Google Patches Android Custom Boot Mode Vulnerability

A high-risk Android custom boot mode vulnerability was one of many bugs patched by Google as part of its January Android Security Bulletin released earlier this week. On Thursday, the IBM security team that discovered the vulnerability disclosed details of the flaw, which leaves Nexus 6 and 6P model handsets open to denial of service and elevation of privilege attacks.
According to IBM’s X-Force Application Security Research Team, the vulnerability (CVE-2016-8467) allows an attacker to use PC malware or malicious chargers to reboot a Nexus 6 or 6P device and implement a special boot configuration, or boot mode, which instructs Android to turn on various extra USB interfaces.
Those interfaces, according to Roee Hay and Michael Goberman, co-authors of the report, can be used by the attacker to gain access to the phone’s modem diagnostics interface where the adversary can manipulate functionality of the modem.
The most likely vectors for this type of attack, Hay said, are a USB cord that connects a Nexus device to a PC infected with malware, a physical attacker who gains access to the device, or a phone plugged into a malicious charger designed to perform a so-called juice-jacking attack.
Triggering the Android vulnerability isn’t difficult, according to X-Force. “The PC malware or malicious charger can boot the Nexus 6/6P device with the special boot mode configuration if Android Debug Bridge (ADB) is enabled on the device… Once connected, the victim must authorize the PC or charger on the device if it wasn’t permanently authorized before the attack,” Hay and Goberman wrote.
Next, the attackers can issue four commands to reboot the device with the special boot mode that enables access to the advanced modem interface. “Every future boot from this point forward will have the boot mode configuration enabled. This means the attack is persistent and no longer requires ADB to run, although it still requires USB access,” according to the researchers.
When asked whether a wider range of Android devices is vulnerable to this type of attack, IBM said tests were limited to the Nexus family of devices. Neither Samsung's nor LG's January security bulletins list the vulnerability (CVE-2016-8467) highlighted in the X-Force report.
Once attackers gain access to the modem’s diagnostic settings they can be rejiggered to allow for the interception of Long-Term Evolution (LTE) data. With that type of access, adversaries can intercept phone calls, find the exact GPS coordinates of devices, place phone calls, steal call information and access or change nonvolatile items or the EFS partition, X-Force wrote in its report.
While this vulnerability fully impacts the Nexus 6, the Nexus 6P is affected to a lesser degree because the modem diagnostics are disabled in the modem’s firmware, which prevents the nefarious activities, according to X-Force. However, X-Force said, the vulnerability on the 6P enables the Android Debug Bridge interface even if it was disabled in the developer settings user interface.
“With access to an ADB-authorized PC, a physical attacker could open an ADB session with the device and cause the ADB host running under the victim’s PC to RSA-sign the ADB authentication token even if the PC is locked,” according to X-Force. “Such an ADB connection would enable an attacker to install malware on the device.”
Researchers also warned of additional USB interfaces that attackers can access, such as the modem AT interface – also vulnerable in Nexus 6. “By accessing that interface, an attacker can send or eavesdrop on SMS messages and potentially bypass two-factor authentication,” Hay and Goberman wrote.
According to Google, the vulnerability in the bootloader could enable both a denial of service condition and an elevation of privilege attack. In the case of the elevation of privilege attack, the threat is only rated as moderate “because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission).”
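The two facts above that matter most to a defender are that the fix shipped in the January 2017 Android Security Bulletin and that the first malicious reboot needs ADB enabled on the handset. The following triage helper is an added example, not code from the article or from IBM X-Force: it parses the text of `adb shell getprop` and `adb shell settings get global adb_enabled` (both real commands), flags a Nexus 6/6P whose reported security patch level predates January 2017, and flags USB debugging being on. The sample outputs are constructed, and the January 2017 threshold is an assumption taken from the bulletin date rather than from a specific patch-level string on the page.

```python
"""Triage helper (added example): is a Nexus 6 / 6P still exposed to the
custom boot mode issue (CVE-2016-8467) and does it meet the ADB precondition?

Inputs are the raw text of two real adb commands; sample outputs below are
constructed so the script runs offline.
"""
import re
from datetime import date

# Assumption: any device reporting a patch level before this date has not
# received the January 2017 bulletin that carried the fix.
JANUARY_2017_PATCH_LEVEL = date(2017, 1, 1)
AFFECTED_MODELS = ("Nexus 6", "Nexus 6P")

# Constructed sample of `adb shell getprop` (only relevant lines shown).
SAMPLE_GETPROP_UNPATCHED = """\
[ro.product.model]: [Nexus 6P]
[ro.build.version.release]: [7.1.1]
[ro.build.version.security_patch]: [2016-12-05]
"""
SAMPLE_GETPROP_PATCHED = """\
[ro.product.model]: [Nexus 6]
[ro.build.version.release]: [7.1.1]
[ro.build.version.security_patch]: [2017-01-05]
"""
# Constructed sample of `adb shell settings get global adb_enabled`.
SAMPLE_ADB_ON = "1\n"
SAMPLE_ADB_OFF = "0\n"


def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M):
        props[m.group(1)] = m.group(2)
    return props


def patch_level(props):
    """Return the security patch level as a date, or None if absent/garbled."""
    try:
        return date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return None


def assess(getprop_text, adb_enabled_text):
    """Combine model, patch level and ADB state into a list of findings."""
    props = parse_getprop(getprop_text)
    model = props.get("ro.product.model", "")
    level = patch_level(props)
    patched = level is not None and level >= JANUARY_2017_PATCH_LEVEL
    adb_on = adb_enabled_text.strip() == "1"

    findings = []
    if model in AFFECTED_MODELS and not patched:
        findings.append(
            f"{model} at patch level {level}: January 2017 bulletin "
            "(CVE-2016-8467) not applied"
        )
    if adb_on:
        findings.append(
            "USB debugging enabled: ADB precondition for the initial "
            "boot-mode change is met; review authorized PCs and revoke "
            "stale USB debugging authorizations"
        )
    return {
        "model": model,
        "patch_level": level,
        "patched": patched,
        "adb_enabled": adb_on,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, gp, adb in (
        ("unpatched 6P, ADB on", SAMPLE_GETPROP_UNPATCHED, SAMPLE_ADB_ON),
        ("patched 6, ADB off", SAMPLE_GETPROP_PATCHED, SAMPLE_ADB_OFF),
    ):
        result = assess(gp, adb)
        print(label, "->", result["findings"] or ["no findings"])
```

In a fleet setting the two command outputs would be collected per device over an already-authorized ADB session or from MDM inventory; the check itself is deliberately read-only and does not touch the bootloader.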
In their report Hay and Goberman also explain a second, less severe vulnerability (CVE-2016-6678) impacting Nexus 6 and 6P models. The flaw is in the Motorola USBNet driver and could enable a local malicious application to access data outside of its permission levels. The issue was rated as moderate in the October Android Security Bulletin because it first requires compromising a privileged process, according to the Google bulletin.