A critical flaw impacting millions of mobile and internet of things (IoT) devices running NVIDIA’s Tegra processor has opened the door for several attacks, including device hijacking or siphoning of data.
The warning comes from a cybersecurity researcher, who discovered the flaw and asserts that the bug “affects every single Tegra device released so far.” He also created a proof-of-concept (PoC), called Selfblow, to exploit the vulnerability. NVIDIA recently released a patch for the bug (CVE‑2019‑5680) via a security bulletin.
The vulnerability is found in the Tegra system-on-a-chip (SoC) framework called Jetson TX1 L4T, used in devices that require low power consumption such as drones and IoT gear. It’s unclear how many chips utilize the vulnerable framework. However, the researcher said his PoC can flash (or reprogram) Tegra chips to run Jetson TX1, significantly enlarging the range of vulnerable devices.
“[The] proof of concept is using blobs from the Shield TV r30 release. In this example, running the flash_exploit.sh it can be flashed to the Jetson TX1. After booting the TX1 it will print a ‘Secure boot is broken!\n’ message to the uart0 before going into an infinite loop,” Balázs wrote.
The researcher’s PoC leverages what is called a cold-boot attack. That is when sensitive data becomes available to attackers via a computer’s RAM because the machine wasn’t shut down properly.
“This is an untethered cold-boot exploit, and as far as I can tell it affects every single Tegra device released so far. (Except the Nintendo Switch since it uses a custom bootloader.) Completely defeats secure boot even on latest firmware,” the researcher said. Secure boot is a security standard to help ensure that a device boots using only software that is trusted.
The high-severity bug (rated 7.7 on the Common Vulnerability Scoring System scale) traces back to the Tegra bootloader and a flaw in the “nvtboot” command, used for loading chip-level firmware.
The researcher first identified the bug in March. He said NVIDIA said it would fix the bug by May. “After four months I decided to give this to the public in good faith that will encourage them in fixing it so we can have a better, more secure devices,” he wrote. On Thursday, NVIDIA released the patch.