Google’s Android security team has patched a vulnerability that left Nexus 5X devices open to attack even if the phone’s screen was locked. The vulnerability in Google’s line of phones would have allowed an adversary to exfiltrate data from the targeted phone via a forced memory dump of the device. Researchers at IBM’s X-Force Application Security Research Team discovered the flaw several months ago and worked with Google on a patch that was deployed recently. Disclosure of the vulnerability was shared by IBM’s X-Force team on Thursday.
According to X-Force, the vulnerability was “undocumented” and is tied to LG manufactured Nexus 5X’s Android running OS images 6.0 MDA39E through 6.0.1 MMB29V or running bootloaders bhz10i/k. Researchers said it is unaware of known public exploits of this vulnerability. “The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked,” according Roee Hay, application security research team leader at X-Force. Using Android OS developer tools, attackers can sift through memory dump data and retrieve the device’s lock-screen password. The forced memory dump data was accomplished either via physical or nonphysical access to the Nexus 5X phones via an Android Debug Bridge (ADB), which is a command line tool used by Android developers to communicate with USB connected Android devices. An adversary would leverage Android’s ADB function to execute a “fastboot oem panic” command. This opens the door for an attacker to cause the Android “bootloader to expose a serial-over-USB connection, which would allow an attacker to obtain a full memory dump of the device using tools such as QPST Configuration,” Hay explains in a post detailing the vulnerability. The resulting memory dump of files would then be available for local (USB attached PC) retrieval. With physical access to the locked Nexus phone, an attacker would first press the device’s volume down button during device boot which puts the phone into “fastboot mode.” This step does not require user authentication and opens up access to the phone via the Android OS’ USB interface. Next, an attacker would then be able issue a “fastboot oem panic” command via the “fastboot mode” USB interface and the bootloader would be forced to crash and cause a full memory dump of the device’s data. Now an attacker could use the developer tool QPST Configuration to access memory dump data, according to Hay. Within that memory dump data is the device’s password in cleartext. “The password can be found on the fetched memory dump. Physical attackers can then successfully boot the platform, which further allows them to impersonate the user, access data stored on the device and more,” Hay said. An adversary without physical access to the targeted Nexus 5X devices is a bit more complicated, requiring an attacker to gain ADB access by infecting an ADB-authorized developer’s PC with malware, according to X-Force researchers. Another attack vector for remote exfiltration could be using a malicious charger that targets ADB-enabled devices, according to X-Force.