Allwinner Leaves Root Exploit in Linux Kernel, Putting ARM Devices at Risk
Running a Bitcoin node on your ARM single board computer? Fan of cheap Chinese tablets and smartphones? Maybe you contributed to the recent CHIP computer Kickstarter, or host a wallet on one of these devices. If any of these applies to you and your device is powered by an Allwinner SoC, you should probably wipe it and install an OS with the most recent kernel release. Why? Allwinner left a development “tool” in their ARM Linux kernel that allows anyone to root their devices with a single command. This oversight has serious security implications for any Allwinner-powered device, especially for those of us hosting sensitive data on them.
Security Oversight Puts Allwinner Users at Risk
Thankfully, this massive security flaw has been fixed as of Allwinner’s most recent mainline release. However, not all of the manufacturers using their processors are pushing the update, which for the most part leaves people without sufficient knowledge to do a manual update high and dry. This development is of particular concern in the Bitcoin ecosystem, where hosting nodes on single board computers and installing wallets on mobile devices have become increasingly popular. While the cryptographic system used on the better mobile wallets is arguably more secure than comparable mobile payment processing apps, single command root access is one of the nastier exploits available to the less honest elements on the web. Having an Internet-connected Linux device that is that easy to root is just asking for trouble, even if your private keys are not easily available to the intruder.
While no one should condone security flaws of this scale in their devices, there’s a lot of crying wolf going on at the moment. Before you throw out all of your Allwinner devices and convert all of your cryptos to paper cold storage, it’s important to understand that this type of “single command root” is not uncommon in ARM Linux kernels, as it makes developing for Android much more expedient. While Allwinner is certainly at fault for shipping a kernel with a single command root, it is unlikely that there was any malicious intent here. Someone just forgot to remove their development crutch before shipping the product. Security regressions like this are to be expected if you can’t easily build a kernel yourself for the device (or let the community do the same for you).
Note that this single command root is limited to Allwinner ARM devices without their most recent kernel; SoC devices like the Raspberry Pi or your Samsung smartphone are likely not affected, as they use other ARM SoCs. However, if you can’t build a custom kernel for your device without pulling firmware or other trickery, this same exploit could just as easily happen to your system, as you’re putting your trust in the manufacturer to keep their development hacks out of their retail products. That is something to consider when choosing the device and operating system for your next cryptocurrency node or wallet.
Thoughts on the state of security on ARM devices? Be sure to leave them in the comments!
Images courtesy of: Allwinner Technology, Wikimedia Commons