Google patches critical bug on Android Nexus 5X devices

The vulnerability, which Google has patched, could let attackers obtain the password for locked Nexus 5X devices and easily access device contents

Google's Android security team patched a critical vulnerability in the company's Nexus 5X devices which would have let attackers bypass the lockscreen. An attacker who successfully triggered the vulnerability would be able to obtain data stored on the device via a forced memory dump, according to researchers from the IBM's X-Force team.

An attacker with physical access to the device can easily steal data or perform other malicious activities. The most common recommendation to protect the device in case it falls into malicious hands is to lock the device with a strong passphrase, which requires the attacker to brute-force the lock before being able to do anything.

However, IBM X-Force researchers discovered an "undocumented" vulnerability in LG's Nexus 5X devices which would let attackers obtain the password to unlock the screen, which would have rendered the lockscreen advice worthless.

"The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked," wrote Roee Hay, application security research team leader at X-Force, in a post on the Security Intelligence blog disclosing the patched vulnerability. "Clearly such an ability would have been very appealing to thieves."

The flaw affects Nexus 5X devices running operating system images 6.0 MDA39E through 6.0.1 MMB29V, or bootloaders bhz10i/k. The first "non-vulnerable version" is MHC19J (bootloader bhz10m), released in March, according to IBM. There are currently no reports of exploits targeting this vulnerability in the wild.
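For an administrator who wants to check a fleet of Nexus 5X handsets against the versions named above, the following is an added example (not code from IBM X-Force, Google or the original article). It parses the `[key]: [value]` lines printed by `adb shell getprop` and classifies the bootloader string: bhz10i and bhz10k are the affected versions the article names, bhz10m is the first fixed one, and anything else is reported as unknown rather than guessed at. The sample getprop output embedded in the block is constructed; the `ro.bootloader` and `ro.product.model` property names are standard Android system properties.

```python
"""Classify a Nexus 5X by bootloader version against the fastboot 'oem panic'
memory-dump flaw, using the versions reported in the IBM X-Force disclosure."""

import re

# Bootloader versions the article lists as affected, and the first fixed one.
VULNERABLE_BOOTLOADERS = {"bhz10i", "bhz10k"}
FIXED_BOOTLOADERS = {"bhz10m"}

# 'adb shell getprop' prints one property per line as: [key]: [value]
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Constructed sample output, as an affected device would print it.
SAMPLE_GETPROP = """\
[ro.build.id]: [MMB29V]
[ro.build.version.release]: [6.0.1]
[ro.bootloader]: [bhz10k]
[ro.product.model]: [Nexus 5X]
"""


def parse_getprop(output: str) -> dict:
    """Turn getprop output into a {key: value} dict; malformed lines are skipped."""
    props = {}
    for line in output.splitlines():
        match = _PROP_RE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def assess(props: dict) -> str:
    """Return one of 'not-applicable', 'vulnerable', 'patched' or 'unknown'.

    Only the bootloader versions named in the disclosure are classified with
    confidence; build IDs are not compared because their letters do not sort
    chronologically (MHC19J is newer than MMB29V but sorts before it).
    """
    if props.get("ro.product.model") != "Nexus 5X":
        return "not-applicable"
    bootloader = props.get("ro.bootloader", "").strip().lower()
    if bootloader in VULNERABLE_BOOTLOADERS:
        return "vulnerable"
    if bootloader in FIXED_BOOTLOADERS:
        return "patched"
    return "unknown"


def assess_output(output: str) -> str:
    """Convenience wrapper: classify raw getprop output in one call."""
    return assess(parse_getprop(output))


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    print(props.get("ro.build.id"), props.get("ro.bootloader"), assess(props))
```

A device reporting a bootloader other than the three named versions comes back as `unknown`; that is deliberate, since the article gives no information about intermediate or later bootloader strings, and an inventory script should surface such devices for manual review rather than silently mark them safe.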

Non-Nexus 5X users appear to be unaffected. Google has addressed the vulnerability, and affected Nexus 5X devices should already have the fix. For once, it seems like not having the Nexus was the safer option.

Deceptively simple to execute

The attack relies on the Android Debug Bridge, a command-line tool used by Android developers to communicate with USB-connected Android devices. The attacker with physical access to the locked Nexus 5X would press the volume down button during device boot to enter fastboot mode, X-Force noted in its disclosure. This step doesn't require user authentication and uses ADB to access the device over USB. Typically, the fastboot mode doesn't allow any security-sensitive operation to execute on locked devices.

However, executing the fastboot oem panic command in fastboot mode over USB forces the Android bootloader to crash and "expose a serial-over-USB connection," researchers found. The attacker can obtain a full memory dump using Android OS developer tools such as QPST Configuration.

Somewhere in the memory dump is the device's lockscreen password in cleartext, which gives the attacker the key to unlocking the device.

"The password can be found on the fetched memory dump. Physical attackers can then successfully boot the platform, which further allows them to impersonate the user, access data stored on the device and more," Hay said.

An attacker can still exploit the vulnerability even without physical access to the device, either by infecting a developer's PC with malware or by compromising a charging station. In the latter case, when a vulnerable Nexus connects to the compromised charging station, the user would have to authorize the charger once connected. At that point, the malicious code would issue the adb reboot bootloader command over ADB while the device charges.

It's not clear at this point if the vulnerability was in LG's hardware, the way Android interacts with LG, or in Android itself. At the moment, the issue appears to be restricted to only the Nexus 5X devices with the specified Android images. But it reinforces the importance of having good security habits. Yes, turn on the screen lock.

This vulnerability is not an excuse to say "what's the point?" and stop locking the device. Don't get complacent, though. Instead of assuming that enabling the lockscreen is sufficient, continue being careful about where the device is so that it doesn't fall into wrong hands. Enable the remote wipe feature on Android so that if lost, the data saved on the device gets erased.

Good thing it was in the Nexus

Since Google handles the Android update cycle for Nexus devices directly and does not have to rely on manufacturers or carriers to prepare the patches, most Nexus 5X users will receive, or have already received, the fix. It's a good thing Google patched this vulnerability, but the issue again highlights the biggest problem with the Android ecosystem.

Thank goodness the flaw was in the Nexus 5X -- if IBM had uncovered the flaw in a non-Nexus device, Google would have patched the flaw as part of its Android Security Bulletin, but the fixes would have languished in carrier and manufacturer limbo. A year ago, when Google started releasing security fixes for Android on a monthly schedule, several mobile device manufacturers pledged to roll out the updates to users on a regular basis. The sad reality is that hasn't happened consistently across models, nor in a timely manner, for most devices in users' hands.

Nexus users and users updating their own devices with custom Android distributions (such as CyanogenMod) are the only ones benefiting from the Android Security Bulletins. It's a sad state of insecurity if we have to hope for a flaw such as this Nexus 5X vulnerability to be found across more devices and brands in order to finally get the Android update problem fixed once and for all.

Stories by Fahmida Y. Rashid