Bug in NVIDIA’s Tegra Chipset
A flaw affecting millions of mobile and internet of things devices running NVIDIA's Tegra processor exposes them to a variety of attacks, including device hijacking and data theft. The bug affects every single Tegra device released so far. Triszka Balázs, who discovered the flaw, created a proof-of-concept, called Selfblow, to exploit the vulnerability. NVIDIA released a patch for the bug (CVE‑2019‑5680) in a security bulletin: https://nvidia.custhelp.com/app/answers/detail/a_id/4835
The vulnerability is found in the Tegra system-on-a-chip framework called Jetson TX1 L4T, used in devices that require low power consumption such as drones and IoT gear. It's unclear how many chips utilize the vulnerable framework. However, Triszka Balázs said his PoC can flash Tegra chips to run Jetson TX1, enlarging the range of vulnerable devices.
The proof of concept uses blobs from the Shield TV r30 release. Running flash_exploit.sh flashes it to the Jetson TX1. After booting, the TX1 prints a "Secure boot is broken!" message to uart0 before going into an infinite loop. The researcher's PoC leverages what is called a cold-boot attack, in which sensitive data becomes available to attackers via a computer's RAM because the machine wasn't shut down properly.
This is an untethered cold-boot exploit, and so far it affects every single Tegra device released. The only exception is the Nintendo Switch, since it uses a custom bootloader. The exploit completely defeats secure boot even on the latest firmware. Secure boot is a security standard that helps ensure a device boots using only trusted software. NVIDIA wrote, "The bootloader contains a vulnerability in nvtboot in which the nvtboot-cpu image is loaded without the load address first being validated, which may lead to code execution, denial of service or escalation of privileges."
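The class of check the bulletin says was missing, sketched as an added example (not NVIDIA's code, nor code from the original article): a boot stage validates the header-supplied load address and size before copying the next image. The memory map, region names and the function load_range_ok are hypothetical values constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical memory map, constructed for this example (not NVIDIA's). */
struct region { uint64_t base, size; };

/* Window where a next-stage image may be placed (assumed). */
static const struct region ALLOWED = { 0x80000000u, 0x40000000u };

/* Ranges the loader must never overwrite (assumed). */
static const struct region RESERVED[] = {
    { 0x80000000u, 0x00100000u },  /* the running bootloader itself */
    { 0xBFF00000u, 0x00100000u },  /* secure carve-out */
};

/* True if [base, base+size) lies inside r; written so nothing can wrap. */
static bool contains(const struct region *r, uint64_t base, uint64_t size)
{
    if (base < r->base) return false;
    uint64_t off = base - r->base;
    return off <= r->size && size <= r->size - off;
}

/* True if [base, base+size) intersects r; call only after contains(). */
static bool overlaps(const struct region *r, uint64_t base, uint64_t size)
{
    return base < r->base + r->size && r->base < base + size;
}

/* Check the header-supplied load address before a single byte is copied. */
bool load_range_ok(uint64_t load_addr, uint64_t image_size)
{
    if (image_size == 0 || !contains(&ALLOWED, load_addr, image_size))
        return false;
    for (size_t i = 0; i < sizeof RESERVED / sizeof RESERVED[0]; i++)
        if (overlaps(&RESERVED[i], load_addr, image_size))
            return false;
    return true;
}

int main(void)
{
    printf("in window:        %d\n", load_range_ok(0x80100000u, 0x200000u));
    printf("over bootloader:  %d\n", load_range_ok(0x800FF000u, 0x2000u));
    printf("wrapping address: %d\n", load_range_ok(UINT64_MAX - 0xFFF, 0x2000u));
    return 0;
}
```

The containment test subtracts rather than adds, so an address or size near the top of the 64-bit range cannot wrap around and pass the bounds check.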
Balázs believes NVIDIA is slightly downplaying risks associated with the bug. On Twitter he wrote: "In the end @nvidia given me a CVE. CVE‑2019‑5680. It got a 7.7 score, but the correct one is 8.1, since it doesn't require user interaction."