
Android’s April security patch fixes a major vulnerability to hijacks over WiFi

There's always some new security flaw that needs patching. It's been revealed that some Broadcom Wi-Fi chips allow rogue Wi-Fi signals to execute code of an attacker's choosing. Google has fixed this in the April security update, but it can take a while before devices receive it, and some devices won't get the update at all.


The Broadcom chip is used in both iOS and Android devices. Apple already patched the vulnerability, but Google is still in the process of releasing the fix. The lack of security protections in the Broadcom chip made it a prime target. It's a pretty severe vulnerability, so make sure you update your device as soon as possible.

A broad array of Android phones are vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction."

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post.

The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.

Basic mitigations missing

Besides the specific stack overflow bugs exploited by the proof-of-concept attack, Beniamini said a lack of security protections built into many software and hardware platforms made the Broadcom chipset a prime target.

"We've seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security," he wrote. "Specifically, it lacks all basic exploit mitigations—including stack cookies, safe unlinking and access permission protection (by means of [a memory protection unit.])"

The Broadcom chipset contains an MPU, but the researcher found that it's implemented in a way that effectively makes all memory readable, writeable, and executable. "This saves us some hassle," he wrote. "We can conveniently execute our code directly from the heap." He said that Broadcom has informed him that newer versions of the chipset implement the MPU more effectively and also add unspecified additional security mechanisms.
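The flaw described above is a stack overflow triggered by frames carrying length values the firmware trusts, on a chip with no stack cookies or MPU enforcement to catch the overwrite. The following is an added illustrative example, not Broadcom's firmware or Project Zero's code: a bounds-checked parser for a constructed tag/length/value frame body (the layout, buffer size and sample frames are all assumptions made for this example), showing the input check whose absence lets a declared length overrun a fixed-size stack buffer.

```c
/* Added example: bounds-checked parsing of a constructed TLV-style frame body.
 * Layout assumed for this example: repeated [tag:1][len:1][value:len] elements.
 * This is not Broadcom's frame format or code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_IE_VALUE 8   /* fixed-size stack buffer; an unchecked memcpy would trust len here */

/* Returns the number of elements parsed, or -1 if any element's declared
 * length runs past the end of the frame or past the local stack buffer.
 * The second check is the one that prevents the stack overflow; stack
 * cookies and an enforced MPU would only be a second line of defence. */
int parse_elements(const uint8_t *frame, size_t frame_len)
{
    size_t off = 0;
    int count = 0;
    while (off < frame_len) {
        uint8_t value[MAX_IE_VALUE];
        if (frame_len - off < 2)          /* truncated element header */
            return -1;
        uint8_t tag = frame[off];
        uint8_t len = frame[off + 1];
        off += 2;
        if (len > frame_len - off)        /* declared length exceeds the frame */
            return -1;
        if (len > sizeof(value))          /* declared length exceeds the buffer */
            return -1;
        memcpy(value, frame + off, len);  /* safe only because of the checks above */
        (void)tag;
        off += len;
        count++;
    }
    return count;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_frame[] = { 0x00, 0x03, 'a', 'b', 'c', 0x01, 0x02, 0x11, 0x22 };
/* Element claims 200 bytes of value: far more than the frame actually holds. */
static const uint8_t bad_frame[] = { 0x00, 0xC8, 'x', 'y', 'z' };
/* Element's 10-byte value fits in the frame but not in the 8-byte stack buffer. */
static const uint8_t oversize_frame[] = { 0x02, 0x0A, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };

int main(void)
{
    printf("good: %d\n", parse_elements(good_frame, sizeof good_frame));         /* 2 */
    printf("bad: %d\n", parse_elements(bad_frame, sizeof bad_frame));            /* -1 */
    printf("oversize: %d\n", parse_elements(oversize_frame, sizeof oversize_frame)); /* -1 */
    return 0;
}
```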

Given the severity of the vulnerability, people with affected devices should install a patch as soon as it's available. For those with vulnerable iPhones, that's easy enough. As is all too often the case for Android users, there's no easy way to get a fix immediately, if at all. That's because Google continues to stagger the release of its monthly patch bundle for the minority of devices that are eligible to receive it.

At the moment, it's not clear if there are effective workarounds available for vulnerable devices. Turning off Wi-Fi is one possibility, but as revealed in recent research into an unrelated Wi-Fi weakness involving Android phones, devices often relay Wi-Fi frames even when Wi-Fi is turned off. This post will be updated if word of a better workaround emerges.



via Blogger http://ift.tt/2p8R943
