Google's Android security team patched a critical vulnerability in the company's Nexus 5X devices which would have let attackers bypass the lockscreen. An attacker who successfully triggered the vulnerability would be able to obtain data stored on the device via a forced memory dump, according to researchers from the IBM's X-Force team.
An attacker with physical access to the device can easily steal data or perform other malicious activities. The most common recommendation to protect the device in case it falls into malicious hands is to lock the device with a strong passphrase, which requires the attacker to brute-force the lock before being able to do anything.
However, IBM X-Force researchers discovered an "undocumented" vulnerability in LG's Nexus 5X devices which would let attackers obtain the password to unlock the screen, which would have rendered the lockscreen advice worthless.
"The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked," wrote Roee Hay, application security research team leader at X-Force, in a post on the Security Intelligence blog disclosing the patched vulnerability. "Clearly such an ability would have been very appealing to thieves."
The flaw affects Nexus 5X devices with the operating system images 6.0 MDA39E to 6.0.1 MMB29V or running botloaders bhz10i/k. The first "non-vulnerable version" is MHC19J (bootloader bhz10m) released in March, according to IBM. There are currently no reports of exploits targeting this vulnerability in the wild.
Non-Nexus 5X users appear to be unaffected. Google has addressed the vulnerability, and affected Nexus 5X should already have the fix. For once, it seems like not having the Nexus was the safer option.
Deceptively simple to execute
The attack relies on the Android Debug Bridge, a command-line tool used by Android developers to communicate with USB-connected Android devices. The attacker with physical access to the locked Nexus 5X would press the volume down button during device boot to enter fastboot mode, X-Force noted in its disclosure. This step doesn't require user authentication and uses ADB to access the device over USB. Typically, the fastboot mode doesn't allow any security-sensitive operation to execute on locked devices.
However, executing the
fastboot oem panic command in fastboot mode over USB forces the Android bootloader to crash and "expose a serial-over-USB connection," researchers found. The attacker can obtain a full memory dump using Android OS developer tools such as QPST Configuration.
Somewhere in the memory dump is the device's lockscreen password in cleartext, which gives attacker the key to unlocking the device.
Sign up for Computerworld eNewsletters.