Google recently shut down the boot mode vulnerability in Android that allowed hackers to eavesdrop on calls. Can you explain how this exploit works?
It takes a few steps for the boot mode vulnerability exploit to work. First, the attacker infects a PC with malware through the internet. Then, the attacker waits for the victim to enable Android Debug Bridge (ADB) after manually connecting his Nexus 6 or 6P phone to the infected PC.
ADB is a command-line utility that is included with Google's Android SDK. The victim can use ADB to control his device over USB from a PC, copy files back and forth, and install and uninstall apps -- including fingerprint sensor apps. If the victim is also a developer, he can use it to load Android application packages onto his device.
After the victim enables ADB, the attacker uses the infected PC to install malware on the device. That malware then waits for the victim to reboot the device into fastboot mode, at which point it exploits an elevation of privilege vulnerability in the bootloader.
This severe boot mode vulnerability allows an attacker to execute modem commands on the device. By turning on extra USB interfaces, the attacker can eavesdrop on calls, intercept data packets and get the GPS coordinates of where the calls were made.
Even if the victim later disables ADB, the attacker can access the locked PC and open an ADB session with the device, so the ADB host runs through the victim's PC.
Although the newer 6P phone had its modem diagnostics disabled in the firmware, the attacker can still seize control of the modem interfaces. The attacker can use the interfaces to send or eavesdrop on SMS messages and, possibly, to bypass two-factor authentication.
The Android boot mode vulnerability was patched by Google earlier this year, so it shouldn't affect most enterprise users as long as they regularly update their devices.
A second, more moderate boot mode vulnerability (CVE-2016-6678) was in the Motorola USBNet driver, which allowed a malicious application to grab data on both Nexus phones. Google patched this moderate vulnerability in October.
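As an added, defender-side example (not code from the original Q&A, Google or Motorola), the script below parses the output of `adb shell getprop` from a managed device and flags the conditions the answer ties to this exploit chain: an affected Nexus model below a minimum security patch level, USB debugging left enabled, and an unlocked bootloader. The property names are standard Android system properties; the patch-level threshold and the sample `getprop` output are assumptions constructed for the example.

```python
"""Flag Android devices exposed to the boot mode / ADB exploit chain.

Input is the text of `adb shell getprop`, whose lines look like
[ro.product.model]: [Nexus 6P]. Thresholds below are assumptions.
"""
import re
from datetime import date

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")
AFFECTED_MODELS = {"Nexus 6", "Nexus 6P"}
# Assumed minimum patch level (the October fix mentioned above); adjust to policy.
MIN_PATCH_LEVEL = date(2016, 10, 5)

# Constructed sample output for a device that is still exposed.
SAMPLE_GETPROP = """\
[ro.product.model]: [Nexus 6P]
[ro.build.version.security_patch]: [2016-09-06]
[persist.sys.usb.config]: [mtp,adb]
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
"""


def parse_getprop(text):
    """Turn getprop output into a {key: value} dict, ignoring malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value):
    """Parse a YYYY-MM-DD security patch level; None if absent or malformed."""
    try:
        y, m, d = (int(x) for x in value.split("-"))
        return date(y, m, d)
    except ValueError:
        return None


def assess(props):
    """Return a list of risk findings for one device's properties."""
    findings = []
    model = props.get("ro.product.model", "")
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    if model in AFFECTED_MODELS and (patch is None or patch < MIN_PATCH_LEVEL):
        findings.append("affected model below required security patch level")
    # "adb" in the persistent USB config means USB debugging is switched on.
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("USB debugging (ADB) enabled over USB")
    if (props.get("ro.boot.flash.locked") == "0"
            or props.get("ro.boot.verifiedbootstate") == "orange"):
        findings.append("bootloader unlocked")
    return findings
```

Run it against `adb shell getprop` output collected from each enrolled device and treat any finding as a ticket to update the device and turn USB debugging off.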
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)