Nexus devices

Google's automated over-the-air (OTA) update system has plugged a "high-risk" vulnerability that affected the Android bootloader on Nexus smartphones.

According to a report released today by IBM, the vulnerability allowed an attacker to reboot a device into a custom boot configuration that activated various USB and debug interfaces, giving the attacker control over various device features.

Attacks can be carried out via PC malware, malicious phone chargers

The entry point for these attacks can be malware installed on the user's PC or a malicious phone charger, but the victim must have the Android Debug Bridge (ADB) enabled on his device.

Despite this, IBM researchers say that the attacker can lie hidden, wait for the moment when the user turns on ADB, and spring the attack then.

This particular vulnerability, tracked as CVE-2016-8467, affects only Nexus 6 and Nexus 6P handsets and is triggered when the PC/charger malware sends commands to the phone's ADB, telling it to update the boot mode.

Attackers can intercept calls, track GPS on Nexus 6 devices

According to IBM's Roee Hay, the vulnerability can be used in different ways. For example, on Nexus 6 devices, the vulnerability allows attackers to turn on a USB interface that provides access to the phone's modem component.

This component handles voice calls and will let the attacker intercept private conversations. The modem also controls all the user's web traffic through his mobile connection, which the attacker can collect as well.

Last but not least, the same modem allows attackers to track the user's position by extracting GPS coordinates, and to alter nonvolatile (NV) items or the phone's EFS partition.

Attacker can send or intercept SMS messages on Nexus 6P devices

On Nexus 6P devices, attackers can't access the smartphone's modem diagnostics USB component. Nevertheless, researchers say that an attacker can use the same CVE-2016-8467 vulnerability against Nexus 6P devices to turn on the modem AT interface.

This interface allows attackers to send AT commands to the phone's modem, which in turn allow the attacker to send or intercept SMS messages.

Hay argues that CVE-2016-8467 would allow PC malware to reconfigure the boot sequence, alter phone settings via the debug interfaces or even deliver exploits that root the device and install malware behind the user's back, all in a matter of seconds.

Besides the possibility of using PC malware and malicious phone chargers, Hay said that an attacker with physical access to the device could take a Nexus phone, reboot it in fastboot mode, select BP-Tools or Factory, and then run the same commands the malware would run to achieve the same result.

Issues fixed as of Tuesday, January 3, 2017

IBM researchers notified Google of this issue last fall, and Google has released fixes for Nexus devices in the Android Security Bulletin for November 2016 (Nexus 6 devices) and January 2017 (Nexus 6P).

Because Google delivers security updates itself to all Nexus devices and doesn't rely on lazy mobile carriers, users only need to approve the latest Android update to be protected.

The first Android bootloader versions that protect against CVE-2016-8467 are 71.22 for Nexus 6 and 03.64 for Nexus 6P.
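As an added example (not from IBM's report or Google's bulletin), the Python sketch below triages a device inventory against the fixed bootloader versions named above and the ADB precondition described earlier. The record fields, the status labels and the assumption that a bootloader string ends in `major.minor` are illustrative, and the inventory is constructed sample data.

```python
import re

# First fixed bootloader versions stated in the article, keyed by model.
FIXED = {"Nexus 6": (71, 22), "Nexus 6P": (3, 64)}

def parse_version(bootloader):
    """Return (major, minor) from the end of a bootloader string, or None.

    Assumption: the string ends in 'major.minor', e.g. 'moto-apq8084-71.18'.
    """
    m = re.search(r"(\d+)\.(\d+)\s*$", bootloader or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(device):
    """Classify one inventory record for CVE-2016-8467 exposure."""
    fixed = FIXED.get(device.get("model"))
    if fixed is None:
        return "not-affected-model"   # article lists only Nexus 6 and 6P
    version = parse_version(device.get("bootloader"))
    if version is None:
        return "unknown-version"      # fail closed: needs manual review
    if version >= fixed:
        return "patched"
    # Unpatched. ADB must be enabled for the attack, but the article notes
    # an attacker can wait for that, so ADB-off devices are still flagged.
    if device.get("adb_enabled"):
        return "vulnerable-adb-on"
    return "vulnerable-adb-off"

def report(inventory):
    """Map device id -> triage status for every record."""
    return {d["id"]: triage(d) for d in inventory}

# Constructed sample inventory (hypothetical ids and field names).
INVENTORY = [
    {"id": "dev-01", "model": "Nexus 6", "bootloader": "moto-apq8084-71.18",
     "adb_enabled": True},
    {"id": "dev-02", "model": "Nexus 6", "bootloader": "moto-apq8084-71.22",
     "adb_enabled": True},
    {"id": "dev-03", "model": "Nexus 6P", "bootloader": "angler-03.54",
     "adb_enabled": False},
    {"id": "dev-04", "model": "Nexus 6P", "bootloader": "angler-03.64",
     "adb_enabled": False},
    {"id": "dev-05", "model": "Nexus 5X", "bootloader": "bhz11h",
     "adb_enabled": True},
    {"id": "dev-06", "model": "Nexus 6", "bootloader": "", "adb_enabled": True},
]

if __name__ == "__main__":
    for dev_id, status in report(INVENTORY).items():
        print(f"{dev_id}: {status}")
```

Devices reported as `vulnerable-adb-on` are the ones to update first; `unknown-version` records need their bootloader string checked by hand.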