We Did a Security Audit of the BQ Aquaris X2 and it Failed

We obtained a BQ Aquaris X2 and put it through the same internal security audit that phones used for Sky ECC go through. Would this phone be acceptable for Sky ECC users? The answer is no. This phone failed our internal security audit and should never be trusted as a secure device.

No. 
The BQ Aquaris X2 did not pass our security audit.

The phone you choose has a very real impact on how secure you will be, regardless of how secure your app is. Some phones are more secure than others, and some are not secure at all. The BQ Aquaris X2 is not secure for a myriad of reasons. Here are the details on why this is the wrong choice to build a secure phone on.

BQ Aquaris X2 fails security audit

Our security experts purchased a BQ Aquaris X2 from a local distributor. It looked good out of the box:

[Photo: BQ Aquaris X2]

If only it looked as good “under the hood” as it does in that photo. Our team found flaws with:

  • Secure Boot implementation
  • Boot Warning screen
  • Emergency Download Mode
  • Build quality

Each of these flaws will be looked at in more detail below, but can be quickly summarized as:

The BQ Aquaris X2 is not secure, 
and is not an acceptable platform for a secure smartphone. 

We will never use it for Sky ECC and we don’t recommend using the phone for anything related to protecting your privacy or security. Using the budget-conscious BQ Aquaris X2 compromises your security before the phone is even turned on. Before we delve into the BQ Aquaris X2 itself, let’s put things in context and talk about mobile phone security in general.

How modern phone security works

Cell phones were not initially secure in the slightest way: 

  • Data was stored and sent in the open without encryption
  • Calls could easily be eavesdropped on
  • Other exploits existed at an advanced level that we couldn’t have known then

We protect against these flaws now, or at least a secure phone has security features which do. Most people think passwords are the best way to protect devices, but what if the device you held was not truly the device you thought it was and your passwords didn’t matter? What if regardless of your password use, your private data could be sent off the phone without you knowing?

Ever heard of flashing custom software (ROM or Kernel) to a mobile device? 

Most are unaware of this problem and believe that the phone is secure right out of the box. Flashing the ROM or Kernel changes the core software on the phone to use someone else’s software, and can even be done maliciously at the factory before it reaches you. 

What if this custom software exists on your device, compromising the security from the start, but it still looked like the real deal from your favorite vendor? How would you ever know it was compromised?

You wouldn’t.

This is the worst, but not the only, flaw of the BQ Aquaris X2’s security failures. We’ll explore them in depth below.

Modern smartphone security starts when you turn it on

Companies like Google are making mobile devices more secure than ever with their Titan M Chip, an important Secure Element (SE). 

Not all phones have this cutting-edge technology. Many “bleed information” in comparison to Google’s own devices and implementation of Android, and the verified boot sequence is in the hands of the vendor. This boot sequence was in the hands of BQ and they failed to implement it properly.

Secure boot

Before the phone’s logo appears on the startup screen, a sequence of events occurs, illustrated in this flowchart:

This is how a mobile phone using Android chips, such as the BQ Aquaris X2, starts.

Only the Primary Boot Loader (PBL) is designed by the chip manufacturer. The Secondary Boot Loader (SBL) and everything after it are both designed and flashed to the device by each manufacturer, making it less secure than a dedicated Google product. This is unfortunately the case with the X2, and it’s made worse with further complications. The software loaded by the Secondary Boot Loader could possibly be flawed and dangerous.

Implementation of Secure boot

Since Android 8, Google has had Android Verified Boot 2.0, which allows vendors to verify their own images with digital signatures; unless the signatures match up, the phone won’t boot. If the vendor unlocks the boot loader and skips verification, the device should notify the user about the change when booting. The message letting the user know the security of the device cannot be trusted looks like this:

We tested this on a Google Pixel 3, which we use for Sky ECC, and it performed as designed and gave us the warning above. Passing this test is essential for any device to meet our zero-trust security policy. The Google Pixel 3 passed our security audit and is available for purchase in our store on all Sky ECC plans.
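
The boot warning can be cross-checked against the boot state the device itself reports. The following is an added example, not part of the original audit or Sky ECC's tooling: it parses `adb shell getprop` output and maps the standard Android Verified Boot properties to whether a warning screen should have appeared. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `adb shell getprop` output (illustrative values, not
# taken from the audit): a device whose bootloader is unlocked.
SAMPLE_GETPROP = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.veritymode]: [enforcing]
"""

# Android Verified Boot states: (meaning, must the bootloader warn the user?)
BOOT_STATES = {
    "green":  ("locked, image verified with the vendor's key", False),
    "yellow": ("locked, image verified with a user-installed key", True),
    "orange": ("bootloader unlocked, image not verified", True),
    "red":    ("locked, verification failed", True),
}
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    matches = (PROP_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def audit_boot_state(props):
    """Return (state, warning_expected, findings) for a parsed property set."""
    findings = []
    state = props.get("ro.boot.verifiedbootstate", "").lower()
    if state not in BOOT_STATES:
        return None, True, ["verified boot state missing or unknown"]
    description, warning_expected = BOOT_STATES[state]
    findings.append(f"{state}: {description}")
    unlocked = (props.get("ro.boot.flash.locked") == "0"
                or props.get("ro.boot.vbmeta.device_state") == "unlocked")
    # A 'green' report from an unlocked device contradicts itself.
    if state == "green" and unlocked:
        findings.append("inconsistent: green state but bootloader unlocked")
        warning_expected = True
    if props.get("ro.boot.veritymode") not in (None, "enforcing"):
        findings.append("dm-verity is not enforcing")
    return state, warning_expected, findings


if __name__ == "__main__":
    print(audit_boot_state(parse_getprop(SAMPLE_GETPROP)))
```

These properties are set by the bootloader, so on a device whose boot chain has been replaced they show only what that software chooses to report. Compare the result with the warning screen actually observed at boot.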

BQ Aquaris X2 fails secure boot security audit

The BQ Aquaris X2 did not perform as the (properly functioning) Pixel 3 did above. The X2 we tested shipped with the warning as optional instead of mandated. The vendor, BQ, chose not to include the functionality. Without this warning how would you know if the software running on your device is legitimate? 

The secure boot sequence is no longer in place, 
failing the BQ Aquaris X2’s security audit before we even started using it.

You may wonder: how could anyone upload firmware to my device without my password if the device was still OEM locked? That leads us to another security issue that is related to chipsets…

Emergency Download Mode

The boot sequence diagram had EDL boxes, for Emergency Download Mode. EDL mode:

  • Allows files to be pushed to the device if it is bricked in the event of a disaster.
  • Requires authentication to use.

This sounds good until…wait, BQ either leaked or released their authentication file to the public allowing anyone to modify core, essential software on these phones. Convenient, perhaps. Safe? Not in the least. There are known instances of rogue devices in the wild running unsigned images created by questionable parties.

Because of the way BQ disabled core boot protections and security, these potentially malicious files could find their way onto your device and you’d never know.

That is not good. Very not good.
This alone is an instant fail for our security audit.

The flowchart shows that EDL is the first step in the sequence, and that it can load on demand or on error. This means anyone can modify the software that controls the most crucial and basic parts of the phone. Once a device authentication file is released there is no turning back, meaning the X2 can never be made secure.

With the BQ Aquaris X2 we now have a combination of:

  • A device that is supposed to be “secure” where any user can push their own custom, possibly malicious, software to the device (potentially removing any security from the device)
  • Anyone can downgrade the firmware on the phone to execute known exploits (aka Kernel rollback, something all Sky ECC-approved devices protect against)
  • It’s possible to extract content from the phone because protections that secure data on the phone have been disabled, weakened, or removed
  • Malicious content can be added without wiping any content from the device 

All of these flaws exist because BQ made changes to secure boot for some unknown reason. Worse, there are no warnings from BQ about these “changes”. People assume the phone they buy supports the most basic security. The foundation. The bare bones of protection. The BQ Aquaris X2 does not.

BQ Aquaris X2 fails Sky ECC security audit

The bottom line is the BQ device we tested failed the most basic security tests. We set a high bar for Sky ECC devices, and many fail our security audit. For the most part, though, they could still be good phones.

However, the BQ failed so spectacularly
we don’t even recommend it as an everyday phone

Build quality issues with the BQ Aquaris X2

Security isn’t the only aspect where the BQ Aquaris X2 failed to meet our standards. The budget phone uses cheaper manufacturing practices to keep costs low, compared to the Google, Apple, and BlackBerry phones we use. It doesn’t meet our standards for the premium secure phones we want to sell to customers in these ways:

  • Large bezel: Modern phones are moving to a bezel-less design so that all you see on the front is what we call usable surface percentage. The X2 has a poor usable surface percentage at 75% compared to premium phones we offer in our store like the iPhone 11 Pro Max at 84%, or even the low-end iPhone XR at 80%.
  • Lower ratings: The BQ Aquaris X2 doesn’t meet the quality standards of even the cheapest iPhone in battery life, design, camera, connection strength, and more.
  • Cost-cutting on high-end model: They took the low-end model, swapped a polycarbonate back for a glass back, and upgraded the internals to make their “high-end” model. The difference between the high and low-end models is so minuscule they should have made one model.
  • Sound issues: The dual speakers have an issue with distorting and can sound thin, which is rare with dual speaker phones. This is another budget-conscious cut with lower quality speakers.
  • Camera issues: The rear-facing camera has a lower bitrate for video than higher quality phones (30MB versus 40MB), leading to grainy/blurry video when shooting action or moving subjects. The front-facing camera has poor stabilization, leading to very shaky selfie videos.
  • Accessories: Finding cases, screen covers, and other accessories for BQ phones is next to impossible due to it having few users.

All of these issues are fine for a budget-friendly phone, but are not what people expect when they buy a premium, secure smartphone. If you’re paying top-dollar for a secure smartphone you expect top-dollar features and build quality, but the BQ Aquaris X2 fails in this regard as well.

The BQ Aquaris X2 cannot be a secure smartphone

The BQ Aquaris X2 failed the security audit that we do for all of our phones—and failed the moment we turned it on. The X2 failed to meet the standards of our security audit in a number of ways:

  • Secure Boot implementation bypassed
  • Boot Warning screen disabled
  • Emergency Download Mode open to the world

These alone made it impossible for us to choose it for Sky ECC. Even with our advanced app security features, we could never trust the device itself. Compounding the security issues was its low-quality build:

  • Glass case on high-end model can shatter
  • Cost-cutting on high-end model making it not really high-end
  • Large bezel makes for poor body-to-screen ratio
  • Speakers distort and sound thin
  • Camera bit rates are low, leading to grainy videos
  • Accessories are difficult to find

Its lower build quality is fine if you want a lower-end, cheap phone, but its spectacularly failed security audit makes it not even well suited to casual use. For Sky ECC customers, and those who want a premium product with the best security available on the market, this is not a phone to build your secure messaging platform on.

Note: Significant contributions were made to this piece by Sky ECC’s penetration tester Andrew Fabbro, and we thank him for his time.
