In its latest batch of security updates, Google has addressed a vulnerability that can make Nexus 9 devices vulnerable to malicious headphones, a team of security researchers reveals.
The vulnerability is tracked as CVE-2017-0510 and is rated as a critical severity security flaw. It is described as an elevation of privilege vulnerability in the kernel FIQ debugger which “can enable a local malicious application to execute arbitrary code within the context of the kernel.” The issue can lead to a permanent compromise of the local device, leaving users only one option to repair it: reflashing the operating system.
The bug was found by Aleph Research, a team of former IBM X-Force researchers. Despite the unusual attack vector, the team was also able to leak stack canaries, derandomize ASLR (address space layout randomization), trigger a factory reset, and even access HBOOT, which allowed them to communicate with the device's internal System-on-Chips (SoCs).
In a blog post, Aleph Research explains that attacks via multiplexed connectors were first detailed in a BlackHat 2013 paper that focused mainly on USB ports and only briefly mentioned audio connectors. At the time, the Nexus 4 was found to include a “TTL UART interface hidden in its headphone jack, a functionality which is enabled if the voltage on the MIC pin exceeds some threshold,” and all Nexus devices (and the Pixel) are now known to have this functionality.
The researchers discovered that the FIQ (Fast Interrupt Request) Debugger could be accessed on the Nexus 9, although without a shell on production builds. Hay notes that “FIQ Debugger functionality is enabled even if the UART cable is inserted when the platform is up,” and explains that the supported commands allow a lot of information to be exfiltrated by interacting with the FIQ Debugger.
An attacker, Hay reveals, could dump the process list, use the console command to view the kernel log and obtain an unprivileged shell (on userdebug and eng builds only), or dump the registers and the call stack.