Google's Android security team patched a critical vulnerability in the company's Nexus 5X devices which would have let attackers bypass the lockscreen. An attacker who successfully triggered the vulnerability would be able to obtain data stored on the device via a forced memory dump, according to researchers from the IBM's X-Force team.
An attacker with physical access to the device can easily steal data or perform other malicious activities. The most common recommendation to protect the device in case it falls into malicious hands is to lock the device with a strong passphrase, which requires the attacker to brute-force the lock before being able to do anything.
However, IBM X-Force researchers discovered an "undocumented" vulnerability in LG's Nexus 5X devices which would let attackers obtain the password to unlock the screen, which would have rendered the lockscreen advice worthless.
"The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked," wrote Roee Hay, application security research team leader at X-Force, in a post on the Security Intelligence blog disclosing the patched vulnerability. "Clearly such an ability would have been very appealing to thieves."
The flaw affects Nexus 5X devices with the operating system images 6.0 MDA39E to 6.0.1 MMB29V or running botloaders bhz10i/k. The first "non-vulnerable version" is MHC19J (bootloader bhz10m) released in March, according to IBM. There are currently no reports of exploits targeting this vulnerability in the wild.
Non-Nexus 5X users appear to be unaffected. Google has addressed the vulnerability, and affected Nexus 5X should already have the fix. For once, it seems like not having the Nexus was the safer option.
Deceptively simple to execute
The attack relies on the Android Debug Bridge, a command-line tool used by Android developers to communicate with USB-connected Android devices. The attacker with physical access to the locked Nexus 5X would press the volume down button during device boot to enter fastboot mode, X-Force noted in its disclosure. This step doesn't require user authentication and uses ADB to access the device over USB. Typically, the fastboot mode doesn't allow any security-sensitive operation to execute on locked devices.
However, executing the
fastboot oem panic command in fastboot mode over USB forces the Android bootloader to crash and "expose a serial-over-USB connection," researchers found. The attacker can obtain a full memory dump using Android OS developer tools such as QPST Configuration.
Somewhere in the memory dump is the device's lockscreen password in cleartext, which gives attacker the key to unlocking the device.
"The password can be found on the fetched memory dump. Physical attackers can then successfully boot the platform, which further allows them to impersonate the user, access data stored on the device and more," Hay said.
An attacker can still exploit the vulnerability even without having physical access to the device, by either infecting a developer's PC with malware or compromising a charging station. In the latter case, if a vulnerable Nexus connects to the compromised charging station, the user would have to authorize the charger once connected. At that point, the malicious code would issue the
adb reboot bootloader command to target ADB while charging.
It's not clear at this point if the vulnerability was in LG's hardware, the way Android interacts with LG, or in Android itself. At the moment, the issue appears to be restricted to only the Nexus 5X devices with the specified Android images. But it reinforces the importance of having good security habits. Yes, turn on the screen lock.
This vulnerability is not an excuse to say "what's the point?" and stop locking the device. Don't get complacent, though. Instead of assuming that enabling the lockscreen is sufficient, continue being careful about where the device is so that it doesn't fall into wrong hands. Enable the remote wipe feature on Android so that if lost, the data saved on the device gets erased.
Good thing it was in the Nexus
Since Google handles the Android update cycle for Nexus devices directly and does not have to rely on manufacturers or carriers to prepare the patches, most Nexus 5X users will receive, or have already received. It's a good thing Google patched this vulnerability, but the issue again highlights the biggest problem with the Android ecosystem.
Thank goodness the flaw was in the Nexus 5X -- if IBM had uncovered the flaw in a non-Nexus device, Google would have patched the flaw as part of its Android Security Bulletin, but the fixes would have languished in carrier and manufacturer limbo. A year ago, when Google started releasing security fixes for Android on a monthly schedule, several mobile device manufacturers pledged to roll out the updates to users on a regular basis. The sad reality is that hasn't happened consistently across models, nor in a timely manner, for most devices in users' hands.
Only Nexus users or users updating their own devices with custom Android distributions (such as CyanogenMod) are the only ones benefiting from the Android Security Bulletins. It's a sad state of insecurity if we have to hope for a flaw such as this Nexus 5X vulnerability to be found across more devices and brands in order to finally get the Android update problem fixed once and for all.