Some Android devices that contain firmware created by Foxconn may be vulnerable via a debugging feature left inside the OS bootloader, which acts as a backdoor and bypasses authentication procedures for any intruder with USB access to a vulnerable phone.

Foxconn is a Taiwanese company that assembles the electronic parts of several Android smartphone manufacturers (OEMs).

This backdoor exists in the bootloader, the piece of code responsible for starting the Android OS, because various OEMs allow Foxconn to create and supply firmware for some of the electronics that glue the parts of an Android device together.

Foxconn debugging feature acts as a backdoor

Jon Sawyer, a US security expert, discovered at the end of August that this firmware included support for booting up Android devices without having to go through the proper authentication procedure.

The researcher says that someone with physical access to the device could connect it via USB to a computer and use specific software to interact with the device during its boot-up procedure.

This kind of software is most likely a Foxconn debugger, but Sawyer was able to craft his own client and run the commands to enter this "factory test mode."

This test mode (aka backdoor) can be accessed via Fastboot, a protocol for handling boot-up commands. Sawyer says that the boot-up command to access the backdoor is "reboot-ftm," and can only be sent to the device using custom software, and not through Android or OEM-specific Fastboot interfaces.

"While it is obviously a debugging feature, it is a backdoor," Sawyer says, "it isn’t something we should see in modern devices, and it is a sign of great neglect on Foxconn’s part."

Backdoor accessible via USB, disables SELinux

But it gets even worse. When entering this factory test mode, Sawyer says the user is "root," with total control over the phone, and that SELinux, a major Android security component, is completely disabled.

"In short, this is a full compromise over USB, which requires no logon access to the device," Sawyer says. "This vulnerability completely bypasses authentication and authorization controls on the device. It is a prime target for forensic data extraction."

"Due to the ability to get a root shell on a password protected or encrypted device, Pork Explosion would be of value for forensic data extraction, brute forcing encryption keys, or unlocking the boot loader of a device without resetting user data. Phone vendors were unaware this backdoor has been placed into their products," Sawyer adds.

Unknown number of devices affected

This backdoor, which he (weirdly) named Pork Explosion, affects a large number of devices. Unfortunately, there isn't a list of affected OEMs and smartphone models at the time of writing.

Sawyer has provided the following information on how to detect Android devices affected by Pork Explosion.

"For those looking to detect vulnerable devices, you can check for the partitions "ftmboot" and "ftmdata". The "ftmboot" partition contains a traditional Android kernel/ramdisk image. This one has SELinux disabled, and adb running as root. The "ftmdata" partition is mounted on /data during ftm bootmode. These partitions are only a sign that the device is vulnerable."
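The partition check Sawyer describes, written up as an added example (not code from the article or from Sawyer): it lists partition names from a device over adb and flags "ftmboot"/"ftmdata". It assumes adb is installed with USB debugging authorized, and that partition names appear as symlinks under a by-name directory (a common but not universal Android layout); the sample listings are constructed, not captured from a real device.

```shell
#!/bin/sh
# Detect the "ftmboot"/"ftmdata" partitions that Sawyer names as the sign of a
# Pork Explosion-affected device. Assumption: the device exposes partition
# names under one of the by-name directories below (layout varies by OEM).

# Query a connected device via adb and print its partition names, one per line.
# Not called automatically, so the script also runs without a device attached.
list_device_partitions() {
    adb shell 'for d in /dev/block/by-name /dev/block/platform/*/by-name /dev/block/bootdevice/by-name; do
        [ -d "$d" ] && ls "$d"
    done 2>/dev/null' | tr -d '\r' | sort -u
}

# Read partition names (space/tab/newline separated) from stdin and print any
# FTM partitions found, one per line. Returns 0 if any were found, 1 otherwise.
check_ftm_partitions() {
    found=$(tr ' \t' '\n\n' | grep -Ex 'ftm(boot|data)' | sort -u)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -n "$found" ]
}

# Print a verdict for a given listing; returns 0 when the device looks affected.
report() {
    if found=$(printf '%s\n' "$1" | check_ftm_partitions); then
        printf 'POSSIBLY AFFECTED: found %s\n' "$(printf '%s' "$found" | tr '\n' ' ')"
        return 0
    fi
    echo "no ftmboot/ftmdata partitions found"
    return 1
}

# Constructed sample listings (not from a real device) for an offline dry run.
SAMPLE_VULNERABLE="boot recovery system userdata ftmboot ftmdata cache"
SAMPLE_CLEAN="boot recovery system userdata cache"

report "$SAMPLE_VULNERABLE" || true
report "$SAMPLE_CLEAN" || true
# On a real device, run:  list_device_partitions | check_ftm_partitions
```

As Sawyer notes, the presence of these partitions is only an indicator; confirming the behaviour still requires checking how the device actually boots.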