Foxconn negligence leads to backdoor presence in two Android devices

Security researcher Jon Sawyer has found a backdoor in at least two Android devices, caused by the negligence of the manufacturer Foxconn. In this way, root access to the devices would be possible without authentication.

According to Sawyer, the vulnerability is located in Foxconn’s ‘apps bootloader’, which the manufacturer uses in various devices. So far, the researcher has found two vulnerable devices, the Nextbit Robin and the M810 from InFocus. He expects that there are more vulnerable devices, because Foxconn supplies devices for many smartphone brands. The leak, which Sawyer describes as a debugging feature, allows full USB access to a vulnerable phone without requiring authentication. Security by SELinux can also be circumvented in this way, according to the researcher.

The leak thus requires physical access, which would make it particularly interesting for forensic investigators. For example, to retrieve data from the device or to brute force encryption keys. The leak arises because the bootloader contains a command that allows an attacker to put the device in a ‘factory test mode’ and thus gain access. According to Sawyer, the presence of this capability is “a sign of Foxconn’s gross negligence.”

Vulnerable devices can be recognized by the partitions ‘ftmboot’ and ‘ftmdata’, according to the researcher. Following his discovery, he contacted Nextbit and Foxconn in August. According to the timeline, only Nextbit has released a patch so far. Sawyer states that many smartphone companies do not know that this backdoor is present in their devices. The researcher has named the vulnerability ‘Pork Explosion’, in his own words to mock companies that use a vulnerability as a PR stunt by giving it their own names.