Google patches critical bug on Android Nexus 5X devices

The vulnerability, which Google has patched, could let attackers obtain the password for locked Nexus 5X devices and easily access device contents

Google's Android security team patched a critical vulnerability in the company's Nexus 5X devices that would have let attackers bypass the lockscreen. An attacker who successfully triggered the vulnerability would be able to obtain data stored on the device via a forced memory dump, according to researchers from IBM's X-Force team.

An attacker with physical access to the device can easily steal data or perform other malicious activities. The most common recommendation to protect the device in case it falls into malicious hands is to lock the device with a strong passphrase, which requires the attacker to brute-force the lock before being able to do anything.

However, IBM X-Force researchers discovered an "undocumented" vulnerability in LG's Nexus 5X devices which would let attackers obtain the password to unlock the screen, which would have rendered the lockscreen advice worthless.

"The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked," wrote Roee Hay, application security research team leader at X-Force, in a post on the Security Intelligence blog disclosing the patched vulnerability. "Clearly such an ability would have been very appealing to thieves."

The flaw affects Nexus 5X devices running operating system images 6.0 MDA39E through 6.0.1 MMB29V, or bootloaders bhz10i/k. The first "non-vulnerable version" is MHC19J (bootloader bhz10m), released in March, according to IBM. There are currently no reports of exploits targeting this vulnerability in the wild.

Non-Nexus 5X users appear to be unaffected. Google has addressed the vulnerability, and affected Nexus 5X devices should already have the fix. For once, it seems like not having the Nexus was the safer option.

Deceptively simple to execute

The attack relies on the Android Debug Bridge, a command-line tool used by Android developers to communicate with USB-connected Android devices. The attacker with physical access to the locked Nexus 5X would press the volume down button during device boot to enter fastboot mode, X-Force noted in its disclosure. This step doesn't require user authentication and uses ADB to access the device over USB. Typically, the fastboot mode doesn't allow any security-sensitive operation to execute on locked devices.

However, executing the fastboot oem panic command in fastboot mode over USB forces the Android bootloader to crash and "expose a serial-over-USB connection," researchers found. The attacker can obtain a full memory dump using Android OS developer tools such as QPST Configuration.

Somewhere in the memory dump is the device's lockscreen password in cleartext, which gives the attacker the key to unlocking the device.

"The password can be found on the fetched memory dump. Physical attackers can then successfully boot the platform, which further allows them to impersonate the user, access data stored on the device and more," Hay said.

An attacker can still exploit the vulnerability even without having physical access to the device, by either infecting a developer's PC with malware or compromising a charging station. In the latter case, if a vulnerable Nexus connects to the compromised charging station, the user would have to authorize the charger once connected. At that point, the malicious code would issue the adb reboot bootloader command over ADB while the device charges.

It's not clear at this point if the vulnerability was in LG's hardware, the way Android interacts with LG, or in Android itself. At the moment, the issue appears to be restricted to only the Nexus 5X devices with the specified Android images. But it reinforces the importance of having good security habits. Yes, turn on the screen lock.

This vulnerability is not an excuse to say "what's the point?" and stop locking the device. Don't get complacent, though. Instead of assuming that enabling the lockscreen is sufficient, continue being careful about where the device is so that it doesn't fall into wrong hands. Enable the remote wipe feature on Android so that if lost, the data saved on the device gets erased.

Good thing it was in the Nexus

Since Google handles the Android update cycle for Nexus devices directly and does not have to rely on manufacturers or carriers to prepare the patches, most Nexus 5X users will receive the fix, or have already received it. It's a good thing Google patched this vulnerability, but the issue again highlights the biggest problem with the Android ecosystem.

Thank goodness the flaw was in the Nexus 5X -- if IBM had uncovered the flaw in a non-Nexus device, Google would have patched the flaw as part of its Android Security Bulletin, but the fixes would have languished in carrier and manufacturer limbo. A year ago, when Google started releasing security fixes for Android on a monthly schedule, several mobile device manufacturers pledged to roll out the updates to users on a regular basis. The sad reality is that hasn't happened consistently across models, nor in a timely manner, for most devices in users' hands.

Nexus users and users updating their own devices with custom Android distributions (such as CyanogenMod) are the only ones benefiting from the Android Security Bulletins. It's a sad state of insecurity if we have to hope for a flaw such as this Nexus 5X vulnerability to be found across more devices and brands in order to finally get the Android update problem fixed once and for all.

Fahmida Y. Rashid
