
Second Chinese Firm in a Week Found Hiding Backdoor in Android Devices - doener
http://www.bleepingcomputer.com/news/security/second-chinese-firm-in-a-week-found-hiding-backdoor-in-firmware-of-android-devices/
======
ryao
I am not surprised. Just about every consumer electronic device in China can
be assumed to be backdoored. Laptops are backdoored too:

[http://www.techworm.net/2015/08/lenovo-pcs-and-laptops-seem-...](http://www.techworm.net/2015/08/lenovo-pcs-and-laptops-seem-to-have-a-bios-level-backdoor.html)

Even the ISP provided routers are backdoored:

[http://www.computersolutions.cn/blog/2014/09/hacking-shangha...](http://www.computersolutions.cn/blog/2014/09/hacking-shanghai-telecoms-e8-wifiepon-fibre-modem/)

Some of the obvious backdoors are easy to circumvent. e.g. If a Linux
distribution is your operating system of choice, you automatically bypass that
Lenovo backdoor.

~~~
vardump
So, hypothetically speaking, say a laptop firmware has an SMM backdoor, how
does using Linux bypass it in _any_ way?

Such firmware could, for example, scan system memory for cryptographic keys and
send them over a wifi or ethernet connection, without the main OS even knowing.

SMM code is going to be executed at arbitrary times at the highest possible
privilege level regardless of operating system.

Any microcontrollers inside laptop manufacturers' ASICs can also do pretty much
anything the manufacturer wants them to do (or possibly even whatever some
other party compromises them to do).

The manufacturer itself might not even be aware they're shipping compromised
systems.

~~~
ryao
My Linux remark applied solely to the backdoor that used an ACPI table to make
Windows install malware on every boot, which I had linked. It did not claim
that installing Linux protected you from anything else.

~~~
vardump
That ACPI table payload is conditional and obviously OS dependent. Overall not
a huge threat.

SMM interrupt code comes from the very same BIOS image and is executed at
arbitrary times regardless of operating system. SMM code can do pretty much
anything it pleases, it runs at the highest privilege and priority level
possible.

~~~
ryao
Discussion of SMM interrupt code is irrelevant to the observation that
installing Linux protects you from a Windows specific backdoor. That was not a
claim that Linux provided safety against every possible backdoor. You seem to
be trying to debunk a claim that no one made.

~~~
vardump
I don't try to debunk anything.

I think it's just silly to talk about some ACPI table payload, when there's a
greater threat controlled by the same binary blob.

SMM can do anything that ACPI payload could do and more. And we need to _trust
the same entity_ for its integrity.

SMM is also operating system independent. It'll run no matter what operating
system end user runs.

~~~
ryao
If you were not trying to debunk anything, then this was a very poor choice of
words:

> So, hypothetically speaking, say a laptop firmware has an SMM backdoor, how
> does using Linux bypass it in any way?

Aside from that, good point.

------
secfirstmd
Phones, like antiviruses, modems, cloud providers, etc., increasingly feel like
a case of "pick which nation state's backdoor you feel more comfortable with."
I find myself occasionally thinking (we work on human rights topics), well, I
don't really piss off the USA or EU so I will buy, say, an antivirus from there,
but I do piss off XYZ so I won't buy a product from there. What a mad world we
live in that software/hardware purchasing has a geostrategic component. It
always has done for government etc., but now it does for the consumer.

~~~
linkregister
Is there any evidence for a government having a backdoor in Cyanogen or
another Android OS fork? Or, for that matter, a backdoor into iOS?

As far as the geostrategic component of telecommunications choice, when was it
_not_ like this? Postal letter: address logging, letter opening; telegram:
logging, transcription; land telephone: call logs and wiretapping; wireless
telephone: call logs and wiretapping; email (without STARTTLS): metadata
logging and interception; social network: government search order.

The modern encrypted methods of communication (iMessage, PGP, Signal) are the
first methods where one could feel comfortable about the local government
having extreme difficulty intercepting your communication.

I think it is essential to consider geography when deciding telecommunications
hardware, software, and service. There may have been a local maximum in the
early-mid 2000s, but this is only part of a long-term trend of improving
privacy in telecommunications.

~~~
tomp
Wasn't Apple's "goto fail" bug a partial backdoor into iOS? Considering how
long it took for it to be discovered, is it really so improbable that there
are similar, or more serious, backdoors in other software, even if open
source?

~~~
huxley
"goto fail" certainly could be used as a way of subverting iOS security but it
provided indiscriminate access in a way that seems more like a vulnerability
caused by a bug.

Maybe some actor did add the goto fail for nefarious reasons, but it can quite
easily be explained by a merge error.

It's not easy to explain this particular backdoor as anything but a backdoor.
From the article:

"The binary responsible for the firmware OTA update operations also includes
code to hide its presence from the Android OS, along with two other binaries
and their processes. A developer looking at active Android processes won't be
able to tell when there's an update coming to his phone."

------
huhtenberg
Details are missing.

If a device downloads updates over a non-secured channel, it doesn't
automatically mean that it will _execute_ the update unconditionally. For
example, a package might be signed with vendor's key, the public part of which
is shipped with the device. If the sig is missing or invalid, the device will
discard the package.
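
The check described in this comment, as an added example that is not part of the thread or of any vendor's actual update code: the device ships only the vendor's public key, and a downloaded package is executed only if its detached signature verifies under that key. The package layout (payload plus an Ed25519 signature over it), the key pair, the sample payload and the function names are all constructed for this example; real OTA formats sign a manifest of hashes rather than the raw image, but the trust decision is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// OTAPackage is a constructed, simplified package layout for this example:
// the update payload plus a detached Ed25519 signature over that payload.
type OTAPackage struct {
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned whenever the device must discard a package.
var ErrBadSignature = errors.New("ota: signature missing or invalid, package discarded")

// SignPackage is what the vendor's build system would do with the private key,
// which never leaves the vendor. It is here only so the example is self-contained.
func SignPackage(priv ed25519.PrivateKey, payload []byte) OTAPackage {
	return OTAPackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyAndApply models the check described in the comment: the device holds
// only the vendor's public key and returns the payload for execution only if
// the signature is present and verifies under that key. Everything else is
// discarded, so a man-in-the-middle on an unencrypted download channel cannot
// substitute a payload without also holding the vendor's private key.
func VerifyAndApply(vendorPub ed25519.PublicKey, pkg OTAPackage) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, ErrBadSignature // signature missing or malformed
	}
	if !ed25519.Verify(vendorPub, pkg.Payload, pkg.Signature) {
		return nil, ErrBadSignature // payload altered or signed with another key
	}
	return pkg.Payload, nil
}

// Scenarios runs the four cases worth checking and reports whether each was
// handled as intended: the genuine package is accepted, while the tampered,
// unsigned and attacker-signed packages are all rejected.
func Scenarios() (genuineOK, tamperedRejected, unsignedRejected, wrongKeyRejected bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	if err != nil {
		panic(err)
	}
	update := []byte("constructed sample payload: system.img v1.2.3")

	// 1. Genuine package signed by the vendor: accepted.
	genuine := SignPackage(vendorPriv, update)
	_, err = VerifyAndApply(vendorPub, genuine)
	genuineOK = err == nil

	// 2. Payload altered in transit; the signature no longer matches.
	tampered := genuine
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0xff
	_, err = VerifyAndApply(vendorPub, tampered)
	tamperedRejected = errors.Is(err, ErrBadSignature)

	// 3. Signature stripped entirely.
	_, err = VerifyAndApply(vendorPub, OTAPackage{Payload: update})
	unsignedRejected = errors.Is(err, ErrBadSignature)

	// 4. Package signed with a key other than the one pinned on the device.
	forged := SignPackage(otherPriv, []byte("constructed substitute payload"))
	_, err = VerifyAndApply(vendorPub, forged)
	wrongKeyRejected = errors.Is(err, ErrBadSignature)
	return
}

func main() {
	g, t, u, w := Scenarios()
	fmt.Printf("genuine accepted=%v tampered rejected=%v unsigned rejected=%v wrong-key rejected=%v\n",
		g, t, u, w)
}
```

The point of the four cases is that transport security and package authenticity are separate questions: an unencrypted HTTP download is a confidentiality and integrity problem on the wire, but a pinned vendor key checked before execution still stops a substituted package. What the original research found is that this check was absent, which is why the channel weakness became full command execution.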

~~~
chrononaut
The original research article [0] provides more insight into the actual issue
at hand. Specifically, it enables the execution of arbitrary commands.

[0] [http://blog.anubisnetworks.com/blog/ragentek-android-ota-upd...](http://blog.anubisnetworks.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack)

~~~
huhtenberg
Oh, jeez. That's a blatant backdoor alright.

------
x0x0
Ugh. I almost bought a Blu because they're super cheap and I thought I would
need to bridge a 10 day gap between a phone dying and the replacement
arriving.

It's really past time for Google to take control of Android and stop crap like
this.

~~~
tonyplee
We have a choice between a $100+ phone that sends your info to China and a $600+
phone that sends your info to Google/Facebook/Apple....

~~~
x0x0
I'm relatively confident that Google/Apple obey data opt-outs, if for no other
reason than there's class action lawyers who would love to sue them.

------
firewalkwithme
Has anyone come across a list of infected devices for this one, or the ones
infected with the adups spyware?

And more importantly, are there any kits/apps to detect or remove these?

~~~
chrononaut
The identified affected devices are listed in the provided CERT article. [0]
There are similar devices affected by this issue and the ADUPS spyware,
potentially a cross-section of BLU devices.

[0] [https://www.kb.cert.org/vuls/id/624539](https://www.kb.cert.org/vuls/id/624539)

------
nl
_Researchers registered the other two domains_

I don't even know where to start....

~~~
gruez
what's the issue?

~~~
nl
So..

Here's a vulnerability which completely owns the phones it runs on. This is
the kind of thing which a few years ago would have been the scandal that would
destroy companies - the pre-SP1 Windows XP Microsoft vulnerabilities were
much, much less serious than this and yet Gates saw them as an existential
threat to the company.

But apparently vulnerabilities now are so common that - even when they are
deliberately put in - the company neglected to pay the ~$20/year to make sure
they kept access.

Additionally, for all the talk of how state-sponsored agencies are continually
grabbing every resource they could, here is one where they could have taken
over a large number of phones and yet failed to.

Additionally, for all the talk of how organized the PLA is.. clearly this
wasn't them.

------
be5invis
I think Hanlon's Razor can be applied to this example: They just do not think
that encryption is important. It is real for Chinese companies.

~~~
curt15
How does Hanlon's Razor explain the surreptitious nature of the firmware?

"Little is known about the Ragentek firmware. BitSight researchers said code
in the firmware goes out of its way to conceal the presence of the underlying
binary file. For example, it deliberately attempts to remain excluded from the
list of running processes returned by the Linux PS command."

[http://arstechnica.com/security/2016/11/powerful-backdoorroo...](http://arstechnica.com/security/2016/11/powerful-backdoorrootkit-found-preinstalled-on-3-million-android-phones/)

~~~
JumpCrisscross
On the other hand, the two domains left unregistered point to stupidity over
evil.

------
unlimit
Is there any way to check if my devices have backdoors? Almost everything is
made in China nowadays. :-(

------
boznz
What consumer devices are NOT made in China?

~~~
simongray
A lot of consumer hardware is assembled in China, but modern technology is
"made" from globally sourced components and talking about a country of origin
is disingenuous. And the software for Western brands is made in Western
countries, not in China.

------
mercurialshark
(Feigns shock)