Android Devices Can Be Fatally Hacked By Malicious Wi-Fi Networks (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A broad array of Android phones is vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated. The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction." Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post. The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.
And this is why companies such as Broadcom, Cisco, Qualcomm, Intel, Marvell, (name your favorite chip vendors here) ... who wish to make gazillions on supplying what is increasingly *critical infrastructure*, not just 'fun stuff', need to be compelled via legislation and trade treaties to make their firmware stacks available for audits on a continuing basis by security professionals and subject to binding actions based upon those audits to fix issues as they are found. Fine, they don't have to open-source it all; but they must at least be subject to an independent, impartial council of experts who can have free rein to probe, test and comment on their implementations before deployment. Regulation isn't always a bad thing.
There can be no security which relies on obscurity.
Many driver manufacturers insist on providing BLOBs (binary loadable object files) for drivers to load into their devices, or they have the firmware stored in their devices. What we can't see probably has security errors that we can't fix, but as this shows, the bad guys can find them.
Your system already has backdoors like this. In drivers that load BLOBs and devices that run proprietary firmware, and in the Intel Management Engine.
Bruce Perens.
So, only way to avoid this? Turn off Wi-Fi completely unless you know you're patched.
Don't forget to turn off wifi+location services integration. Recent versions of Android push you to scan for wifi networks for location services, even when wifi is disabled. So you'll lose location accuracy, in addition to losing wifi.
A cat can't teach a dog to bark.
I recall years ago, reading about a study which found that unpatched Win XP systems would get pwned in an average of ~5 seconds, once connected to the internet. This was due to old, long-since-patched worms like Blaster and Sasser, that still lived on in unpatchable systems. I imagine in the near future there will be a worm where every pwned device activates its wifi (even if the official wifi setting is set to 'off') and attacks every nearby device. EOL phones will be permanently vulnerable (how many iPhones use this Broadcom chip yet are ineligible for iOS 10.3.1?), just like those permanently unpatched WinXP systems. It's an even worse situation on Android devices that are supported for a few months on average.
Ironically people will have to enable wifi in order to download the firmware update to patch this bug, if their OS only allows OS updates via wifi.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Some of Android is Open Source. Please get your facts right.
There are many bits such as the cough-cough Broadcom drivers that are closed source.
I'd rather be riding my '63 Triumph T120.
I'm not the OP you're responding to but I would assume the idea was that the chipset manufacturers have to pay for it.
Ah yes, the old argument that manufacturers should pay more from their magical money trees.
The only person that pays for anything is the end consumer, and they've long since proven that they are not willing to pay for any level of security. The only thing that will get them to pay more than the cheapest price is shininess and peer pressure (which is related to the in-vogue definition of shininess).
You're still connected to a cell network.
It's a vulnerability, but let's be honest here, as much as Apple fans love to tout that it's safer against viruses, that's certainly not the case.
So if I'm getting you straight, this is an Apple problem, not an Android problem.
Apple patched it. Most Android devices won't/can't. It takes a special level of denial to try to do what you tried to do. Do go on though.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.