A high-risk Android custom boot mode vulnerability was one of many bugs patched by Google as part of its January Android Security Bulletin released earlier this week. On Thursday, the IBM security team that discovered the vulnerability disclosed details about the flaw which leaves Nexus 6 and 6P model handsets open to denial of service and elevation of privilege attacks.
According to IBM’s X-Force Application Security Research Team, the vulnerability (CVE-2016-8467) allows an attacker to use PC malware or malicious chargers to reboot a Nexus 6 or 6P device and implement a special boot configuration, or boot mode, which instructs Android to turn on various extra USB interfaces.
Those interfaces, according to Roee Hay and Michael Goberman, co-authors of the report, can be used by the attacker to gain access to the phone’s modem diagnostics interface where the adversary can manipulate functionality of the modem.
Most likely vectors for this type attack, Hay said, is via a USB cord that connects a Nexus device to a PC infected with malware, a physical attacker gains access to the device, or when a phone is plugged into a malicious charger designed to perform a so-called juice-jacking attack.
Triggering the Android vulnerability isn’t difficult, according to X-Force. “The PC malware or malicious charger can boot the Nexus 6/6P device with the special boot mode configuration if Android Debug Bridge (ADB) is enabled on the device… Once connected, the victim must authorize the PC or charger on the device if it wasn’t permanently authorized before the attack,” Hay and Goberman wrote.
Next, the attackers can issue four commands (see right) to reboot the device with the special boot mode that enables access to the advanced modem interface. “Every future boot from this point forward will have the boot mode configuration enabled. This means the attack is persistent and no longer requires ADB to run, although it still requires USB access,” according to the researchers.
When asked if a wider range of Android devices are vulnerable to these type attacks, IBM said tests were limited to the Nexus family of devices. Neither Samsung nor LG‘s January security bulletins list the (CVE-2016-8467) vulnerability highlighted in the X-force report.
Once attackers gain access to the modem’s diagnostic settings they can be rejiggered to allow for the interception of Long-Term Evolution (LTE) data. With that type of access, adversaries can intercept phone calls, find the exact GPS coordinates of devices, place phone calls, steal call information and access or change nonvolatile items or the EFS partition, X-Force wrote in its report.
While this vulnerability impacts Nexus 6, other 6P models are affected to a lesser degree because the modem diagnostics are disabled in the modem’s firmware, which prohibits the nefarious activities, according to X-Force. However, X-Force said, the vulnerability in 6P enables the Android Debug Bridge interface even if it was disabled in the developer settings user interface.
“With access to an ADB-authorized PC, a physical attacker could open an ADB session with the device and cause the ADB host running under the victim’s PC to RSA-sign the ADB authentication token even if the PC is locked,” according to X-Force. “Such an ADB connection would enable an attacker to install malware on the device.”
Researchers also warned of additional USB interfaces that attackers can access, such as the modem AT interface – also vulnerable in Nexus 6. “By accessing that interface, an attacker can send or eavesdrop on SMS messages and potentially bypass two-factor authentication,” Hay and Goberman wrote.
According to Google, the vulnerability in the bootloader could enable both a denial of service condition and an elevation of privilege attack. In the case of the elevation of privilege attack, the threat is only rated as moderate “because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission).”
In their report Hay and Goberman also explain a second, less severe, vulnerability (CVE-2016-6678) impacting Nexus P, 6P models. The flaw is in the Motorola USBNet driver that could enable a local malicious application to access data outside of its permission levels. The issue was rated as moderate in the October Android Security Bulletin because it first requires compromising a privileged process, according to the Google bulletin.