GNex Flaw - No Permission Android App Can Reboot Devices

December 26, 2012
by Kevin Swartz

viaForensics mobile security engineer David Weinstein (@insitusec) has discovered a flaw in the Galaxy Nexus which enables an app with no privileges to reboot the device. While this issue currently enables a local denial of service attack, further analysis is required to determine the full impact.

Initial research uncovered the flaw on the Galaxy Nexus CDMA device, and coordination with security researchers @thuxnder and viaForensics analyst Marco Grassi (@marcograss) confirmed similar flaws exist with other world-readable files on the Nexus 7 and the Galaxy Nexus GSM device.

More generally the flaw is present on devices with debugfs enabled and which have certain debug world-readable files. Weinstein summarized the issue as follows:

“Right now, we can easily create a DoS attack since debugfs is enabled with key files world readable.However, the complexity required in kernel space to support the debugfs backend is significant and creates a large attack surface which may lead to more serious vulnerabilities."

We have posted a POC Android apk (link below) to test flaws on a wider array of devices.

viaForensics (@viaforensics) has reported the flaw to Google and is coordinating with other researchers. Further updates on this and related flaws will be posted here.

Technical Details

Android POC App: AndroidReboot.apk

SHA256 = bc9acaddf83ebb02b55679f7aaf23fbf0cbb988ea904ac17d7a1064758d4591d


Galaxy Nexus CDMA

$ adb shell cat /sys/kernel/debug/usb/ehci/ehci-omap.0/registers

Meme reaction from @timstrazz and @pof

Back to the Blog