Nexus 9 Vulnerability Allowed Attack Through Headphone Port, Fixed in March Update
In a BlackHat paper dating back to 2013, Michael Ossmann & Kyle Osborn showed that several smartphones had multiplexed wired functionality. Most of that research paper focused on the USB socket, but it also revealed that the Nexus 4 has a TTL UART interface hidden in its headphone port. This is interesting because it showed that a Galaxy Nexus running CyanogenMod allowed access to the FIQ Debugger as well as an unprivileged shell.
Not too severe there, but when tested on a Galaxy S3 running CyanogenMod, they were also able to get access to a root shell. Again, Michael Ossmann & Kyle Osborn tested the Nexus 4’s audio connector and were able to access the TTL UART interface when the voltage on the microphone pin exceeded some threshold. Since then, these types of tests have been done on other smartphones, and we’ve been seeing Nexus (and even Pixel) phones with some sort of functionality hidden within the headphone port.
On the Pixel, Nexus 5, Nexus 5X, Nexus 6 and Nexus 6P, using this special cable would give you access to the device’s bootloader (BL) and platform kernel logs. This was not possible on the Pixel C, but it was discovered to work on the Nexus 9 (CVE-2017-0510). Interestingly enough, when doing this on the Nexus 9, the researchers were also able to access the FIQ Debugger as well as HBOOT, though indirectly. There were some restrictions to the FIQ Debugger, such as not having access to a shell on production builds, and the rare possibility of plugging in malicious headphones while in HBOOT.
Still, this is a critical attack vector, and the vulnerability was disclosed to Google, who were able to patch it in the company’s March security update.
Source: Aleph Security Advisory