
Patched Android flaw a potential privacy headache for Nexus 6 and 6P owners

If left unaddressed, a recently patched Android vulnerability affecting Google and Motorola Mobility's Nexus 6 and Nexus 6P phablets can allow attackers to invade device owners' privacy and steal their information, according to an analysis report by IBM's X-Force Application Security Research Team.

In a recent blog post and corresponding report, IBM X-Force reported that adversaries can exploit the high-severity flaw, officially designated CVE-2017-8467, by first using PC malware or malicious chargers to reboot the device and then implementing a special “boot mode” configuration that causes the Android OS to turn on multiple extra USB interfaces. These interfaces, especially the "modem diagnostics" interface, give attackers access to powerful functionalities that essentially let them take over the Nexus 6 modem.

The reboot process is made possible by leveraging a debugging tool called Android Debug Bridge (ADB), which is also used by developers for sideloading Android application packages. Controlling the modem allows bad actors to intercept or place phone calls, sniff mobile data packets, steal call information and determine a device's exact GPS coordinates with detailed satellite information, IBM reported.

The 6P model phone isn't quite as vulnerable because it comes with its modem diagnostics disabled in the firmware. However, there are other available USB interfaces that allow attackers to send or spy on SMS messages and possibly bypass two-factor authentication, the report explains.

IBM X-Force also warned that attackers can use an ADB-authorized PC to open a connected ADB session on the 6P device and subsequently install malware. Google patched the Android flaw, classified as both a denial of service error and an elevation of privilege vulnerability in the bootloader, in its January update. According to Google, the DoS component of the flaw "could enable an attacker to cause a local permanent denial of service, which may require reflashing the operating system to repair the device."

UPDATE 1/13: The IBM X-Force Application Security Research Team also found a privilege vulnerability in the bootloader of OnePlus 3 phones running the customized Android operating system OxygenOS 4.0.1 and below. According to a Jan. 11 X-Force Exchange platform entry, an attacker with direct access to the device or remote access via an ADB connection can reboot the phone and change the settings of the SELinux Linux kernel security module, allowing the possibility of additional exploitation. IBM researcher Roee Hay is credited with discovering the vulnerability. A Jan. 12 report by XDA Developers states that OnePlus has given assurances that a fix is coming. XDA has reported that OnePlus 3T phones are also affected by the flaw, although these models were not specifically cited in the X-Force Exchange platform entry.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
