Security Advisory: Clock Fault Injection on Mocor OS - Password Bypass
Introduction
This security advisory addresses a vulnerability discovered during a recent forensics engagement. Our investigation revealed that the Mocor OS, running on UNISOC SC6531E devices, is susceptible to a clock fault injection attack, which poses a significant threat to user data security and privacy. Through this attack vector, an unauthorized user with physical access to a device can bypass the device's user lock, gaining unrestricted access to the main screen and compromising the integrity of the system. Notably, this vulnerability arises from a flaw in the soft reset routine performed by the OS kernel, which lacks proper permission checks for user passwords, making feature/burner phones vulnerable to exploitation.
Clock Glitching to bypass security lock
Affected vendor & product | UNISOC / Mocor OS
Vendor Advisory | https://www.unisoc.com/en_us/secy/announcementDetail/1687281677639942145
Vulnerable version | All versions
Fixed version | According to UNISOC, this issue is fixed in the latest release of Mocor OS.
CVE IDs | CVE-2023-3630
Impact (CVSS) | 6.1 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Credit | ONEKEY Research Lab
Description
Mocor OS is a proprietary operating system developed by UNISOC (Spreadtrum), a company known for producing mobile processors primarily for feature phones. This OS is widely adopted by various feature phone vendors, including well-known brands such as Nokia, TCL, Alcatel, and others. The specific vulnerability we have identified affects devices utilizing the UNISOC SC6531E chipset; however, it's important to note that similar vulnerabilities might exist across other System-on-Chips (SoCs) as well.
The affected devices mainly include basic/burner phones that have been available in the market from 2017 to the present day. According to UNISOC, more than a billion chips have been sold to various vendors, including Nokia, TCL, and several other white-label phone manufacturers. This widespread adoption of the vulnerable chipset makes a substantial number of devices susceptible to the security flaw.
The nature of the vulnerability allows an attacker with physical access to exploit the device using a small metal wire, effectively bypassing the security lock and gaining unauthorized access to the device's functions and data.
Steps to reproduce the security issue
1. The Mocor OS is vulnerable to a clock fault injection attack.
2. To perform the attack, connect the CLK pin of the SoC to GND (ground) for a duration of 50-100 milliseconds.
3. This action causes a crash of the Main OS, triggering a soft reboot by the SoC. However, during this soft reboot, certain permission checks that are normally performed during a regular reboot are bypassed.
4. Exploit the vulnerability by injecting the fault precisely during the user-lock prompt at boot. This successful injection will result in the user-lock password being bypassed, providing the attacker with full access to the device.
The following video demonstrates exploitation of the vulnerability and a successful bypass of the password-protected user lock screen.
Key Takeaways
- Importance of proper error handling and fault injection mitigation: This vulnerability highlights the criticality of implementing robust error handling mechanisms and thoroughly addressing fault injection scenarios during software development. Proper validation and error checking at various stages can significantly enhance the security posture of the system.
- Rigorous checks for all paths leading to sensitive states: Conducting comprehensive security assessments that thoroughly examine all possible paths leading to sensitive states is essential. Identifying and addressing vulnerabilities in such pathways can prevent potential exploitation and ensure the overall security of the system.
- Avoidance of reliance on implicit assumptions: Relying on implicit assumptions about system behavior can lead to unforeseen security risks. It is vital to explicitly validate and verify all security-critical operations and not solely rely on assumed protections and execution paths to safeguard against potential attacks.
- Limitations of feature/burner phones for storing high-sensitive information: This vulnerability reinforces the fact that feature/burner phones are not designed to provide a high-level of security for sensitive information. Users should avoid relying solely on the device's password prompt for data protection. Instead, opt for more secure devices and encryption mechanisms when handling sensitive data.
- Disposal of vulnerable devices containing sensitive information: For users who possess vulnerable devices that contain sensitive information, it is advisable to erase and dispose of these devices if physical security is a part of their threat model. Proper disposal ensures that potential attackers cannot gain unauthorized access to sensitive data stored on these devices.
In summary, addressing this vulnerability demands a holistic approach to software development, incorporating rigorous security checks and mitigation measures to bolster system defenses. Additionally, users must exercise caution with regard to the types of devices used for sensitive data storage and be proactive in adopting more secure alternatives when needed.
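Added illustration (not UNISOC's or Mocor OS's code): a constructed model of the flaw behind steps 3 and 4 above and the "all paths leading to sensitive states" takeaway, showing a soft-reset path that skips the lock check beside a boot flow that enforces the lock whatever the reset reason. The reset reasons, state struct and UNLOCK_MAGIC value are assumptions for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a feature-phone boot flow (not UNISOC or Mocor OS code). */
typedef enum { RESET_COLD = 0, RESET_SOFT = 1 } reset_reason_t;

typedef struct {
    bool lock_enabled;              /* user lock configured in persistent settings */
    volatile uint32_t unlock_token; /* RAM state that gates the main screen */
} device_state_t;

/* Assumed sentinel: neither a zeroed word nor a single flipped bit equals it. */
#define UNLOCK_MAGIC 0xA5C3F00Du

/* Vulnerable pattern: the soft-reset path taken after a crash assumes the lock
 * was already handled and goes straight to the main screen. This is the shape
 * of flaw the advisory describes for the soft reset routine. */
bool vulnerable_boot(reset_reason_t reason, device_state_t *st, bool password_ok)
{
    if (reason == RESET_SOFT) {
        st->unlock_token = UNLOCK_MAGIC;    /* no permission check on this path */
        return true;
    }
    if (st->lock_enabled && !password_ok)
        return false;
    st->unlock_token = UNLOCK_MAGIC;
    return true;
}

/* Hardened pattern: the lock is enforced on every path into the main screen
 * whatever the reset reason, pre-reset RAM state is discarded, and the final
 * gate is a magic-value compare read twice (volatile forces both reads). */
bool hardened_boot(reset_reason_t reason, device_state_t *st, bool password_ok)
{
    (void)reason;                           /* reset reason must not matter */
    st->unlock_token = 0;                   /* never trust state across a reset */
    if (st->lock_enabled && !password_ok)
        return false;
    st->unlock_token = UNLOCK_MAGIC;
    if (st->unlock_token != UNLOCK_MAGIC)
        return false;
    return st->unlock_token == UNLOCK_MAGIC;
}

/* Runs one boot scenario and reports whether the main screen was reached. */
bool boot_outcome(bool hardened, reset_reason_t reason, bool lock_enabled, bool password_ok)
{
    device_state_t st = { lock_enabled, 0 };
    return hardened ? hardened_boot(reason, &st, password_ok)
                    : vulnerable_boot(reason, &st, password_ok);
}
```

With the lock enabled and no valid password, the vulnerable flow reaches the main screen on a soft reset while the hardened flow stays locked on both reset paths.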
Timeline
2023-03-30: Contacting vendor through security@unisoc.com.
2023-03-31: Vendor responded and started analysis.
2023-05-25: Vendor confirmed the vulnerability and is working on a fix.
2023-06-16: Vendor requested one extra month to apply the patch.
2023-07-12: Vendor contacted us with the CVE for the vulnerability.
2023-08-05: Vendor released the disclosure.
About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.