Google Patches Android Custom Boot Mode Vulnerability

A high-risk Android custom boot mode vulnerability was one of many bugs patched by Google as part of its January Android Security Bulletin released earlier this week. On Thursday, the IBM security team that discovered the vulnerability disclosed details about the flaw which leaves Nexus 6 and P6 model handsets open to denial of service and elevation of privilege attacks.

According to IBM’s X-Force Application Security Research Team, the vulnerability (CVE-2016-8467) allows an attacker to use PC malware or malicious chargers to reboot a Nexus 6 or 6P device and implement a special boot configuration, or boot mode, which instructs Android to turn on various extra USB interfaces.

Those interfaces, according to Roee Hay and Michael Goberman, co-authors of the report, can be used by the attacker to gain access to the phone’s modem diagnostics interface where the adversary can manipulate functionality of the modem.

Source: Threatpost