but it would also constitute a means to establish persistence within the device that is not easily detectable by the user, or available to any other kind of attack," the report says.
While the ability to unlock a bootloader can be a valuable asset in security, it should only be exercised with the owner's consent and by the right people -- and the unlock mechanism certainly should not contain bugs that allow attackers to do so in their stead.
"Of course, this is a very security-sensitive functionality; an attacker could unlock the bootloader and then modify the relevant partitions as a way of implementing a persistent rootkit," the report says.
The vendors have been made aware of the vulnerabilities and security patches have been issued.