Google plugs serious Nexus vulnerability in latest security update

Google’s monthly Android security patches are always imperative for whichever phones are able to get them, but the January bundle is of particular importance to Nexus 6 and 6P owners. As spotted by Ars Tehcnica UK, Googe has plugged a “high-severity” exploit in its latest patch that could allow attackers to listen in on calls and steal data.

Only brought to light last week by IBM’s X-Force Exchange, the vulnerability in the two phone models opens access to hidden USB interfaces. According to the report, “By rebooting the device with custom bootmodes, an attacker could exploit this vulnerability to override a secure USB configuration and gain elevated privileges on the system, cause a local permanent denial of service and exfiltrate sensitive information.” The researchers warned that the exploit could result in “data theft, data destruction, (and) data corruption.”

As Ars Technica UK explains, older Nexus 6 phones were more vulnerable than the 6P, “but (the newer phone’s firmware) could still be used to break into the modem’s AT interface. That interface would let attacks send or eavesdrop on SMS messages and potentially bypass two-factor authentication.” The patch is among numerous high- and critical-severity vulnerabilities that the January update plugs.

The impact on you at home: If you own a Nexus 6 and 6P that has been updated to Nougat, it should automatically install the security patch as soon as it’s available. But whenever major flaws like this pop up, it’s a good idea to exercise some due diligence on whatever phone you’re running, and check to see if it’s up to date. And if your phone is still running Marshmallow, check the settings to see if you can enable automatic security updates.

IDG Insider


« Google wants you to Tango through exhibits at Detroit museum


AMD Ryzen CPUs: 7 all-new details revealed at CES 2017 »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

How to (really) evaluate a developer's skillset

Adrian Bridgwater’s deconstruction & analysis of enterprise software

Unicorns are running free in the UK but Brexit poses a tough challenge

Trevor Clawson on the outlook for UK Tech startups

Cloudistics aims to trump Nutanix with 'superconvergence' play

Martin Veitch's inside track on today’s tech trends


Is your organization fully GDPR compliant?