Android devices hold a large amount of information about its hardware and system that an average user might find difficult to access. But if the attacker knows Android’s secret codes, he can factory reset the device, find out its hidden camera information, instantly back up user’s sensitive data and much more.
Most of these secret codes come from the factory-installed apps such as EngineerMode or wt_secret_code_manager, and few may be embedded in the basic apps such as contacts, calendar and so on. In 2017, a security researcher pointed out that oneplus device has a backdoor in EngineerMode app for diagnostics mode which can lead to root exploit. On Twitter, Qualcomm VP of Product Security Engineering Alex Gantman stated that the EngineerMode app was not authored by Qualcomm but others who had built it on top of a previous testing app. Engineeringmode app and other apps which have the secret codes mostly are built-in system-signed and these apps have lots special and externally accessible privileges for convenience, so there are lots of exposed attack surfaces and may bring lots damage for the users.
In this presentation, we will introduce many authentication bypass and privilege escalation vulnerabilities in the top mobile vendors’ phones. Among them, most are system reset bypass. We also find that lock-screen PINs are leaked through logcat in several phones. What’s more, in some devices using the Engineeringmode can reboot to Qualcomm’s Kernel FFBM mode which need to erase misc partition to exit. The misc partition in android device contains many important information about the settings such as usb/CID（Carrier or Region ID), which may influence the device’s functions if this partition is damaged. Even worse, the OTA update may be controlled. All the vulnerabilities found by us breach Android’s permission system. We also build a fuzzing tool which can scan through all available secret codes on the device.
To demonstrate the effectiveness of our method, we apply it on OEM devices such as Samsung, Huawei, oppo, vivo, meizu, xiaomi and Smartisan OS. This has found an average of 5 vulnerabilities on each device due to secret code leakage. We have identified in total 50+ bugs and vulnerabilities, including many severe ones. During the presentation, we will select typical ones to demonstrate, aiming to inspire the community with those vulnerabilities that have not yet been identified and shown by other methods.