Google Released January Security Update With A Fix For a Nexus Vulnerability
Recently, there was discovered a “high-security vulnerability” that affected the Nexus 6 and Nexus 6P and Google brought a fix for it in the latest monthly Android security patch. The exploit patched in this January bundle could allow attackers to intercept ongoing phone calls, and therefore, to steal data.
The vulnerability was revealed last week by IBM’s X-Force Exchange and it seems that it affects only the two Nexus models, opening access to hidden USB interfaces. It seems that “By rebooting the device with custom bootmodes, an attacker could exploit this vulnerability to override a secure USB configuration and gain elevated privileges on the system, cause a local permanent denial of service and exfiltrate sensitive information.” In the report, the researchers have also warned that the exploited vulnerability could result in “data theft, data destruction, (and) data corruption.”
According to Ars Technica UK, the Nexus 6P is less vulnerable than older Nexus 6 phone, “but (the newer phone’s firmware) could still be used to break into the modem’s AT interface. That interface would let attacks send or eavesdrop on SMS messages and potentially bypass two-factor authentication.”
In total, there have been fixed 95 vulnerabilities of which 23 bugs have been fixed with 2017-01-01 patch. The rest of bugs have been fixed under 2017-01-05 patch. Google already informed its OEM partners about these issues on December 5 and the source code patches has been released to the Android Open Source Project.
It’s mandatory to download the January update, if you don’t want to fall victim to data theft. If you’ve already updated your Nexus 6 or Nexus 6P to Android Nougat, the security patch will be automatically installed on your device as soon as it’s available. However, if your phone still runs on Marshmallow, you should enable automatic security updates by going to your device’s Settings.
If you’re encountering other issues, feel free to contact Google.