The Samsung Galaxy S4 hacked
Posted by: TimW on 05/24/2013 02:57 PM
With only a month on the market, Samsung Galaxy S4 has sold 10 million devices. Security expert Dan Rosenberg identified a trivial design flaw in Samsung's secure bootloader concept that allows arbitrary operating systems to be booted.
The S4 is sold unlocked and owners are free to install a customized version of Android. Before booting, the bootloader checks whether the system image carries a valid digital signature (RSA-2048 with SHA1). RSA with 2048-bit keys cannot be broken with current state-of-the-art technology, nor can a kernel be crafted that produces a given SHA1 hash value: the forged kernel would not even need to boot, but producing it would amount to a pre-image attack, which has never been accomplished.
Rosenberg didn't need to crack any crypto at all. He discovered that the bootloader copies the kernel it is about to check to a memory address that the image itself specifies, and that this address can be chosen so that the copied code overwrites the bootloader's own check_sig() function before the bootloader calls it. check_sig() is the routine that performs the signature check and rejects manipulated kernels; after Rosenberg's memory manipulation, the code sitting at that address instead tidies up a little state and returns "everything is OK".
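The defensive invariants that close this class of flaw are short enough to state in code. The program below is an added illustration written for this article, not Samsung's or Rosenberg's code: it models a bootloader that stages an untrusted image at a fixed address the image cannot choose, verifies the staged bytes (header included, so the load address is covered by the signature) before trusting any field, and range-checks the header's load address against the bootloader's own text region and the staging buffer before copying. The memory map, the `img_hdr` layout and the names `load_region_ok`, `load_kernel` and `build_image` are assumptions made for the example; the `verify` callback stands in for the RSA-2048/SHA1 check the article describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not a real device map: a 64 KiB "RAM" whose first 4 KiB
 * hold the bootloader's own code (where a check_sig() routine would live). */
#define RAM_SIZE        0x10000u
#define BL_TEXT_START   0x0000u
#define BL_TEXT_END     0x1000u   /* exclusive */
#define STAGING_START   0x8000u   /* fixed parking area for unverified images */
#define STAGING_END     0xC000u   /* exclusive */

static uint8_t ram[RAM_SIZE];

/* Hypothetical image header: both fields are attacker-controlled input. */
struct img_hdr {
    uint32_t load_addr;
    uint32_t size;
};

/* Returns 1 if [load_addr, load_addr+size) is a safe copy destination:
 * no integer overflow, inside RAM, and overlapping neither the bootloader's
 * code nor the staging buffer holding the bytes that were just verified. */
int load_region_ok(uint32_t load_addr, uint32_t size)
{
    if (size == 0) return 0;
    if (load_addr > UINT32_MAX - size) return 0;          /* end would wrap */
    uint32_t end = load_addr + size;
    if (end > RAM_SIZE) return 0;
    if (load_addr < BL_TEXT_END && end > BL_TEXT_START) return 0;
    if (load_addr < STAGING_END && end > STAGING_START) return 0;
    return 1;
}

typedef int (*verify_fn)(const uint8_t *bytes, uint32_t len);

/* Stage, verify, then (and only then) honour the header.
 * Returns 0 on success, -1 malformed, -2 bad signature, -3 bad destination. */
int load_kernel(const uint8_t *image, size_t image_len, verify_fn verify)
{
    struct img_hdr hdr;
    if (image_len < sizeof hdr || image_len > STAGING_END - STAGING_START) return -1;

    /* 1. Stage the whole image, header included, at an address the image cannot pick. */
    uint8_t *staged = &ram[STAGING_START];
    memcpy(staged, image, image_len);

    /* 2. Verify the staged bytes before reading any field out of them. */
    if (!verify(staged, (uint32_t)image_len)) return -2;

    /* 3. Parse the header from the verified copy and sanity-check the size. */
    memcpy(&hdr, staged, sizeof hdr);
    if (hdr.size != image_len - sizeof hdr) return -1;

    /* 4. Range-check the destination so the copy can never land on bootloader code. */
    if (!load_region_ok(hdr.load_addr, hdr.size)) return -3;
    memcpy(&ram[hdr.load_addr], staged + sizeof hdr, hdr.size);
    return 0;
}

/* Builds a constructed image (header + payload) for demonstration input. */
size_t build_image(uint8_t *out, size_t cap, uint32_t load_addr,
                   const uint8_t *payload, uint32_t n)
{
    struct img_hdr hdr = { load_addr, n };
    if (cap < sizeof hdr + n) return 0;
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, payload, n);
    return sizeof hdr + n;
}

/* Stand-in verifiers so the control flow can be exercised without real keys. */
static int accept_all(const uint8_t *b, uint32_t n) { (void)b; (void)n; return 1; }
static int reject_all(const uint8_t *b, uint32_t n) { (void)b; (void)n; return 0; }

uint8_t ram_byte(uint32_t addr) { return ram[addr]; }

int main(void)
{
    uint8_t img[64];
    const uint8_t payload[8] = "KERNEL!";
    /* An image whose header aims at the bootloader's own code is refused. */
    size_t n = build_image(img, sizeof img, 0x0800u, payload, sizeof payload);
    printf("load into bootloader text: %d\n", load_kernel(img, n, accept_all));
    /* The same payload aimed at free RAM is accepted. */
    n = build_image(img, sizeof img, 0xD000u, payload, sizeof payload);
    printf("load into free RAM: %d\n", load_kernel(img, n, accept_all));
    return 0;
}
```

The two properties that matter are the ordering (nothing from the header is acted on until the bytes carrying it have been verified) and the destination check, which treats the bootloader's own text and the staging buffer as forbidden targets. Either one alone would have blocked the overwrite described above; together they also prevent a valid signature from being paired with a hostile load address.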