Android Devices Can Be Fatally Hacked By Malicious Wi-Fi Networks (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A broad array of Android phones is vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated. The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction." Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post. The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.
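The summary describes the bug class without showing it: firmware that parses a Wi-Fi frame's information element (tag, length, value) and trusts the length byte the frame supplies, so an over-long element overflows a fixed buffer and reaches whatever sits next to it, such as a timer callback. The following is an added example constructed for this page; it is not Broadcom's firmware, nor Project Zero's exploit code. The SSID element tag (0x00), the 32-byte SSID limit, the `scan_ctx` layout with a callback pointer directly after the buffer, and all function names are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class: firmware copies an 802.11 information
 * element (tag, length, value) into a fixed-size buffer using the length
 * byte the frame supplies. Layout, names and the element chosen are
 * assumptions for this demo, not Broadcom's code. */
#define IE_SSID   0x00   /* SSID element tag in 802.11 management frames */
#define SSID_MAX  32     /* 802.11 caps an SSID at 32 bytes */

typedef void (*timer_cb)(void);

/* Assumed firmware object: the SSID buffer sits directly below a timer
 * callback pointer, so an over-long copy reaches the pointer. */
struct scan_ctx {
    uint8_t  ssid[SSID_MAX];
    timer_cb on_scan_timer;   /* fired on the periodic scan timer */
};

void benign_timer(void)   { /* what the firmware normally runs */ }
void attacker_timer(void) { /* stands in for attacker-controlled code */ }

/* Vulnerable: trusts the frame's length byte. Real firmware would do
 * memcpy(ctx->ssid, frame + 2, len); the byte loop over the struct keeps the
 * overflow inside one object so the demo stays defined behaviour. */
int parse_ssid_vulnerable(struct scan_ctx *ctx, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2 || frame[0] != IE_SSID) return -1;
    uint8_t len = frame[1];
    if (2 + (size_t)len > frame_len) return -1;   /* read side is checked ... */
    uint8_t *dst = (uint8_t *)ctx + offsetof(struct scan_ctx, ssid);
    for (size_t i = 0; i < len; i++)
        dst[i] = frame[2 + i];                     /* ... the write side is not */
    return 0;
}

/* Hardened: bound the copy by the destination as well as by the frame. */
int parse_ssid_hardened(struct scan_ctx *ctx, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2 || frame[0] != IE_SSID) return -1;
    uint8_t len = frame[1];
    if (2 + (size_t)len > frame_len) return -1;   /* element runs past the frame */
    if (len > SSID_MAX) return -2;                 /* element longer than the buffer */
    memcpy(ctx->ssid, frame + 2, len);
    memset(ctx->ssid + len, 0, SSID_MAX - len);
    return 0;
}

/* Build a constructed SSID element. When ie_len reaches past the buffer,
 * plant a callback address exactly where the overflow lands on on_scan_timer.
 * The demo uses ie_len == SSID_MAX + sizeof(timer_cb) so the write stays
 * within struct scan_ctx. */
size_t build_ssid_ie(uint8_t *out, size_t cap, uint8_t ie_len, timer_cb cb)
{
    if (cap < 2 + (size_t)ie_len) return 0;
    out[0] = IE_SSID;
    out[1] = ie_len;
    memset(out + 2, 'A', ie_len);
    if (ie_len >= SSID_MAX + sizeof cb)
        memcpy(out + 2 + SSID_MAX, &cb, sizeof cb);
    return 2 + (size_t)ie_len;
}

/* Returns 1 if the vulnerable parser let the frame replace the timer callback. */
int vulnerable_callback_hijacked(void)
{
    struct scan_ctx ctx = { {0}, benign_timer };
    uint8_t frame[64];
    size_t n = build_ssid_ie(frame, sizeof frame,
                             (uint8_t)(SSID_MAX + sizeof(timer_cb)), attacker_timer);
    if (n == 0 || parse_ssid_vulnerable(&ctx, frame, n) != 0) return -1;
    return ctx.on_scan_timer == attacker_timer;
}

/* Returns the hardened parser's verdict on the same frame; the callback must survive. */
int hardened_verdict_on_overlong(void)
{
    struct scan_ctx ctx = { {0}, benign_timer };
    uint8_t frame[64];
    size_t n = build_ssid_ie(frame, sizeof frame,
                             (uint8_t)(SSID_MAX + sizeof(timer_cb)), attacker_timer);
    int rc = parse_ssid_hardened(&ctx, frame, n);
    return ctx.on_scan_timer == benign_timer ? rc : -99;
}

/* A well-formed 5-byte SSID is accepted by the hardened parser (returns 0). */
int hardened_accepts_valid(void)
{
    struct scan_ctx ctx = { {0}, benign_timer };
    uint8_t frame[64];
    size_t n = build_ssid_ie(frame, sizeof frame, 5, NULL);
    return (parse_ssid_hardened(&ctx, frame, n) == 0
            && memcmp(ctx.ssid, "AAAAA", 5) == 0) ? 0 : -1;
}

int main(void)
{
    printf("vulnerable parser hijacked timer callback: %d\n", vulnerable_callback_hijacked());
    printf("hardened parser verdict on over-long element: %d\n", hardened_verdict_on_overlong());
    printf("hardened parser on valid element: %d\n", hardened_accepts_valid());
    return 0;
}
```

The point to take from the two parsers is that checking the length against the frame is not enough; the copy also has to be bounded by the destination. On a device with no MMU or stack protector on the Wi-Fi SoC, the unchecked write in the first parser is exactly what turns a malformed frame from a nearby access point into control of a callback the firmware will call on its own.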
That was one well-written blog post! Informative, detailed, yet easy to read... and bloody long.
I got a kick out of the fact that this incredibly long blog post is titled "Part 1".
#DeleteChrome
You're still connected to a cell network.
It's a vulnerability, but let's be honest here: as much as Apple fans love to tout that it's safer from viruses, that's certainly not the case. Really all that you're doing is increasing the difficulty of hacking a device.
Anything like plugging your device into a USB charging port at the airport is more than enough for a hacker; there are more than enough people walking around connecting to open wifi and using shitty passwords or clicking on links in their email from untrusted sources to cover in a large sweep. But if you're specifically targeted? C'mon man. Some stack overflow is pretty much the least of your problems.
You remember that Android devices have a synced Google account? Oh and Apple isn't terribly better. In fact, with all their custom chip security solutions it's probably worse since you can't patch circuits without replacing them. Much easier to get access to your account and use that to access your device than the other way around. But really, who cares? I can knock a network offline for a brief second, spoof it so you'll reconnect to me, and then bam, now I'm connected MitM.
This sort of argument gets made every time there is a breach in any proprietary system, but where exactly are you going to find these "security professionals" to carry out detailed audits on entire firmware systems every time someone releases a new product? Who's going to pay their bill? What good is a fix from a SoC manufacturer if the suppliers of devices incorporating those SoCs, or the networks reselling them, don't then supply an OTA update in a timely and secure fashion?
The idea that enough eyes make all bugs shallow might be one of the most dangerous fallacies in computing today, but even if it were true, it would still only be the first step to fixing a problem like this.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.