Hacker stole your phone? Time to OEM panic.
Google has patched a bypass hole in Nexus 5X devices that allowed attackers to dump memory from locked phones.
IBM X-Force research lead Roee Hay says exploiting the flaw was simple and required a device be put into fastboot mode.
“The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked.
“The vulnerability and its exploitation are rather straightforward.
“Clearly such an ability would have been very appealing to thieves.”
Vulnerable phones would crash when attackers entered an oem panic command using the ADB interface.
That interface is used for a variety of legitimate operations including flashing custom ROMs and recoveries.
The crash state would expose a serial-over-USB connection allowing attackers to grab a full memory dump.
The scope of the attack is restricted by the need for attackers to be in possession of a physical device removing it as an opportunity for ordinary malware writers.
Pub thieves probably won’t benefit from the attack, which requires some chops to execute, but dedicated phone-filchers probably know how to access recovery mode in order to factory reset stolen phones. ®