Talk about security hell. While the Stagefright debacle was scary, the latest issue Google has on its hands is user-facing and exploitable without any crazy tricks. Nexus devices seem to be vulnerable to an exploit that allows you to bypass factory reset protection.
If you don’t know, factory reset protection is supposed to allow you to keep your phone password protected in the event that someone performs a factory reset. It should make the phone virtually unusable without the password, but someone has found a way to work around that with a simple series of button presses. You can find the original exploit being demonstrated in the video above.
Google released a security patch that was said to address the security hole, but RootJunky — the original soul who demonstrated the bug — has followed up with another video showing that the device is still vulnerable even following the January security patch:
As you can see, it’s a much harder process but still doable. We’re not sure how or why this oversight was made, but it doesn’t give us much confidence that these security patches are as thoroughly developed and tested as they ought to be. It’s quite alarming when someone outside of Google is able to produce an easy exploit within hours of the patch going out.
We imagine this will call for another round of patches, but don’t be surprised if Google opts to take a bit more time to make sure they get it right this go-round. In the meantime, just be careful not to lose your phone so this issue doesn’t become relevant to you in the first place.