
Android’s April security patch fixes a major vulnerability to hijacks over WiFi

There's always some new security flaw that needs patching. It's been revealed that some Broadcom chips allow rogue Wi-Fi signals to execute code of an attacker's choosing. Google has fixed this in the April security update, but it can take a while before devices receive it, and some devices won't get the update at all.


The Broadcom chip is used in both iOS and Android devices. Apple already patched the vulnerability, but Google is still in the process of releasing the fix. The lack of security protections in the Broadcom chip made it a prime target. It's a pretty severe vulnerability, so make sure you update your device as soon as possible.

A broad array of Android phones are vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction."

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post.

The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.

Basic mitigations missing

Besides the specific stack overflow bugs exploited by the proof-of-concept attack, Beniamini said a lack of security protections built into many software and hardware platforms made the Broadcom chipset a prime target.

"We've seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security," he wrote. "Specifically, it lacks all basic exploit mitigations—including stack cookies, safe unlinking and access permission protection (by means of [a memory protection unit])."
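To make the two points above concrete (a frame carrying an irregular length value overflowing a firmware stack buffer, and the absence of stack cookies that would otherwise catch it), here is an added, constructed C model. It is not Broadcom's code or frame format: the stack layout, the element structure and the cookie value are all assumptions, and the copies are bounded to the model's own memory so it runs safely on a host.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a firmware stack frame (hypothetical layout):
   a fixed buffer, then a stack cookie, then the saved return address. */
#define BUF_SZ 16u
#define COOKIE 0xC0FFEE42u

typedef struct {
    uint8_t  buf[BUF_SZ];   /* destination for a frame's information element */
    uint32_t cookie;        /* the stack cookie the article says the firmware lacks */
    uint32_t saved_ret;     /* return address an overflow would clobber */
} frame_t;

/* Hypothetical over-the-air element: one untrusted length byte plus payload. */
typedef struct { uint8_t len; const uint8_t *data; } element_t;

static void frame_init(frame_t *f) {
    memset(f, 0, sizeof *f);
    f->cookie = COOKIE;
    f->saved_ret = 0x00401000u;     /* constructed placeholder address */
}

/* Vulnerable pattern: the length field is trusted as-is, so an "irregular"
   length larger than BUF_SZ spills into the cookie and saved return.
   The copy is clamped to sizeof(*f) only so the simulation stays in-bounds. */
static void handle_element_vuln(frame_t *f, const element_t *e) {
    size_t n = e->len;
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, e->data, n);          /* overflows f->buf when e->len > BUF_SZ */
}

/* Hardened pattern: validate the length against the destination before
   copying. Returns 0 on success, -1 when the element is rejected. */
static int handle_element_safe(frame_t *f, const element_t *e) {
    if (e->len > BUF_SZ) return -1;
    memcpy(f->buf, e->data, e->len);
    return 0;
}

/* What a stack-cookie check does at function return: 1 if the frame is
   intact, 0 if the cookie (and therefore likely saved_ret) was overwritten. */
static int frame_intact(const frame_t *f) {
    return f->cookie == COOKIE;
}
```

With the cookie present the corruption is detected before the function returns; without it (as described for this firmware) the overwritten return address is used silently.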

The Broadcom chipset contains an MPU, but the researcher found that it's implemented in a way that effectively makes all memory readable, writeable, and executable. "This saves us some hassle," he wrote. "We can conveniently execute our code directly from the heap." He said that Broadcom has informed him that newer versions of the chipset implement the MPU more effectively and also add unspecified additional security mechanisms.

Given the severity of the vulnerability, people with affected devices should install a patch as soon as it's available. For those with vulnerable iPhones, that's easy enough. As is all too often the case for Android users, there's no easy way to get a fix immediately, if at all. That's because Google continues to stagger the release of its monthly patch bundle for the minority of devices that are eligible to receive it.

At the moment, it's not clear if there are effective workarounds available for vulnerable devices. Turning off Wi-Fi is one possibility, but as revealed in recent research into an unrelated Wi-Fi weakness involving Android phones, devices often relay Wi-Fi frames even when Wi-Fi is turned off. This post will be updated if word of a better workaround emerges.



via Blogger http://ift.tt/2p8R943

