PINDROP BLOG

Details of Nexus 6 Bootloader Flaw Emerge

Details have emerged on one of the high-risk vulnerabilities that Google patched in last week's Android Nougat update: a bug that could allow an attacker to force a phone into a special boot mode, which in turn exposes extra interfaces and gives the attacker the ability to intercept calls and take other actions.

The vulnerability, tracked as CVE-2016-8467, affects Nexus 6 and 6P phones and lies in the Android bootloader. Security researchers at the IBM Security X-Force team, who discovered the flaw, say an attacker could use it to capture data passing to and from a target device and to determine the device's precise GPS location. The bug can be exploited through a malicious USB charger or through malware on a computer connected to the device. A successful exploit gives the attacker access to interfaces that normally aren't exposed over USB.

“These interfaces, notably the modem diagnostics interface, give attackers access to additional functionalities. This allows them to take over the Nexus 6 modem, thus compromising confidentiality and integrity. Access to the modem enables attackers to intercept phone calls, for example,” the X-Force analysis says.

“Furthermore, this level of access to the Nexus 6 modem allows attackers to find the exact GPS coordinates with detailed satellite information, place phone calls, steal call information and access or change nonvolatile (NV) items or the EFS partition.”

In order to exploit the vulnerability, the attacker needs physical access to the target device, which must have the Android Debug Bridge (ADB) interface enabled. Once the phone is connected to the malicious charger or PC, the victim has to approve the USB debugging authorization prompt for that host, at which point the attacker can send a specific set of commands.

“These commands will reboot the device with the special boot mode that enables the interfaces. Every future boot from this point forward will have the boot mode configuration enabled. This means the attack is persistent and no longer requires ADB to run, although it still requires USB access. Therefore, the attacker only needs the victim to enable ADB once,” the analysis says.

On the Nexus 6P, the same vulnerability has an additional consequence.

“The vulnerability in 6P enables the ADB interface even if it was disabled in the developer settings user interface (UI). With access to an ADB-authorized PC, a physical attacker could open an ADB session with the device and cause the ADB host running under the victim’s PC to RSA-sign the ADB authentication token even if the PC is locked,” the X-Force analysis says.

“Such an ADB connection would enable an attacker to install malware on the device. PC malware on an ADB-authorized machine might also exploit CVE-2016-8467 to enable ADB and install Android malware. The PC malware waits for the victim to place the device in the fastboot mode to exploit the vulnerability.”
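The two points above, that the altered boot mode survives every later reboot and that on the 6P it can bring up ADB even when the user turned it off, mean the compromise is visible at boot time rather than only while the malicious cable is attached. One practical check is to capture the device's system properties once from a known-good unit and compare later dumps against that baseline. The script below is an added example written for this post, not code from Pindrop or IBM X-Force. The property names (`ro.bootmode`, `sys.usb.config`, `persist.sys.usb.config`, `ro.debuggable`, `init.svc.adbd`) are real Android properties; the two getprop dumps it compares are constructed sample input, and the boot-mode value `example-diag` is a placeholder, not the real name of the diagnostic mode the researchers describe.

```shell
#!/bin/sh
# Added example for this article; not code from Pindrop or IBM X-Force.
# Idea: the attack described above changes how the phone boots, and the
# change persists across reboots, so boot-time system properties deviate
# from a known-good baseline of the same device model. In the field:
#   adb shell getprop > baseline.txt     (known-good device, captured once)
#   adb shell getprop > current.txt      (device under review)
# Property NAMES below are real Android properties; the VALUES in the two
# sample dumps are constructed for this offline run, not taken from a
# Nexus 6 or 6P.

# Properties worth watching. Assumption: this list is a starting point;
# extend it with whatever your own baseline shows to be boot-dependent.
WATCHED="ro.bootmode ro.debuggable sys.usb.config persist.sys.usb.config init.svc.adbd"

# prop_value FILE NAME: print the value recorded for NAME in a getprop dump.
# getprop prints lines like "[ro.bootmode]: [normal]"; splitting on the
# brackets puts the name in field 2 and the value in field 4.
prop_value() {
    awk -v name="$2" -F '[][]' '$2 == name { print $4; exit }' "$1"
}

# compare_props BASELINE CURRENT: print one line per watched property whose
# value differs; exit status 0 if all match, 1 if anything deviates.
compare_props() {
    rc=0
    for p in $WATCHED; do
        base=$(prop_value "$1" "$p")
        cur=$(prop_value "$2" "$p")
        if [ "$base" != "$cur" ]; then
            printf 'DEVIATION %s: baseline=[%s] current=[%s]\n' "$p" "$base" "$cur"
            rc=1
        fi
    done
    return "$rc"
}

# --- constructed sample input ------------------------------------------
BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT

# Known-good dump: normal boot, MTP only, not debuggable, adbd stopped.
cat > "$BASELINE" <<'EOF'
[ro.bootmode]: [normal]
[ro.debuggable]: [0]
[sys.usb.config]: [mtp]
[persist.sys.usb.config]: [mtp]
[init.svc.adbd]: [stopped]
EOF

# Dump from a device to review: the boot mode differs, extra USB functions
# and adbd are active, yet the persisted (user-chosen) USB configuration is
# still MTP only. "example-diag" is a placeholder, not the real mode name.
cat > "$CURRENT" <<'EOF'
[ro.bootmode]: [example-diag]
[ro.debuggable]: [0]
[sys.usb.config]: [mtp,diag,adb]
[persist.sys.usb.config]: [mtp]
[init.svc.adbd]: [running]
EOF

if compare_props "$BASELINE" "$CURRENT"; then
    echo "no deviations from baseline"
else
    echo "device deviates from baseline; inspect it before trusting it"
fi
```

The comparison is deliberately against a baseline rather than against hard-coded "good" values, because the normal boot-mode string and USB function list differ between device models and Android builds. A mismatch between `persist.sys.usb.config` (what the user chose) and `sys.usb.config` (what is actually active) is the kind of discrepancy the 6P finding implies, and it is worth alerting on by itself.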

Image: TechStage, CC BY-ND license