A vulnerability addressed in Google’s January 2017 Android security bulletin is a denial of service (DoS) flaw in the bootloader of the Nexus 6 and 6P that lets an attacker force the devices into custom boot modes, IBM security researchers reveal.
Tracked as CVE-2016-8467 and discovered by Roee Hay and Michael Goberman of IBM Security X-Force, the vulnerability allows an attacker to use either PC malware or a malicious charger to reboot the targeted smartphone and then apply a special boot configuration, or boot mode. That boot mode instructs Android to enable extra USB interfaces that are normally switched off, the security researchers explain.
In the security advisory published on Tuesday to detail the new set of patches, Google explains that the denial of service vulnerability could “enable an attacker to cause a local permanent denial of service, which may require reflashing the operating system to repair the device.”
What’s more, Google also refers to this flaw as an elevation of privilege (EoP) issue, explaining that it “could enable a local attacker to execute arbitrary modem commands on the device.” The DoS issue is rated High because it can leave the device unusable until the operating system is reflashed, while the EoP bug is rated Moderate because it is a local bypass of user interaction requirements.
According to IBM, one of the extra USB interfaces an attacker can enable is the modem diagnostics interface, which exposes additional functionality and allows the attacker to take over the Nexus 6 modem, “thus compromising confidentiality and integrity.” Among other things, the attacker would be able to intercept phone calls, the security researchers say.
Provided that Android Debug Bridge (ADB) is enabled on the device, the attacker can use PC malware or a malicious charger to boot the Nexus 6/6P with the special boot mode configuration. Once the computer or charger has been authorized on the device, a step that requires the user to accept the ADB authorization prompt, the attacker can simply issue a series of commands to reboot the device into the special boot mode in which the extra interfaces are enabled.
“Every future boot from this point forward will have the boot mode configuration enabled. This means the attack is persistent and no longer requires ADB to run, although it still requires USB access. Therefore, the attacker only needs the victim to enable ADB once. Moreover, a lucky attacker might wait for the device to be in fastboot mode, which requires no authorization from the victim. This, however, is less likely,” the security researchers explain.
An attacker with physical access to the device can also reboot it into fastboot mode and select BP-Tools or Factory from the bootloader menu to change the boot mode configuration, IBM explains.
On the Nexus 6P, modem diagnostics are disabled in the modem’s firmware, which makes the vulnerability less impactful. However, the attacker could still reach other USB interfaces, such as the modem AT interface, which would allow them to send or eavesdrop on SMS messages and potentially bypass two-factor authentication, the researchers say. The AT interface would also expose phone call information and allow various radio settings to be changed.
“The vulnerability in 6P enables the ADB interface even if it was disabled in the developer settings user interface (UI). With access to an ADB-authorized PC, a physical attacker could open an ADB session with the device and cause the ADB host running under the victim’s PC to RSA-sign the ADB authentication token even if the PC is locked,” IBM explains.
An ADB session obtained this way would let the attacker install malware on the device. Alternatively, PC malware could exploit CVE-2016-8467 to enable ADB and install Android malware, but in that case the victim would first have to place the device in fastboot mode.
“Google assigned a high level of severity to CVE-2016-8467 and mitigated it by forbidding a locked bootloader to boot with the dangerous boot modes. The first secure bootloader version of Nexus 6 is 71.22, released in the November 2016 Android Security Bulletin. The first secure bootloader version of Nexus 6P is 03.64, which was released as part of the January 2017 bulletin,” IBM notes.
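A practical check that follows from the fixed versions IBM cites is to read the bootloader version a device reports over fastboot and compare it with the first fixed release for that model. The C program below is an added example, not code from IBM, Google or the bulletins; it assumes the input is the line printed by `fastboot getvar version-bootloader`, and the product prefixes in the constructed sample lines ("moto-apq8084-" for the Nexus 6, "angler-" for the Nexus 6P) are an assumption about that output format.

```c
/*
 * Added example (not from the IBM write-up or the Android bulletins): decide
 * whether a Nexus 6 or Nexus 6P bootloader is at or past the first version
 * that refuses to boot a locked device into the dangerous boot modes
 * (71.22 for the Nexus 6, 03.64 for the Nexus 6P, as quoted above).
 * Assumption: the input is the "version-bootloader: <product>-<MAJ>.<MIN>"
 * line printed by `fastboot getvar version-bootloader`.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fixed_version {
    const char *name;
    int major;
    int minor;
};

/* First fixed bootloader versions, taken from the text above. */
static const struct fixed_version NEXUS6  = { "Nexus 6",  71, 22 };
static const struct fixed_version NEXUS6P = { "Nexus 6P",  3, 64 };

/* Parse MAJOR.MINOR from the last '-'-separated token of a getvar line.
 * Returns 1 on success, 0 if the line does not carry a parsable version. */
static int parse_bootloader_version(const char *line, int *major, int *minor)
{
    const char *p = strstr(line, "version-bootloader:");
    if (!p)
        return 0;
    p += strlen("version-bootloader:");

    const char *dash = strrchr(p, '-');      /* version follows the last dash */
    const char *ver = dash ? dash + 1 : p;
    while (*ver == ' ')
        ver++;

    char *end;
    long maj = strtol(ver, &end, 10);
    if (end == ver || *end != '.')
        return 0;
    const char *minstart = end + 1;
    long min = strtol(minstart, &end, 10);
    if (end == minstart)
        return 0;

    *major = (int)maj;
    *minor = (int)min;
    return 1;
}

/* 1 = at or above the fixed version, 0 = still vulnerable, -1 = unparsable. */
static int bootloader_is_fixed(const char *line, const struct fixed_version *fix)
{
    int maj, min;
    if (!parse_bootloader_version(line, &maj, &min))
        return -1;
    if (maj != fix->major)
        return maj > fix->major;
    return min >= fix->minor;
}

int main(void)
{
    /* Constructed sample lines; the product prefixes are assumptions. */
    const char *samples[] = {
        "version-bootloader: moto-apq8084-71.15",
        "version-bootloader: moto-apq8084-71.22",
        "version-bootloader: angler-03.58",
        "version-bootloader: angler-03.64",
    };
    const struct fixed_version *fix[] = { &NEXUS6, &NEXUS6, &NEXUS6P, &NEXUS6P };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = bootloader_is_fixed(samples[i], fix[i]);
        printf("%-8s %-40s -> %s\n", fix[i]->name, samples[i],
               r < 0 ? "unparsable" : r ? "fixed" : "VULNERABLE (CVE-2016-8467)");
    }
    return 0;
}
```

The comparison is numeric on the major and minor fields rather than a string compare, so a later release such as 72.01 is correctly treated as fixed even though it sorts before "71.22" lexically in some schemes.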
Another USB interface that the custom boot mode enables on the Nexus 6, a USB Ethernet interface backed by the f_usbnet driver, was found to allow some exfiltration of network traffic. The security researchers also found a vulnerability in the f_usbnet driver itself, where “4–5 bytes of uninitialized kernel data are padded to every Ethernet frame carried over USB.”
Identified as CVE-2016-6678, the bug was patched in October 2016. According to IBM researchers, the leaked bytes could contain sensitive kernel data and help an attacker compromise the system further.
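To show why a few bytes of padding matter, the C program below models the defect class in user space: a transmit buffer is reused across frames, and the vulnerable builder extends each frame past the payload without writing the extra bytes, so whatever the buffer previously held goes out on the wire. This is an added example, not the f_usbnet driver's code or IBM's; the padding rule (4 trailing bytes, plus one more when the frame length would be a multiple of a 64-byte USB packet) is an illustrative assumption chosen to reproduce the 4–5 byte count quoted above, and the 0xAA fill stands in for stale kernel memory.

```c
/*
 * Added example, not code from the f_usbnet driver or from IBM: a user-space
 * model of uninitialized padding leaking into USB Ethernet frames.
 * Assumed padding rule: 4 trailing bytes are reserved but never written,
 * plus 1 byte when the result would be a multiple of USB_MAXPKT (to avoid a
 * zero-length USB packet). The driver's real rule is not shown on this page.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_MAXPKT 64          /* assumed bulk endpoint packet size */
#define TRAILER    4           /* assumed reserved trailer length    */
#define BUF_SIZE   256

/* Bytes handed to the USB layer for a payload of `len` bytes. */
static size_t wire_len(size_t len)
{
    size_t total = len + TRAILER;
    if (total % USB_MAXPKT == 0)
        total++;               /* ZLP avoidance byte: 4 becomes 5 */
    return total;
}

/* Vulnerable: the length is extended but the pad region is never written,
 * like growing an skb without clearing the new tail. */
static size_t build_frame_vulnerable(uint8_t *buf, const uint8_t *payload, size_t len)
{
    memcpy(buf, payload, len);
    return wire_len(len);
}

/* Fixed: every byte the host will see is written before the frame leaves. */
static size_t build_frame_fixed(uint8_t *buf, const uint8_t *payload, size_t len)
{
    memcpy(buf, payload, len);
    size_t total = wire_len(len);
    memset(buf + len, 0, total - len);
    return total;
}

/* Count bytes in the pad region [len, total) that still carry `stale`. */
static size_t stale_bytes(const uint8_t *buf, size_t len, size_t total, uint8_t stale)
{
    size_t n = 0;
    for (size_t i = len; i < total; i++)
        n += (buf[i] == stale);
    return n;
}

/* Build one frame of `len` payload bytes on a "dirty" buffer and return how
 * many stale bytes the host would receive. use_fix selects the builder. */
static size_t leaked_bytes(int use_fix, size_t len)
{
    uint8_t buf[BUF_SIZE];
    uint8_t payload[BUF_SIZE];
    memset(buf, 0xAA, sizeof buf);        /* constructed stand-in for old kernel data */
    memset(payload, 0x11, sizeof payload);

    size_t total = use_fix ? build_frame_fixed(buf, payload, len)
                           : build_frame_vulnerable(buf, payload, len);
    return stale_bytes(buf, len, total, 0xAA);
}

int main(void)
{
    size_t lens[] = { 20, 60, 100 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("payload %3zu bytes: vulnerable leaks %zu, fixed leaks %zu\n",
               lens[i], leaked_bytes(0, lens[i]), leaked_bytes(1, lens[i]));
    return 0;
}
```

On a real device the stale bytes are not a fixed pattern but whatever the kernel last placed in that memory, which is why a host on the USB side can harvest them frame by frame; the fix is simply to zero the tail before the frame is queued.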