Google plugs serious Nexus vulnerability in latest security update

January security bundle brings a fix for a 'high-severity vulnerability' that was uncovered in the Nexus 6 and 6P.

nexus 6p rear
Adam Patrick Murray

Google’s monthly Android security patches are always imperative for whichever phones are able to get them, but the January bundle is of particular importance to Nexus 6 and 6P owners. As spotted by Ars Tehcnica UK, Googe has plugged a “high-severity” exploit in its latest patch that could allow attackers to listen in on calls and steal data.

Only brought to light last week by IBM’s X-Force Exchange, the vulnerability in the two phone models opens access to hidden USB interfaces. According to the report, “By rebooting the device with custom bootmodes, an attacker could exploit this vulnerability to override a secure USB configuration and gain elevated privileges on the system, cause a local permanent denial of service and exfiltrate sensitive information.” The researchers warned that the exploit could result in “data theft, data destruction, (and) data corruption.”

As Ars Technica UK explains, older Nexus 6 phones were more vulnerable than the 6P, “but (the newer phone’s firmware) could still be used to break into the modem’s AT interface. That interface would let attacks send or eavesdrop on SMS messages and potentially bypass two-factor authentication.” The patch is among numerous high- and critical-severity vulnerabilities that the January update plugs.

The impact on you at home: If you own a Nexus 6 and 6P that has been updated to Nougat, it should automatically install the security patch as soon as it’s available. But whenever major flaws like this pop up, it’s a good idea to exercise some due diligence on whatever phone you’re running, and check to see if it’s up to date. And if your phone is still running Marshmallow, check the settings to see if you can enable automatic security updates.

Shop Tech Products at Amazon