On Nexus 6 devices, attackers can eavesdrop on communications including phone calls and SMS, while modem restrictions on the still-current 6P model limit attackers to stealing text messages.
The vulnerability was part of a cluster of security holes found by security researchers at IBM's X-Force, all related to a flaw, tagged CVE-2016-8467, in the phones' boot mode, which can be exploited through malware-infected PCs and malicious power chargers to access hidden USB interfaces.
"Furthermore, this level of access to the Nexus 6 modem allows attackers to find the exact Global Positioning System coordinates with detailed satellite information, place phone calls, steal call information and access or change nonvolatile items or the EFS partition", say Roee Hay and Michael Goberman of IBM's X-Force application security research team.
Details have emerged on one of the high-risk vulnerabilities that Google patched in last week's Android Nougat update, a bug that could allow an attacker to force a phone into a special boot mode that then gives him access to extra functionality and the ability to intercept calls and take other actions.
It was complex to activate, requiring the victim to have Android Debug Bridge (ADB), a debugging mode used by developers to load APKs onto Android phones, enabled on their devices and to have manually authorized ADB connectivity with the infected PC or charger.
In particular, the Nexus 6 modem diagnostics interface is of concern, as accessing it gives attackers access to the modem, which compromises "confidentiality and integrity", the team says. They could also access or change items in the EFS partition, which contains information like the IMEI number, serial number or the phone's product code. Once connected, the user is forced to accept the PC or charger permanently, a few commands are issued, and the device is rebooted.
"Every future boot from this point forward will have the boot mode configuration enabled", IBM says.
"Therefore, the attacker only needs the victim to enable ADB once", the researchers added.
Attackers with a victim device in their hand can boot Nexus devices into fastboot and choose BP-Tools or Factory. PC malware on an ADB-authorized machine might also exploit CVE-2016-8467 to enable ADB and install Android malware.
"Such an ADB connection would enable an attacker to install malware on the device".
As Ars Technica UK explains, older Nexus 6 phones were more vulnerable than the 6P, "but (the newer phone's firmware) could still be used to break into the modem's AT interface".
Google has capped a risky but somewhat obscure boot mode vulnerability that allowed infected PCs and chargers to put top-end Nexus phones into denial of service states. Google flagged this as "moderate severity", and patched it in October.