
Android’s April security patch fixes a major vulnerability to hijacks over WiFi

There's always some new security flaw that needs patching. It's been revealed that some Broadcom chips allow rogue Wi-Fi signals to execute code of the attacker's choosing. Google has fixed this in the April security update, but it can take a while before devices receive it, and some devices won't get the update at all.


The Broadcom chip is used in both iOS and Android devices. Apple already patched the vulnerability, but Google is still in the process of releasing the fix. The lack of security protections in the Broadcom chip made it a prime target. It's a pretty severe vulnerability, so make sure you update your device as soon as possible.

A broad array of Android phones are vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction."

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post.

The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.

Basic mitigations missing

Besides the specific stack overflow bugs exploited by the proof-of-concept attack, Beniamini said a lack of security protections built into many software and hardware platforms made the Broadcom chipset a prime target.

"We've seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security," he wrote. "Specifically, it lacks all basic exploit mitigations—including stack cookies, safe unlinking and access permission protection (by means of [a memory protection unit])."

The Broadcom chipset contains an MPU, but the researcher found that it's implemented in a way that effectively makes all memory readable, writeable, and executable. "This saves us some hassle," he wrote. "We can conveniently execute our code directly from the heap." He said that Broadcom has informed him that newer versions of the chipset implement the MPU more effectively and also add unspecified additional security mechanisms.

Given the severity of the vulnerability, people with affected devices should install a patch as soon as it's available. For those with vulnerable iPhones, that's easy enough. As is all too often the case for Android users, there's no easy way to get a fix immediately, if at all. That's because Google continues to stagger the release of its monthly patch bundle for the minority of devices that are eligible to receive it.

At the moment, it's not clear if there are effective workarounds available for vulnerable devices. Turning off Wi-Fi is one possibility, but as revealed in recent research into an unrelated Wi-Fi-related weakness involving Android phones, devices often relay Wi-Fi frames even when Wi-Fi is turned off. This post will be updated if word of a better workaround emerges.



via Blogger http://ift.tt/2p8R943
