<--

Google Nexus 6/6P Custom Boot Modes USB Configs Override

Aleph Research Advisory

Identifier

Severity

High

Products

  1. Nexus 6P
  2. Nexus 6

Vulnerable Versions

  1. Nexus 6 before the January 2017 security patches
  2. Nexus 6P before the January 2017 security patches

Technical Details

The adversary can change the androidboot.mode kernel command line argument which eventually causes Android to enable hidden USB interfaces with extra functionality. It turns out that under the Nexus 6P/6 device’s fastboot UI (which an unauthenticated physical attacker can boot into), two proprietary menu items exist. These menu items instruct, even on a locked bootloader, to change the androidboot.mode argument to either bp-tools or hw/mot-factory. An attacker with ADB access, such as PC malware or a malicious charger connected to an ADB-enabled device, can also change the bootmode permanently, by issuing the following commands:

adb reboot bootloader
fastboot oem config bootmode bp-tools (N6)
fastboot oem bp-tools-on (N6, option 2)
fastboot oem enable-bp-tools (N6P)
fastboot reboot

Similarly, in order to boot with hw/mot-factory, the attacker can issue:

adb reboot bootloader
fastboot oem config bootmode factory (N6)
fastboot oem enable-hw-factory (N6P)
fastboot reboot

Timeline

Posts

Credit