Slashdot Mirror


Android Devices Can Be Fatally Hacked By Malicious Wi-Fi Networks (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A broad array of Android phones is vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated. The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction." Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post. The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.
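The summary above describes the bug class at a high level: a length taken from an over-the-air frame is trusted when data is copied into a fixed stack buffer. As an added example, not code from the Ars report, Project Zero or Broadcom, here is a toy parser for 802.11 information elements (tag/length/value records such as the SSID) that shows the unchecked pattern next to a bounded version. The function names, status codes and sample frame bytes are all constructed for this illustration.

```c
/* Added example (not Broadcom's or Project Zero's code): a toy parser for
 * 802.11 information elements (IEs). Each IE is tag (1 byte), length
 * (1 byte), value. The flawed copy trusts the length byte from the air;
 * the bounded parser checks every read against the frame length and the
 * output capacity. All frame bytes below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID       0    /* real IE tag number for the SSID element */
#define SSID_MAX_LEN  32   /* 802.11 caps an SSID at 32 octets */

/* Status codes are this example's own, not a library's. */
enum ie_status { IE_OK = 0, IE_NOT_FOUND = 1, IE_TRUNCATED = 2, IE_TOO_LONG = 3 };

/* Flawed pattern: a 32-byte stack buffer filled using the length byte
 * received from the peer. A length of up to 255 overruns the buffer.
 * Kept only for comparison; nothing in this example calls it. */
void ssid_copy_unchecked(const uint8_t *ie, char *out /* 32 bytes */)
{
    uint8_t len = ie[1];
    memcpy(out, ie + 2, len);   /* BUG: len is never compared to 32 */
}

/* Bounded parser: walks the IE list, rejects values that run past the
 * frame or exceed the caller's buffer, and NUL-terminates the SSID. */
enum ie_status find_ssid(const uint8_t *frame, size_t frame_len,
                         char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0;
    while (pos + 2 <= frame_len) {              /* need tag and length bytes */
        uint8_t tag = frame[pos];
        uint8_t len = frame[pos + 1];
        if (pos + 2 + (size_t)len > frame_len)
            return IE_TRUNCATED;                /* value runs past the frame */
        if (tag == IE_SSID) {
            if (len > SSID_MAX_LEN || (size_t)len >= out_cap)
                return IE_TOO_LONG;             /* reject instead of overflow */
            memcpy(out, frame + pos + 2, len);
            out[len] = '\0';
            *out_len = len;
            return IE_OK;
        }
        pos += 2 + (size_t)len;                 /* skip to the next IE */
    }
    return IE_NOT_FOUND;
}

/* Constructed sample frames. */
static const uint8_t good_frame[] = {
    0x01, 0x02, 0x82, 0x84,            /* Supported Rates IE, 2 octets */
    0x00, 0x04, 'h', 'o', 'm', 'e'     /* SSID IE, "home" */
};
/* Claims a 200-octet SSID but only 4 octets follow: must be rejected. */
static const uint8_t truncated_frame[] = { 0x00, 0xC8, 'x', 'x', 'x', 'x' };

/* Small drivers returning plain ints so the outcomes are easy to check. */
int parse_good_frame(void)
{
    char ssid[SSID_MAX_LEN + 1]; size_t n = 0;
    if (find_ssid(good_frame, sizeof good_frame, ssid, sizeof ssid, &n) != IE_OK)
        return -1;
    return strcmp(ssid, "home") == 0 ? (int)n : -2;   /* expect 4 */
}

int parse_truncated_frame(void)
{
    char ssid[SSID_MAX_LEN + 1]; size_t n = 0;
    return (int)find_ssid(truncated_frame, sizeof truncated_frame,
                          ssid, sizeof ssid, &n);       /* expect IE_TRUNCATED */
}

int parse_oversized_frame(void)
{
    /* A well-formed frame whose SSID IE carries 40 octets: the frame is
     * complete, but the value exceeds the 32-octet buffer. */
    uint8_t frame[2 + 40];
    frame[0] = IE_SSID; frame[1] = 40;
    memset(frame + 2, 'A', 40);
    char ssid[SSID_MAX_LEN + 1]; size_t n = 0;
    return (int)find_ssid(frame, sizeof frame, ssid, sizeof ssid, &n); /* expect IE_TOO_LONG */
}

int main(void)
{
    printf("good frame: ssid length %d\n", parse_good_frame());
    printf("truncated frame: status %d\n", parse_truncated_frame());
    printf("oversized frame: status %d\n", parse_oversized_frame());
    return 0;
}
```

The two checks in `find_ssid` are the whole lesson: the length byte is compared both against the bytes actually present in the frame and against the capacity of the destination buffer before any copy happens, so a malformed element yields an error code rather than a write past the end of the stack frame.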

25 of 154 comments

  1. Windows mobile by Anonymous Coward · · Score: 3, Funny

    Is it time we ask ourselves if the industry would be in a better place if Windows had won in mobile?

    1. Re: Windows mobile by Anonymous Coward · · Score: 3, Informative

      The flaw is in the Wi-Fi controller, not the OS. That's why this hit both iOS and Android.

    2. Re:Windows mobile by blackpaw · · Score: 2

      Considering this is a broadcom problem, I don't see what difference it makes in this regard.

      However in overall security, I somewhat doubt it:

      http://www.computerworld.com/a...

      Keep in mind, Windows had a super tiny mobile market share even at the time, and still manages to be responsible for 80% of malware on mobile networks.

      Bogus clickbait article that is plain wrong. It's counting *Windows PCs* that are connected via mobile data as mobile phones; given their dominance in the desktop market, and that most viruses are targeted at desktops, of course they dominate the stats.

      Given the tiny % of Windows Mobile phones it is obviously quite ridiculous to claim they account for 80% of malware. I'm not aware of any real windows mobile malware.

      The vast majority of mobile malware is Android, because of its market dominance, pathetic security model and total lack of security updates.

  2. Blog post by 93+Escort+Wagon · · Score: 4, Interesting

    That was one well-written blog post! Informative, detailed, yet easy to read... and bloody long.

    I got a kick out of the fact that this incredibly long blog post is titled "Part 1".

    --
    #DeleteChrome
    1. Re:Blog post by bill_mcgonigle · · Score: 2

      I see from the author's blurb that he has significant professional experience. s/blogger/reporter/

      It's too bad Broadcom doesn't seem to. On a 90-day disclosure it looks like they acknowledged the bug with two weeks left to go, asked for an extension, and now it'll be four months before typical users get patches for an exploit that is going to be stealing banking passwords in train stations next Monday (or more interesting data on the BART or DC Metro).

      Apple is making a strong case for using its products - not on features, but just by meeting bare-minimum basic competency metrics.

      Yes, it's not remotely exploitable like Stagefright, but it's also completely untraceable. Lots of users are seriously screwed.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. it's a really good thing by Anonymous Coward · · Score: 2, Funny

    that the carriers (who sell the majority of the affected phones) are totally on top of the latest security fixes and always push them out to their customers right away.

  4. Re:Wonderful by Anonymous Coward · · Score: 2, Insightful

    And this is why companies such as Broadcom, Cisco, Qualcomm, Intel, Marvell, (name your favorite chip vendors here) ... who wish to make gazillions on supplying what is increasingly *critical infrastructure*, not just 'fun stuff', need to be compelled via legislation and trade treaties to make their firmware stacks available for audits on a continuing basis by security professionals and subject to binding actions based upon those audits to fix issues as they are found. Fine, they don't have to open-source it all; but they must at least be subject to an independent, impartial council of experts who can have free rein to probe, test and comment on their implementations before deployment. Regulation isn't always a bad thing.

    There can be no security which relies on obscurity.

  5. This is why BLOBs are a bad idea by Bruce+Perens · · Score: 2, Insightful

    Many driver manufacturers insist on providing BLOBs (binary loadable object files) for drivers to load into their devices, or they have the firmware stored in their devices. What we can't see probably has security errors that we can't fix, but as this shows, the bad guys can find them.

    Your system already has backdoors like this. In drivers that load BLOBs and devices that run proprietary firmware, and in the Intel Management Engine.

    1. Re:This is why BLOBs are a bad idea by Bruce+Perens · · Score: 2

      Before you call other folks rude names, read up on gate arrays and the other devices that you are likely to find in dedicated hardware these days. Although these devices are not exactly CPUs, they are programmed, and have source code in a language like Verilog.

    2. Re:This is why BLOBs are a bad idea by Bruce+Perens · · Score: 3, Informative

      If they don't use BLOBs, wouldn't that just mean the vulnerabilities are baked into silicon?

      Your device generally includes some sort of CPU, which is usually programmed in C. It might also include a gate-array program, which is written in Verilog or VHDL. Backdoors and bugs live in both of these things.

  6. Re:Wonderful by Anonymous+Brave+Guy · · Score: 4, Interesting

    This sort of argument gets made every time there is a breach in any proprietary system, but where exactly are you going to find these "security professionals" to carry out detailed audits on entire firmware systems every time someone releases a new product? Who's going to pay their bill? What good is a fix from a SoC manufacturer if the suppliers of devices incorporating those SoCs or the networks reselling them don't then supply an OTA update in a timely and secure fashion?

    The idea that enough eyes make all bugs shallow might be one of the most dangerous fallacies in computing today, but even if it were true, it would still only be the first step to fixing a problem like this.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  7. The reaction from the Android manufacturers and ca by cyber-vandal · · Score: 3, Informative

    We've got your money now fuck off.

  8. Re:Wonderful by piojo · · Score: 4, Insightful

    So, only way to avoid this? Turn off Wi-Fi completely unless you know you're patched.

    Don't forget to turn off wifi+location services integration. Recent versions of Android push you to scan for wifi networks for location services, even when wifi is disabled. So you'll lose location accuracy, in addition to losing wifi.

    --
    A cat can't teach a dog to bark.
  9. Actually iOS is safer, more likely to get patch by Anonymous Coward · · Score: 4, Informative

    ... but let's be honest here, as much as Apple fans love to tout that it's safer for viruses, that's certainly not the case ...

    Except 79% of iOS users have a patch available right now, 10.3.1. For extreme vulnerabilities such as this, in the past Apple also has updated "obsolete" versions of iOS. So if they provide a hypothetical 9.3.6 they could get coverage to 90%.

    In comparison, the current version of Android has 2.8% coverage; add the previous version and we have 34.1%, go back two "obsolete" versions and we have 66.6%, three "obsolete" versions back (KitKat 4.4) and we get to 87.4% coverage. In theory; in reality, most of those old Android phones won't be offered a patch even if Google produced one.

    It seems to me that one is safer with iOS, you are more likely to get a patch.

    https://developer.apple.com/support/app-store/

    https://developer.android.com/about/dashboards/index.html

    1. Re:Actually iOS is safer, more likely to get patch by DontBeAMoran · · Score: 2

      Except 79% of iOS users have a patch available right now, 10.3.1.

      Are there really 79% of iOS users who have a device that can run iOS 10?

      --
      #DeleteFacebook
  10. Wireless Worm by mentil · · Score: 4, Insightful

    I recall years ago, reading about a study which found that unpatched Win XP systems would get pwned in an average of ~5 seconds, once connected to the internet. This was due to old, long-since-patched worms like Blaster and Sasser, that still lived on in unpatchable systems. I imagine in the near future there will be a worm where every pwned device activates its wifi (even if the official wifi setting is set to 'off') and attacks every nearby device. EOL phones will be permanently vulnerable (how many iPhones use this Broadcom chip yet are ineligible for iOS 10.3.1?), just like those permanently unpatched WinXP systems. It's an even worse situation on Android devices that are supported for a few months on average.

    Ironically people will have to enable wifi in order to download the firmware update to patch this bug, if their OS only allows OS updates via wifi.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  11. Re: Actually iOS is safer, more likely to get patc by Albanach · · Score: 3

    Google does offer a patch. Android is open source.

    Users need to vote with their wallets, refusing to buy from manufacturers who customize Android, usually to the customer's detriment, then fail to commit to monthly security updates.

  12. Re: Actually iOS is safer, more likely to get patc by RotateLeftByte · · Score: 4, Insightful

    Some of Android is Open Source. Please get your facts right.
    There are many bits such as the cough-cough Broadcom drivers that are closed source.

    --
    I'd rather be riding my '63 Triumph T120.
  13. Can attack from any WiFi device, not just APs by Xanni · · Score: 2

    The attack doesn't require a rogue access point, as it uses a Peer-to-Peer (Ad-Hoc) WiFi protocol. Vulnerable WiFi chipsets can be attacked by any other WiFi device in range.

    --
    http://www.glasswings.com/
  14. Re:Wonderful by gsslay · · Score: 2

    So you're asking for the security of devices to be validated by people who are "just curious" and as a "hobby"?

    I think I'd prefer a full-time professional who has their livelihood at stake in doing a good job, and the time and resources to do it.

    BTW, nice air quotes. They have a nice bias shine to them.

    They're quotes. As in; quoting the exact words of the post you are replying to.

  15. Re:Wonderful by Anonymous Coward · · Score: 2, Insightful

    I'm not the OP you're responding to but I would assume the idea was that the chipset manufacturers have to pay for it.

    Ah yes, the old argument that manufacturers should pay more from their magical money trees.

    The only person that pays for anything is the end consumer, and they've long since proven that they are not willing to pay for any level of security. The only thing that will get them to pay more than the cheapest price is shininess and peer pressure (which is related to the in-vogue definition of shininess).

  16. Re:Can attack from any WiFi device, not just APs by monkeyzoo · · Score: 3, Informative

    Not exactly. From the blog post, you can see that the attack can only be performed by another peer on the same wifi network. So at least if you are on a secure, private network, you are safe.

    Lastly, as we’ll see later on, triggering these two vulnerabilities can be done by any peer on the Wi-Fi network, without requiring any action on the part of the device being attacked (and with no indication that such an attack is taking place).

  17. Re:Wonderful by monkeyzoo · · Score: 4, Informative

    It's not actually as bad as all that luckily. From the blog post, the attack can only be performed by another peer on the same wifi network. So at least if you are on a secure, private network, you are safe.

    Lastly, as we’ll see later on, triggering these two vulnerabilities can be done by any peer on the Wi-Fi network, without requiring any action on the part of the device being attacked (and with no indication that such an attack is taking place).

  18. Re:Wonderful by Ol+Olsoc · · Score: 4, Insightful

    You're still connected to a cell network.

    It's a vulnerability, but let's be honest here, as much as Apple fans love to tout that it's safer for viruses, that's certainly not the case.

    So If I'm getting you straight, this is an Apple problem, not an Android problem.

    Apple patched it. Most Android devices won't/can't. It takes a special level of denial to try to do what you tried to do. Do go on though.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  19. Hooray for Lineage OS by drinkypoo · · Score: 2

    CM died and begat Lineage OS. And now I'm getting ~weekly updates for my Moto G 2nd, which has of course been left behind by Motorola.

    OSS FTW

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"