https://alephsecurity.com/2017/03/08/nexus9-fiq-debugger/
"This vulnerability has a very unusual attack vector – headphones. By exploiting this vulnerability we managed to leak stack canaries, derandomize ASLR, conduct a factory reset, and even access HBOOT, allowing for communication with internal System-on-Chips (SoCs) through I2C"
Class.
https://alephsecurity.com/vulns/aleph-2017009
The sensor communicates with the application processor via I2C bus #1, which also provides a firmware update interface. During the platform boot, the driver samples the SoC’s firmware’s version via chip address 0x5{c,d}, register 0x6. [...]It seems though that the firmware is not signed by Cypress, thus anyone having access to the I2C bus, can reflash the firmware of the SoC.
This is, er, impressive.
Mitigation is blocking access to I2C(!!!).
cynicalsecurity ->@bsd.network