Google has fixed a bug affecting the Nexus 5X that allowed an attacker to extract information from a device, even if it was locked.

The bug in the Nexus 5X Android image allowed an attacker to retrieve the device's password from a memory dump of the handset.


Google has patched a bug affecting Nexus 5X phones that could have exposed information stored on handsets, even if they were passcode-protected.

The security flaw was reported by IBM's X-Force security team, which said the vulnerability would have allowed an attacker to obtain a full memory dump via Android Debug Bridge (ADB), a command-line tool for PCs that developers can use with a USB-connected Android device.

IBM said the bug, which affects older versions of Nexus 5X's Android images, was "rather straightforward" to exploit and was due to a flaw in the fastboot USB interface.

"The vulnerability would have permitted an attacker to obtain a full memory dump of the Nexus 5X device, allowing sensitive information to be exfiltrated from the device without it being unlocked," IBM notes.

In one exploitation method, which did not require physical access to the device, the attacker would first infect an ADB-authorized developer's PC with malware.

An alternative approach would have been to plug a handset into a malicious charger, although this approach would only be successful against devices that had enabled ADB. Also, the target would have needed to authorize the malicious charger after it was connected.

"The attacker reboots the phone into fastboot mode, which can be done without any authentication. A physical attacker can do this by pressing the volume-down button during device boot. An attacker with ADB access can do this by issuing the adb reboot bootloader command," IBM explained.

The fastboot mode exposed a USB interface, which in turn allowed the attacker to issue a command to crash the bootloader. In vulnerable versions of the bootloader, this crash would expose a connection that enabled the attacker to get a full memory dump of the device.

IBM also found that due to the bug in the bootloader, the attacker would be able to retrieve the device's password from the memory dump, allowing for further attacks.