Android Devices Can Be Fatally Hacked By Malicious Wi-Fi Networks (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A broad array of Android phones is vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated. The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction." Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post. The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.
Now all you have to do is connect to wifi and these pricks can screw you. Thanks, Broadcom!
Just cruising through this digital world at 33 1/3 rpm...
If they can connect to it, they can hack it. Period.
Is it time we ask ourselves if the industry would be in a better place if Windows had won in mobile?
neither of you read this, did you?
"... by Wi-Fi proximity alone, requiring no user interaction."
That was one well-written blog post! Informative, detailed, yet easy to read... and bloody long.
I got a kick out of the fact that this incredibly long blog post is titled "Part 1".
#DeleteChrome
that the carriers (who sell the majority of the affected phones) are totally on top of the latest security fixes and always push them out to their customers right away.
That is all.
The title of this article seems to suggest this is a particularly Android/Google issue. It is an attack on the Broadcom firmware.
You know, the Broadcom chip family used in pretty much everything? Let me rewrite that headline:
Many devices Using Broadcom Chips Can Be Hacked By Malicious Wi-Fi Networks
(I also cut the sensational "fatally")
Just checked. My South African LG G5 (H850) has an update available this morning. It is currently running Nougat Hemoroid 7.0.
Since I am prudent, I will back up everything to my SD card (f u Apple!), factory reset the phone, update to and then restore settings. Best way to avoid bricking or bootloop.
... Broadcom screws us again... no shit.
Thanks, Broadcom, and other binary-blob firmware peddlers, for royally fucking up and not giving a damn.
Many driver manufacturers insist on providing BLOBs (binary loadable object files) for drivers to load into their devices, or they have the firmware stored in their devices. What we can't see probably has security errors that we can't fix, but as this shows, the bad guys can find them.
Your system already has backdoors like this. In drivers that load BLOBs and devices that run proprietary firmware, and in the Intel Management Engine.
Bruce Perens.
We've got your money now fuck off.
... but let's be honest here, as much as Apple fans love to tout that it's safer for viruses, that's certainly not the case ...
Except 79% of iOS users have a patch available right now, 10.3.1. For extreme vulnerabilities such as this, in the past Apple also has updated "obsolete" versions of iOS. So if they provide a hypothetical 9.3.6 they could get coverage to 90%.
In comparison the current version of Android has 2.8% coverage, add the previous version and we have 34.1%, go back two "obsolete" versions and we have 66.6%, three "obsolete" versions back (KitKat 4.4) and we get to 87.4% coverage. In theory, in reality most of those old Android phones won't be offered a patch even if Google produced one.
It seems to me that one is safer with iOS, you are more likely to get a patch.
https://developer.apple.com/support/app-store/
https://developer.android.com/about/dashboards/index.html
We must have it or we're fucked. I've been telling this to Google for years, but they don't seem to be interested. As a result we have literally hundreds of millions of Android devices with dozens of remote vulnerabilities, the devices which aren't supported and cannot be upgraded to anything else. And it's getting worse day by day.
I recall years ago, reading about a study which found that unpatched Win XP systems would get pwned in an average of ~5 seconds, once connected to the internet. This was due to old, long-since-patched worms like Blaster and Sasser, that still lived on in unpatchable systems. I imagine in the near future there will be a worm where every pwned device activates its wifi (even if the official wifi setting is set to 'off') and attacks every nearby device. EOL phones will be permanently vulnerable (how many iphones use this Broadcom chip yet are ineligible for iOS 10.3.1?), just like those permanently unpatched WinXP systems. It's an even worse situation on Android devices that are supported for a few months on average.
Ironically people will have to enable wifi in order to download the firmware update to patch this bug, if their OS only allows OS updates via wifi.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Google does offer a patch. Android is open source.
Users need to vote with their wallets, refusing to buy from manufacturers who customize Android, usually to the customer's detriment, then fail to commit to monthly security updates.
Haha. Good luck with that!
Some of Android is Open Source. Please get your facts right.
There are many bits such as the cough-cough Broadcom drivers that are closed source.
I'd rather be riding my '63 Triumph T120.
Hmm... Small world syndrome? Just now reading Dogfight about the smartphone competition between Apple and the google. Don't tell me how it ends, but I'm already feeling like the author is going to come out against Apple...
However, I think that Apple has the big advantage in fixing security problems precisely because the consumers have so little freedom. I currently have three Android devices and have no idea which of them, if any are vulnerable. It would be worse if my two older phones hadn't died already. On the plus side, I normally leave the WiFi switched off.
Time to look for some funny comments, but I'm not sure I see the potential humor in the topic. Corporate cancerism is no joke, and in this case it means we have no legal defenses. The makers sure ain't liable.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
The attack doesn't require a rogue access point, as it uses a Peer-to-Peer (Ad-Hoc) WiFi protocol. Vulnerable WiFi chipsets can be attacked by any other WiFi device in range.
http://www.glasswings.com/
Oh yeah, well I might get an update someday on my Android tablet. Well, probably not but I can hope, can't I? I have owned it for over a year and think I got one system update about 6 months ago. Consider myself lucky I guess to get that.
Yes, it's like that isn't it? Android seems like an OK operating system until you realize the complete lack of support and fragmented update system in place. Then you realize this is the worst designed OS for maintaining an optimum OS that has ever been deployed in devices. People using not so old devices that will never see another update again.
Well, for the European market, they have to patch the phones up to two years after the last *sale*. As the problem is a manufacturing defect, customers can return the devices and demand it to be fixed or replaced. Now legally that's a problem for the company that directly sold the product to consumers, not the manufacturer, but you can bet that Vodafone has some leverage over even Samsung.
And since Samsung therefore needs to provide patches anyway, the US market might get them as well. Of course, this applies only to those phones which are sold in the EU. US-only models probably won't get a patch..
"People using not so old devices that will never see another update again."
Are idiots.. I bought an Android device and get monthly security patches.
I wonder if all these fancy new Raspberry Pi's with closed source Broadcom chips are affected?
... Because apple support is ...? Let's be honest. You don't get support from Apple. You get to buy a new phone. The iOS upgrades aren't for you. They're to protect the walled garden. You are the product. Make no mistake.
The bug affects both Android and iOS however the headline just somehow happens to be "ANDROID DEVICES Can Be Fatally Hacked By Malicious Wi-Fi Networks" instead of, say, "Smartphones with Broadcom wifi chips can be fatally hacked by malicious wi-fi"
One of the biggest reasons Android conquered mobile was the cheap price. If you wanted to get a $150 smart phone off-contract, you can't get an iPhone, period. Most of us in the tech industry or in comparatively wealthy neighborhoods are walking around with a $600 smart phone. But Android consumed the market because a McDonald's employee could walk into a Best Buy and get a $100 LG Android phone.
So most people can't vote with their wallets. I don't know if this is reliable, but look at the one put together by Android Central for devices receiving security updates last month: http://www.androidcentral.com/... It's horrifying. There are devices on that list that are cheap now, like the Nexus 5. But I don't think anything on that list was below $400 when it launched.
No… anyone who looks at their numbers knows that Apple customers and data aren't the product. The phone is. They make all their money off hardware sales.
Google sells its customer data and Apple doesn't. Saying that their business model is the same when it plainly isn't is crazy talk.
Apple is open to criticism on many things, but not via "you are the product."
Google does offer a patch. Android is open source.
Users need to vote with their wallets, refusing to buy from manufacturers who customize Android, usually to the customer's detriment, then fail to commit to monthly security updates.
Because the Android fan base is more worried about cheap than security. Most don't believe that the phone has any security issues anyhow, so are happy to tout their KungPao 7 Android phone as something superior to the phones those asshole Apple hipsters use.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
CM died and begat Lineage OS. And now I'm getting ~weekly updates for my Moto G 2nd, which has of course been left behind by Motorola.
OSS FTW
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Shh, hush little trumpster, don't say a word. Trumpys going to buy you nothing but regret.
Things like SElinux, SafetyNet, and (factory-only) locked bootloaders are pointless complexity.
These devices are complicated and security is a process - constant vigilance. It's not a firewall, or a set of complicated access controls. It's education, updates, and constant testing.
Simple rules are easy to understand, and 40 years of experience has shown that it's the best way to make secure code.
A government is a body of people notably ungoverned - AC
Every iPhone since the iPhone 5 has this update available. Sorry but the "buy a new smartphone to update your OS" is an Android thing. And be careful, lots of "new" Android smartphones have old Android versions and no updates.
Good luck getting a significant portion of people to EVER do that with any product.
"iOS also has the fuck-you features, like the fact that you can't send a group text to more than ten people unless all are iOS users. Why? Because lock-in."
I think that this was implemented originally because of spam and those stupid hoax emails. They didn't want it to spread to texting like it did with email. Apple can lock it down if it's coming thru their network. Whereas SMS isn't. iMessage is.
It seems to me that one is safer with iOS, you are more likely to get a patch.
Alternative explanation, people who buy Apple simply do not hold on to their phones for as long as people who buy Android. I'd be curious to know the spread of hardware iterations (iPhone 7, 6, 5, etc) that encompass your numbers. Does that 79% consist of nothing but the latest version?
The patch, 10.3.1, is available for all iPhone 5, 6 and 7. All 10.x users, 79%, can get the patch.
Does that 90% also consist of nothing but the latest version (because some people didn't want to update)?
To be clear, that 95% (90% was a typo) includes all 9.x and 10.x users and there is no patch for 9.x yet. Note I referred to a hypothetical 9.3.6 patch, as I referred to hypothetical Android 6, 5 and 4.4 patches. The point was showing how far back, three "obsolete" versions for Google versus one for Apple, that there needed to be to get "comparable" coverage for users. Now consider the patching situation for the Android 6, 5 and 4.4 users between Google not providing a patch and/or hardware vendors not publishing a patch.
Apple has provided patches for "obsolete" versions in the past for extreme vulnerabilities. Then again, I don't know if iPhone 4 has a vulnerable Broadcom chip, maybe 4's are not vulnerable?
I don't know. But if you want to convince the people who are already dead-set on Android that you are correct, that is something that you need to provide.
I purchased Google Nexus devices to mitigate the patch nightmare that is Android. Right now my 2013 Nexus 5 is not offering a patch. A 2012 iPhone 5 has a patch.
Broadcom drivers...
It's almost like drivers and OSes are two different things.
Google does offer a patch.
Right now my 2013 Google Nexus 5 is not offering a patch. A 2012 iPhone 5 has a patch.
Wei 2 go Beau..
so the title should have been
all devices with this chipset are in trouble..
Apple employs those chips in some of their products, thus your title is LAME, OFF BASE, AND UNINFORMED..
Perhaps it's time to put the Pipe down, and broaden your horizons..
Looking at the world as we know it through such a small lens can be dangerous, esp when driving. You do drive, Right??
The upside is that most cheap phones are only in service for a year or two at best. Unpatched flaws get thrown away with the phone.
This kind of thing is uninteresting at this point. Flaws are found, patches are issued and the sun rises every morning. I'd like to see good statistics (which are likely impossible to collect) about the amount of real world harm caused by most of them.
Far more damaging is people's own idiotic behavior. We have known about HIV floating around for decades yet people still have unprotected sex with relative strangers all the time. You reap what you sow.
I have mod points. The reign of terror begins now.
Those Broadcom chips are everywhere. Wi-Fi routers running Broadcom chips are possibly vulnerable too. When was the last time you did a firmware update to the Wi-Fi chipset in your home router? Yeah, me neither.
Which makes me wonder if Qualcomm chips are just as bad.
Wrong, ALL of Android is open source.
Drivers and apps are not a part of the OS, dumbass.
It's worse than that.
I actively avoid updates because my carrier uses them to install new, uninstallable crap that I don't want.
And yes, I understand exactly what I'm doing when I don't accept them. I don't bank on my phone, so the worst an attacker could do is get into my social media accounts.
My carrier is a bigger threat to me than this attack.
Are you going to release this security patch? My 2nd gen Moto X is still on the August patch level.
My suspicion is that it will do more harm as time goes on, even as Google tries to tighten the security. People order things from Amazon, shop on Ebay, and even do banking from their phone. Hacks are going to become more and more profitable.
It's worse than that.
I actively avoid updates because my carrier uses them to install new, uninstallable crap that I don't want.
And yes, I understand exactly what I'm doing when I don't accept them. I don't bank on my phone, so the worst an attacker could do is get into my social media accounts.
My carrier is a bigger threat to me than this attack.
Good points, and good move re the banking info.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
What manufacturer would you recommend? I've currently got a $25 no-name Android phone and it does what I need 95% of the time - the only things I feel I can't do on it are highly sensitive things like accessing my e-mail or bank account. I can usually wait to do that until I get back to the house/office, but occasionally it would be convenient to access them from my phone. Probably about once a month. I don't feel comfortable doing it unless I know my phone has been patched.
I'm not willing to pay the Apple tax or anything close to it for this marginal increase in functionality. It needs to be under $100 for sure; my target is more like $60. That's several times the cost of my current phone. I think that should be enough to pay for security updates - unless the market is totally fucked.
Other requirements (and non-requirements):
*Screen: Doesn't need to be huge - 4" is fine. No less.
*Battery life: 24 hours in moderate usage, at least 48 hours idling (connected to network, but not being used). So the spec sheet will probably say "5 days"
*Build quality - Doesn't need to be iPhone-level. At my price point the phone will be replaceable.
*Headphone jack, however, is a must. DAP is one of the primary uses for my phone.
*At least 8 GB of internal storage, OR an SD slot.
It's almost like you need both of them for a usable phone.
Which is entirely irrelevant since the thread is specific to the OS and targeting Google.
Choose your targets. The scattergun approach makes no sense.
What other devices are going to be vulnerable to this - there's a hell of a lot of things using Broadcom wifi chipsets.. pretty much everything from Ambarella (so that's GoPros and most of the GoPro alternatives), plus Wifi routers, IoT devices, baby monitors....
There are many bits such as the cough-cough Broadcom drivers that are closed source.
If a driver for shipped hardware is made available to anyone, it should have to be made available to everyone. That doesn't force manufacturers to support hardware past its useful date, or necessarily even to that point, but it would encourage more driver releases that would permit more third parties to roll more custom roms which would subsequently solve more of these problems.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"