Google quietly patched a serious vulnerability in the Android image used on some Nexus devices that could allow an attacker to get full access to a device’s memory even while it was locked.
The bug could have been exploited by a remote attacker or someone who had physical access to a vulnerable device. Researchers from IBM’s X-Force team discovered the vulnerability several months ago and reported it to Google, who patched it in March. The issue affected some of the Android images on the Nexus 5X phone, which is sold by Google.
“The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked. Clearly such an ability would have been very appealing to thieves,” Roee Hay of the X-Force said in a post explaining the bug.
“The vulnerability could have been exploited by physical or nonphysical attackers with Android Debug Bridge (ADB) access to the device. A nonphysical attacker could gain ADB access by infecting an ADB-authorized developer’s PC with malware or by using malicious chargers targeting ADB-enabled devices. Using such chargers requires the victim to authorize the charger once connected.”
In order to exploit the vulnerability, an attacker with physical access to the Nexus device could press the volume down button during the boot process, which would put the phone into fastboot mode. A remote attacker with the necessary ADB access could accomplish the same thing by issuing the `adb reboot bootloader` command. Both methods expose a USB interface that isn’t meant to allow security-related operations to occur. But the X-Force researchers discovered that by issuing the `fastboot oem panic` command they could cause the bootloader to crash.
“The problem is that in the vulnerable versions of the bootloader, such a crash would cause the bootloader to expose a serial-over-USB connection, which would allow an attacker to obtain a full memory dump of the device using tools such as QPST Configuration. The resulting memory dump files would then be available under the attacker’s PC,” Hay said.
The vulnerability only affected Nexus 5X devices running Android 6.0 MDA89E through 6.0.1 MMB29V, Hay said.