SVE-2016-7930: Multiple buffer overflows in Samsung Galaxy bootloader
Posted on Sun 23 July 2017 in Advisory
Prequel
On October 21st 2015, mobile forensics company Cellebrite published a video that demonstrates how their solution can dump the eMMC of Samsung Galaxy devices:
This video strongly suggests that the Samsung Galaxy bootloader can be exploited to execute arbitrary code.
Summary
Several bugs in the Samsung Galaxy bootloader allow an attacker with physical access to execute arbitrary code. Protections such as the OS lock screen and reactivation lock can be defeated.
Download mode (a.k.a. ODIN) doesn't properly sanitize the headers of flashed images. This can lead to integer and buffer overflows.
The bugs and the exploitation technique are detailed in the paper released at the SSTIC 2017 conference.
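To illustrate the bug class named in the summary, here is an added example that is not the advisory's or Samsung's code: a hypothetical flash-image header check in which 32-bit arithmetic on unchecked header fields wraps, beside a hardened version that bounds every field before computing any size. The header layout, magic value and limits are assumptions; the real download-mode format is not described on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical flash-image header, constructed for this example. It is NOT
 * the real download-mode (ODIN) format, which the advisory does not describe. */
struct img_header {
    uint32_t magic;
    uint32_t entry_count;  /* number of partition-table entries */
    uint32_t entry_size;   /* bytes per entry */
    uint32_t payload_len;  /* bytes of image data following the table */
};

#define IMG_MAGIC      0x53414d53u  /* constructed value */
#define MAX_ENTRIES    64u          /* assumed sane upper bound */
#define MAX_ENTRY_SIZE 256u         /* assumed sane upper bound */

struct img_header make_header(uint32_t count, uint32_t size, uint32_t payload) {
    struct img_header h = { IMG_MAGIC, count, size, payload };
    return h;
}

/* Weak check: the product and the sum are computed in 32 bits, so a header
 * with large count/size fields can wrap them to a small value, pass the
 * bound test, and still drive a later copy with the true (huge) sizes. */
bool header_ok_weak(struct img_header h, uint32_t buf_len) {
    uint32_t total = h.entry_count * h.entry_size + h.payload_len;  /* may wrap */
    return h.magic == IMG_MAGIC && total <= buf_len;
}

/* Hardened check: bound every field before any arithmetic, then compute the
 * sizes in a type wide enough that the bounded values cannot wrap. */
bool header_ok(struct img_header h, uint32_t buf_len) {
    if (h.magic != IMG_MAGIC) return false;
    if (h.entry_count > MAX_ENTRIES || h.entry_size > MAX_ENTRY_SIZE) return false;
    uint64_t table = (uint64_t)h.entry_count * h.entry_size;  /* <= 64 * 256 */
    uint64_t total = table + h.payload_len;                    /* < 2^33, no wrap */
    return total <= buf_len;
}
```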
Proof-of-Concept
PoC code for the Samsung Galaxy S5 has been released on GitHub.
CVSS Version 3 Metrics
- Attack Vector (AV): Physical (P)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Overall CVSS Score: 6.8
Solution
Samsung has released a fix via OTA.
Disclosure Timeline
- 2016-12-20 Disclosed to Samsung
- 2017-03-07 Public disclosure in Samsung Bulletin SMR-MAR-2017
- 2017-06-08 Talk at SSTIC 2017 conference
- 2017-07-21 Proof-of-Concept released