January’s security patch contained about the usual number of fixes that Google puts into a monthly patch, but it also included a fix for a particularly nasty bug on the Nexus 6 and Nexus 6P. While the bug required physical access to the device and a computer, it could seriously compromise a phone. Vulnerabilities that require complicated setup are often the worst, and this one is no exception. Though an attacker would have had to plan things far in advance and have access to the device in question, once the attack was carried out, the attacker could listen in on phone calls, intercept data traffic, bypass two-factor SMS verification, and even mess around with the phone’s file system and firmware. Essentially, the bug gave an attacker absolute control of the device, provided the attacker was creative and willing to use some workarounds.
To be clear, the bug only affected the Nexus 6 and Nexus 6P, and to varying degrees. While the Nexus 6 was more vulnerable and cooperated fully with the hack, the Nexus 6P would disable the firmware upon detecting a compromised modem, so an attacker needed a lot of additional work to avoid simply bricking a victim’s phone without gleaning any useful data from it. The kicker is that the bug required a compromised PC. The bug works over ADB and can break into a phone’s bootloader. If the “Enable USB Debugging” option in Developer Settings isn’t checked, the bug will fizzle out, but the right program on the attacker’s computer could use a deep system-level exploit with MTP to crack it open.
While most users wouldn’t have to worry about such a bug, the fix is a relief for those who may end up leaving their phone lying around, and for enterprise overlords whose employees may have to use their phones to transfer data back and forth. After all, being heavily encrypted, pretty secure, and easy to carry makes a modern Android phone, especially a Nexus, a rather appealing way to physically carry privileged data, so long as measures are taken to secure it on the go. Having the device infected through a bug like this by somebody at the destination point could spell serious corporate espionage, among other troubles. In any case, those with any other device don’t have to worry, and those with the Nexus 6 and Nexus 6P should keep their devices close at hand and not plug them into any unfamiliar computers until they’ve gotten their hands on the January security patch.