
[FD] Aleph Research: Google Nexus 9 Cypress SAR Firmware Injection via I2C (CVE-2017-0563)



Title:
======
Google Nexus 9 Cypress SAR Firmware Injection via I2C

Identifier:
===========
CVE-2017-0563

Product:
========
Google Nexus 9

Vulnerable Version:
===================
Nexus 9 Android builds before N4F27B (May 2017), i.e. bootloader versions 
before 3.50.0.0143.

Mitigation:
===========
Install N4F27B or later (bootloader version 3.50.0.0143).

Technical Details:
==================
The Nexus 9 contains a sensor SoC manufactured by Cypress. The sensor is 
managed by a driver available under drivers/input/touchscreen/cy8c_sar.c, 
which uses the sensor's data to regulate the radiation level emitted by the 
device.

The sensor communicates with the application processor via I2C bus #1, which 
also provides a firmware update interface. During platform boot, the driver 
samples the SoC's firmware version via chip address 0x5{c,d}, register 0x6. 
If it differs from the version of the image under /vendor/firmware/sar{0,1}.img, 
the driver initiates a firmware flashing process (via I2C chip address 
0x6{0,1}). The firmware does not appear to be signed by Cypress, so anyone with 
access to the I2C bus can reflash the SoC's firmware.

On Nexus 9 builds before N4F27B, the I2C buses could be accessed by an 
unauthorized attacker from the bootloader:

1. Via the USB fastboot interface, through the fastboot oem {i2cr, i2cw, 
i2crNoAddr, i2cwNoAddr} commands.
2. Via the HBOOT interface, available over UART (exposed through the headphone 
jack).

These vectors are especially significant because, in principle, they can be 
used either by a physical attacker (rebooting the device into fastboot) or by 
malicious chargers / headphones. For example, a malicious charger connected to 
an ADB-enabled device may reboot the device into fastboot if the user 
authorizes the charger. As for headphones, on builds before N4F26T they could 
reboot the device into HBOOT by issuing 'reboot oem-42' at the FIQ debugger 
prompt [3].

Full details can be found on our vulnerability report [1].

Patch:
======
Google patched the vulnerability in build N4F27B / bootloader 3.50.0.0143 by 
restricting access to the I2C buses: the I2C-related bootloader commands are 
no longer available.

Please note that although Google published the advisory in the April 2017 
Security Bulletin [4], the patch is only included from the April 5, 2017 
Security Patch Level onward. The April Nexus 9 image (N4F26X) carries the 
April 1, 2017 Security Patch Level and therefore does not contain the patched 
bootloader.
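Because the fix lives in the bootloader rather than in the Android security patch level, the bootloader version is the reliable thing to check. The following POSIX sh script is an added example, not code from the advisory or from Aleph Research: it compares a reported bootloader version against 3.50.0.0143 component by component (so that 0143 is read as decimal 143 and a hypothetical 3.50.0.0200 sorts after it) and, when run with --device, reads the version from an attached device in fastboot mode. The format of the `fastboot getvar version-bootloader` output ("version-bootloader: <value>" on stderr) is an assumption.

```shell
#!/bin/sh
# Added example (not part of the advisory): is a Nexus 9 bootloader
# at or above 3.50.0.0143, the version that removed the oem i2c* commands?
FIXED_BL="3.50.0.0143"

# Strip leading zeros (0143 -> 143) so a component compares as decimal,
# never as octal; a bare "0" stays "0".
dec() {
    v="$1"
    while [ "${v#0}" != "$v" ] && [ -n "${v#0}" ]; do v="${v#0}"; done
    printf '%s' "$v"
}

# Compare two dotted version strings numerically, component by component.
# Prints -1, 0 or 1 as $1 is less than, equal to, or greater than $2.
# A missing trailing component counts as 0 (3.50 == 3.50.0.0).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ah=$(dec "${ah:-0}"); bh=$(dec "${bh:-0}")
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the given bootloader version contains the fix.
bootloader_patched() {
    [ "$(vercmp "$1" "$FIXED_BL")" -ge 0 ]
}

# Live check of a device in fastboot mode, only when explicitly requested.
# Assumption: fastboot prints "version-bootloader: <value>" on stderr.
if [ "${1:-}" = "--device" ]; then
    ver=$(fastboot getvar version-bootloader 2>&1 \
          | sed -n 's/^version-bootloader: *//p')
    if bootloader_patched "$ver"; then
        echo "bootloader $ver: patched for CVE-2017-0563"
    else
        echo "bootloader $ver: VULNERABLE, install N4F27B or later"
    fi
fi
```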

References:
===========
[1] Aleph Research Vulnerability Report. 
https://alephsecurity.com/vulns/aleph-2017009
[2] PoC. https://github.com/alephsecurity/PoCs/tree/master/CVE-2017-0563
[3] Attacking Nexus 9 with Malicious Headphones. 
https://alephsecurity.com/2017/03/08/nexus9-fiq-debugger/
[4] Google's Security Bulletin (April 2017). 
https://source.android.com/security/bulletin/2017-04-01#eop-in-htc-touchscreen-driver




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/