This security advisory addresses a vulnerability discovered during a recent forensics engagement. Our investigation revealed that the Mocor OS, running on UNISOC SC6531E devices, is susceptible to a clock fault injection attack, which poses a significant threat to user data security and privacy. Through this attack vector, an unauthorized user with physical access to a device can bypass the device’s user lock, gaining unrestricted access to the main screen and compromising the integrity of the system. Notably, this vulnerability arises from a flaw in the soft reset routine performed by the OS kernel, which lacks proper permission checks for user passwords, making feature/burner phones vulnerable to exploitation.
Affected vendor & product: UNISOC Mocor OS on SC6531E devices
Fix status: According to UNISOC, this issue is fixed in the latest release of Mocor OS.
CVSS score: 6.1 (Medium) CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Credit: ONEKEY Research Lab
Mocor OS is a proprietary operating system developed by UNISOC (Spreadtrum), a company known for producing mobile processors primarily for feature phones. This OS is widely adopted by various feature phone vendors, including well-known brands such as Nokia, TCL, Alcatel, and others. The specific vulnerability we have identified affects devices utilizing the UNISOC SC6531E chipset; however, it’s important to note that similar vulnerabilities might exist across other System-on-Chips (SoCs) as well.
The affected devices mainly include basic/burner phones that have been available in the market from 2017 to the present day. According to UNISOC, more than a billion chips have been sold to various vendors, including Nokia, TCL, and several other white-label phone manufacturers. This widespread adoption of the vulnerable chipset makes a substantial number of devices susceptible to the security flaw.
The nature of the vulnerability allows an attacker with physical access to exploit the device using a small metal wire, effectively bypassing the security lock and gaining unauthorized access to the device’s functions and data.
1. The Mocor OS is vulnerable to a clock fault injection attack.
2. To perform the attack, connect the CLK pin of the SoC to GND (ground) for a duration of 50-100 milliseconds.
3. This action causes a crash of the Main OS, triggering a soft reboot by the SoC. However, during this soft reboot, certain permission checks that are normally performed during a regular reboot are bypassed.
4. Exploit the vulnerability by injecting the fault precisely during the user-lock prompt at boot. This successful injection will result in the user-lock password being bypassed, providing the attacker with full access to the device.
The following video demonstrates exploitation of the vulnerability and a successful bypass of the password-protected user lock screen.
In summary, addressing this vulnerability requires that security checks such as the user-lock password verification are enforced on every boot path, soft resets included, together with mitigation measures that bolster system defenses. Additionally, users should be cautious about which types of devices they use to store sensitive data and should adopt more secure alternatives when needed.
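To illustrate the class of flaw described above, here is an added example (hypothetical firmware-style C, not Mocor OS or UNISOC code) that models a boot routine in which the soft-reset path skips the user-lock check, beside a hardened version in which the reset reason never substitutes for the password check. All names, the 16-byte zero-padded password format and the UNLOCK_TOKEN value are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of a feature-phone boot path. Every name here is an
 * assumption for illustration; none of it is Mocor OS code. */
#define PW_LEN 16
#define UNLOCK_TOKEN 0xA5C3u  /* non-trivial value: a single bit flip cannot forge it */
typedef enum { RESET_COLD = 0, RESET_SOFT = 1 } reset_reason_t;
typedef enum { SCREEN_LOCK_PROMPT = 0, SCREEN_MAIN = 1 } screen_t;
typedef struct {
    bool user_lock_enabled;        /* the user configured a lock password */
    char stored_password[PW_LEN];  /* constructed sample, zero-padded */
} lock_state_t;

/* Fixed-length compare over zero-padded buffers so the duration does not depend
 * on the input. Returns UNLOCK_TOKEN on a match and 0 otherwise. */
static unsigned check_password(const char *entered, const char *stored) {
    uint8_t diff = 0;
    for (unsigned i = 0; i < PW_LEN; i++)
        diff |= (uint8_t)(entered[i] ^ stored[i]);
    return diff == 0 ? UNLOCK_TOKEN : 0u;
}

/* Vulnerable flow (models the flaw described above): a soft reset is taken as
 * proof that the session was already past the lock, so the prompt is skipped. */
screen_t boot_vulnerable(reset_reason_t reason, const lock_state_t *st, const char *entered) {
    if (reason == RESET_SOFT)
        return SCREEN_MAIN;  /* no password check on this path */
    if (!st->user_lock_enabled)
        return SCREEN_MAIN;
    if (entered != NULL && check_password(entered, st->stored_password) == UNLOCK_TOKEN)
        return SCREEN_MAIN;
    return SCREEN_LOCK_PROMPT;
}

/* Hardened flow: the reset reason is diagnostic only and never replaces the
 * password check, so a fault-induced soft reset lands here like a cold boot.
 * The check runs twice so one skipped comparison cannot unlock the device. */
screen_t boot_hardened(reset_reason_t reason, const lock_state_t *st, const char *entered) {
    (void)reason;
    if (!st->user_lock_enabled)
        return SCREEN_MAIN;
    if (entered == NULL)
        return SCREEN_LOCK_PROMPT;
    volatile unsigned first = check_password(entered, st->stored_password);
    volatile unsigned second = check_password(entered, st->stored_password);
    return (first == UNLOCK_TOKEN && second == UNLOCK_TOKEN) ? SCREEN_MAIN : SCREEN_LOCK_PROMPT;
}
```

With the vulnerable routine a soft reset reaches the main screen with no password at all, which is the behaviour the advisory describes; the hardened routine returns the lock prompt for the same input.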
2023-03-30: Contacted vendor through firstname.lastname@example.org.
2023-03-31: Vendor responded and started analysis.
2023-05-25: Vendor confirmed the vulnerability and is working on a fix.
2023-06-16: Vendor requested one extra month to apply the patch.
2023-07-12: Vendor provided the CVE identifier for the vulnerability.
2023-08-05: Vendor released the disclosure.