
Android’s April security patch fixes a major vulnerability to hijacks over WiFi

There's always some new security flaw that needs patching. It's been revealed that some Broadcom Wi-Fi chips allow rogue Wi-Fi signals to execute code of the attacker's choosing. Google has fixed this in the April security update, but it can take a while before devices receive it, and some devices won't get the update at all.


The Broadcom chip is used in both iOS and Android devices. Apple already patched the vulnerability, but Google is still in the process of releasing the fix. The lack of security protections in the Broadcom chip made it a prime target. It's a pretty severe vulnerability, so make sure you update your device as soon as possible.

A broad array of Android phones are vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction."

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post.

The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.
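As an added illustration of the length validation a frame parser needs (this is not code from the article, from Project Zero or from Broadcom's firmware), here is a bounds-checked walker over 802.11 information elements that refuses any element whose length byte exceeds the remaining frame or the destination buffer. The frame bytes are constructed, and the SSID element is chosen only as a familiar fixed-size case; the article does not say which elements the real firmware mishandled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the article's or Broadcom's code. 802.11 management frames
 * carry information elements (IEs): 1-byte ID, 1-byte length, then the value.
 * Trusting that length byte while copying into a fixed stack buffer is the pattern
 * an irregular frame can abuse; here every length is checked before any copy. */
#define SSID_MAX 32   /* maximum SSID length defined by 802.11 */
#define IE_SSID  0    /* element ID of the SSID IE */
enum ie_status { IE_OK = 0, IE_TRUNCATED = -1, IE_OVERSIZE = -2, IE_NOT_FOUND = -3 };

/* Walk the IE list in frame[0..len) and copy the SSID into out (capacity
 * SSID_MAX + 1, NUL-terminated). A negative return means the frame is malformed. */
int extract_ssid(const uint8_t *frame, size_t len, char *out)
{
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 2)              /* the 2-byte header itself must fit */
            return IE_TRUNCATED;
        uint8_t id    = frame[pos];
        uint8_t ielen = frame[pos + 1];
        pos += 2;
        if (ielen > len - pos)          /* length must not exceed remaining bytes */
            return IE_TRUNCATED;
        if (id == IE_SSID) {
            if (ielen > SSID_MAX)       /* destination is fixed-size: reject, do not copy */
                return IE_OVERSIZE;
            memcpy(out, frame + pos, ielen);
            out[ielen] = '\0';
            return IE_OK;
        }
        pos += ielen;                   /* skip elements we do not handle */
    }
    return IE_NOT_FOUND;
}

/* Constructed sample frames for a stand-alone run. */
int main(void)
{
    static const uint8_t good[]  = { 0x01, 0x02, 0x82, 0x84,            /* Supported Rates */
                                     0x00, 0x04, 'l', 'a', 'b', '1' };  /* SSID "lab1" */
    static const uint8_t lying[] = { 0x00, 0xFF, 'x' };                /* claims 255, has 1 */
    char ssid[SSID_MAX + 1];
    int rc = extract_ssid(good, sizeof good, ssid);
    printf("good:  rc=%d ssid=%s\n", rc, ssid);
    printf("lying: rc=%d\n", extract_ssid(lying, sizeof lying, ssid));
    return 0;
}
```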

Basic mitigations missing

Besides the specific stack overflow bugs exploited by the proof-of-concept attack, Beniamini said a lack of security protections built into many software and hardware platforms made the Broadcom chipset a prime target.

"We've seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security," he wrote. "Specifically, it lacks all basic exploit mitigations—including stack cookies, safe unlinking and access permission protection (by means of [a memory protection unit])."

The Broadcom chipset contains an MPU, but the researcher found that it's implemented in a way that effectively makes all memory readable, writeable, and executable. "This saves us some hassle," he wrote. "We can conveniently execute our code directly from the heap." He said that Broadcom has informed him that newer versions of the chipset implement the MPU more effectively and also add unspecified additional security mechanisms.

Given the severity of the vulnerability, people with affected devices should install a patch as soon as it's available. For those with vulnerable iPhones, that's easy enough. As is all too often the case for Android users, there's no easy way to get a fix immediately, if at all. That's because Google continues to stagger the release of its monthly patch bundle for the minority of devices that are eligible to receive it.

At the moment, it's not clear if there are effective workarounds available for vulnerable devices. Turning off Wi-Fi is one possibility, but as revealed in recent research into an unrelated Wi-Fi-related weakness involving Android phones, devices often relay Wi-Fi frames even when Wi-Fi is turned off. This post will be updated if word of a better workaround emerges.



via Blogger http://ift.tt/2p8R943
