Many Android Phones Vulnerable to Attacks Over Malicious Wi-Fi Networks

There's a blog post from Google's Project Zero detailing an attack against Android phones over Wi-Fi. From Ars Technica:

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction."

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post.

The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.
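The article describes the core defect as frames carrying "irregular values" that the chip's firmware trusts when filling fixed-size buffers. The following is an added illustration, not code from Project Zero, Broadcom or Ars Technica, and it assumes nothing about the actual Broadcom bug: it parses 802.11 information elements (1-byte ID, 1-byte length, value) into a fixed 32-byte SSID buffer and shows the two length checks whose absence turns an attacker-chosen length byte into a stack overflow. The sample frames are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 management frames carry information elements as TLVs:
 * a 1-byte element ID, a 1-byte length, then up to 255 bytes of value.
 * Element ID 0 is the SSID, whose value is at most 32 bytes. */
#define SSID_ELEMENT_ID 0
#define SSID_MAX_LEN    32

typedef struct {
    uint8_t ssid[SSID_MAX_LEN];   /* fixed-size destination (a stack buffer in firmware) */
    uint8_t ssid_len;
} ssid_result_t;

/* Walk the element list and copy the SSID into out.
 * Returns 0 on success, -1 if no SSID is found or any element is malformed.
 * An unchecked parser would trust the frame's length byte and memcpy() up to
 * 255 bytes into the 32-byte buffer; that mismatch between an advertised
 * length and a fixed buffer is the kind of "irregular value" bug the article
 * describes, so both checks below are the defensive point of this example. */
int parse_ssid_element(const uint8_t *frame, size_t frame_len, ssid_result_t *out)
{
    size_t off = 0;
    while (off + 2 <= frame_len) {
        uint8_t id = frame[off];
        uint8_t len = frame[off + 1];
        /* Check 1: the advertised length must not run past the received frame. */
        if (len > frame_len - off - 2)
            return -1;
        if (id == SSID_ELEMENT_ID) {
            /* Check 2: the advertised length must fit the destination buffer. */
            if (len > SSID_MAX_LEN)
                return -1;
            memcpy(out->ssid, frame + off + 2, len);
            out->ssid_len = len;
            return 0;
        }
        off += 2 + (size_t)len;  /* skip elements this parser does not handle */
    }
    return -1;  /* no SSID element present */
}

/* Constructed sample frames (not captured traffic). */
/* Benign: SSID "home" followed by a one-byte Supported Rates element. */
static const uint8_t kGoodFrame[] = { 0x00, 0x04, 'h', 'o', 'm', 'e', 0x01, 0x01, 0x82 };
/* Truncated: claims 255 bytes of SSID but only 3 bytes follow (fails check 1). */
static const uint8_t kTruncatedFrame[] = { 0x00, 0xFF, 'A', 'A', 'A' };

/* Parses the benign frame; returns the SSID length (4) on success, negative on failure. */
int check_good_frame(void)
{
    ssid_result_t r;
    if (parse_ssid_element(kGoodFrame, sizeof kGoodFrame, &r) != 0)
        return -1;
    return memcmp(r.ssid, "home", 4) == 0 ? r.ssid_len : -2;
}

/* Parses the truncated frame; the parser must reject it (-1). */
int check_truncated_frame(void)
{
    ssid_result_t r;
    return parse_ssid_element(kTruncatedFrame, sizeof kTruncatedFrame, &r);
}

/* Builds a frame whose SSID length (40) lies inside the frame but exceeds the
 * 32-byte destination, so it passes check 1 and must be stopped by check 2 (-1). */
int check_oversized_ssid(void)
{
    uint8_t frame[2 + 40];
    ssid_result_t r;
    frame[0] = SSID_ELEMENT_ID;
    frame[1] = 40;
    memset(frame + 2, 'B', 40);
    return parse_ssid_element(frame, sizeof frame, &r);
}

int main(void)
{
    printf("benign frame: SSID length %d\n", check_good_frame());
    printf("truncated frame: %d\n", check_truncated_frame());
    printf("oversized SSID: %d\n", check_oversized_ssid());
    return 0;
}
```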

Slashdot thread.

Posted on April 6, 2017 at 7:52 AM • 38 Comments

Comments

Who? April 6, 2017 8:03 AM

In other words, Google is releasing this information but patches will be available only for the most recent products (I think they call them "Pixel" these days) ⇒ people who do not think for themselves will buy new "secure" Android phones, increasing Google's profit as a consequence of not fixing this serious vulnerability on older devices.

It is not funny.

Matteo April 6, 2017 8:07 AM

The more I read about bugs, the more I find "irregular values". Programmers should stop thinking "if this value is invalid no one will use it" and start removing undefined behavior as much as possible;

from:
no one will use it
to:
if someone uses it, throw an exception

Michael April 6, 2017 8:45 AM

iOS is patched.

A good portion of Android devices out in the field probably never will be.

I favor mandatory security labelling.

It's a different world. The Apple //e was a consumer-focused computer. The Tandy CoCo as well. The average consumer then is still far different than the consumer today. The consumer base is now very largely uninitiated.

Your cereal tells you how much sodium you're going to take in. Mandatory labelling allows consumers to easily tell if the food they're about to buy is good for them. I think doing the same for "network connected devices" should be considered. It should explain when the software preinstalled was built, what commitment exists for new software releases, what commitment exists for security patches. It may include a QR code to more up-to-date information. A "security facts" label, I think, is what's needed.

Bruce Schneier April 6, 2017 8:48 AM

"In other words, Google is releasing this information but patches will be available only for the most recent products (I think they call them 'Pixel' these days) ⇒ people who do not think for themselves will buy new 'secure' Android phones, increasing Google's profit as a consequence of not fixing this serious vulnerability on older devices."

Thank you for making this connection. I was wondering why Google would release this vulnerability, and had forgotten that they're making their own phones now.

only tyrants censor April 6, 2017 8:59 AM

@Bruce Schneier,

Gee, you are one of those who still believe that Google is motivated solely by altruistic motives?

For those who don't follow the financial press, here are the numbers for Google's most recent fiscal year, which ended on December 31st, 2016:

https://finance.yahoo.com/quote/GOOGL/financials?p=GOOGL

Revenue: 90 billion dollars.
Profit after taxes: 19.5 billion dollars.

That's right, Google is a cash-making machine. How is Google making most of its money? You got it, by attempting to spy on as many of us as possible.

When I was little, Hans Christian Andersen's tales were among my favorites. I have a special place in my heart for one called "The Emperor's New Clothes".

Only those who are not tainted by Google money can accurately be called objective experts in security.

only tyrants censor April 6, 2017 9:56 AM

@Michael

"The average consumer then is still far different than the consumer today. The consumer base is now very largely uninitiated."

That's a very interesting observation. I imagine most regular readers here are geeks who felt isolated by the "cool guys" while growing up. I always use my non geek friends, and family members, as a bellwether of whether something is a true technological breakthrough or it is something presented as good technology but in fact it is BS packaged for the cool guys.

I was the first member of my household to have a personal computer. Similarly, I was the first member of my household to get an internet connection and email. Now I am the only member of my household who doesn't have social media accounts or use a smartphone, precisely because my privacy interests trump a desire for being "cool".

We are in a situation now in which important decisions about technology are being made by morons because morons are the most important market for technology. This is not very different from what happens in other areas of life, but it is sad for those of us who are geeks.

Dirk Praet April 6, 2017 10:29 AM

@ Michael

iOS is patched.

Yes and no. All recent iOS devices can do over-the-air updates to 10.3.1. A number of less recent devices like the iPhone 5/5C don't see either 10.3 or 10.3.1, but can still be updated through iTunes. Older devices like first generation iPods (1-5), iPhones below the 5, iPads below the 4 and the iPad mini 1 remain stuck on iOS 9.3.5 and don't get the fix.

As to Android: it's a lost cause. Unless you have a recent model from Google itself, put your device up on eBay. If you've got one issued by AT&T, Verizon, Comcast or other known spyware carriers who generally can't be bothered with security updates, consider wiping the device entirely and replacing the firmware with LineageOS (successor of CyanogenMod) as soon as it becomes stable and your device supports it.

More paranoid types with recent 64-bit Nexus 9, 5X and 6P devices can also go for CopperheadOS, a hardened Android with PaX and OpenBSD malloc. Those hooked on Android and with plenty of money to spend can also go for Silent Circle's Blackphone 2 with its security-hardened Silent OS.

Disclaimer: all usual restrictions apply in the sense that there is no such thing as a secure smartphone. From a security vantage, some just s*ck more than others.

@ only tyrants censor

Weren't you told to go take your fury elsewhere? Way too many old and new sockpuppets here ...

only tyrants censor April 6, 2017 10:43 AM

@Dirk Praet,

I find your lack of humor "infuriating" :-). Look, Bruce cannot have it both ways:

- If he wants a website that promotes a particular ideology, he should make signing up with people's real names a precondition for commenting.

- If he wants to be an advocate for digital privacy and digital freedom he must let people comment anonymously. So he will have to put up with people he doesn't like.

My opinion is that Bruce isn't really an advocate for digital privacy. His only concern is that people he doesn't like access his data. That's why he is more lenient with dragnet collection when Obama does it, but absolutely infuriated when Trump does the same. Similarly, he goes around being nice to Google because he likes Google -probably Google's donations to EFF have something to do with it- but he is unhappy when ISPs do the same thing as Google does.

I am a true advocate of digital privacy. I don't care if you are Google, Comcast, Obama's NSA or Trump's NSA. Preying on people's digital lives is wrong. Period, no "but". My reference when it comes to defending digital privacy is Moxie Marlinspike, even though I do not agree with his anarchist politics.

Steve B April 6, 2017 10:47 AM

Whilst I can see @Michael's point about Google's behaviour probably being far from altruistic in these cases, it is important not to forget that there are other parties in the Android ecosystem who equally have a moral (if not legal) obligation to ensure that patches for security issues get rolled into as many of their current AND PAST products as possible (is 5 years a good age cut-off?).

If we contend that both Apple and Google have moral (if not legal) obligations to address security issues in their products, then this obligation MUST apply to all the parties in the chain.

The manufacturers who use Android have an obligation to update the OS to at least the same level as Google and should, I contend, be obliged to do so for all phone models they have manufactured within the last 5 years.

Likewise, the mobile operators who insist on customising Android phones to include their own branding and apps have exactly the same moral obligation to ensure that fixes are passed on to the devices that they have sold to consumers.

Every time this patching argument arises, it seems to turn into a Google vs Apple discussion, but the bigger story is that the manufacturers and mobile operators are hiding behind these arguments, and will continue to do so until such time as a case is brought against them for negligence. Without a big stick behind them, all the parties will continue to be happy for vulnerabilities to become a driver for regular sales of newer 'updated' models. Of course, asking governments to step in might not help here (does it ever?), because they too make money out of this in the form of the taxes raised as a result of the regular "upgrade cycle" sales.

Anon April 6, 2017 11:03 AM

If an OS vendor chooses NOT to make their new OS work on older hardware, they should still be required to provide security fixes. This will have one of two effects:

1) Either they will stop with the rubbish that newer OS can only run on newer hardware and make the latest OS work on older hardware (I have a hard time believing the new OS is so radically different)

or

2) They must be made to state a support period after which new updates will not be available, at the time of sale, so consumers know after e.g. 18 months their device will not be updated. This will hopefully force the vendors to then support older hardware for longer.

As it is, this cycle of only being able to get the latest version with new hardware is just a ploy to push new hardware and make $$$. It needs to stop.

only tyrants censor April 6, 2017 11:04 AM

@Steve B

"If we contend that both Apple and Google have moral (if not legal) obligations to address security issues in their products, then this obligation MUST apply to all the parties in the chain."

Corporations, not only Apple and Google, have only one moral obligation: profit. Everything that they do has to be understood from that point of view. The same applies to ISPs, BTW.

The combinations "moral company" or "ethical company" are oxymoronic.

The biggest triumph of companies like Apple and Google is that they have managed to convince large portions of the population that they are altruistic nonprofits. They are not. Nobody had a problem seeing profit as the ulterior motive in IBM and Microsoft, but for some reason thinking is clouded when it comes to Google and Apple.

Let's recap:

- Google's spying made the NSA's work so much easier that all the NSA had to do was work with its GCHQ pals to collect the data on Americans from the European fiber optics endpoints. To be fair to Google, it didn't do this to help the NSA, it did it to make 90 billion dollars a year out of data mining people's lives. I am not the first to note that the so-called "shared economy" is a new name for communism and indentured servitude.

- Apple has been at the forefront of stifling innovation with a dual approach: stealing other people's breakthroughs that they present as their own to their fan base and suing competitors with the backing of the most stupid patents the USPTO has ever issued.

That anybody sees altruism in the above is beyond me.

Anon April 6, 2017 11:08 AM

Android is open-source!!!

I have read this in various comment sections of news sites. Despite people repeating this ad nauseam, I've yet to see it actually work whereby someone fixed an issue and supplied or did an OTA update.

This fallacy that OSS is better really needs to stop. It is at best misleading, and at worst dangerous, because people constantly fall into this trap of believing their software of choice is more secure - this is not true.

Apple, evil empire of the world according to some, has released an update. Google has not. Why not?

Winter April 6, 2017 11:09 AM

"If an OS vendor chooses NOT to make their new OS work on older hardware, they should still be required to provide security fixes."

Translated to IoT devices, I do not see why it is not the company that sells the device that is responsible for giving the users the ability to upgrade.

Your suggestion means that absolutely NO ONE can deliver OS' for IoT devices. That might look like a good idea, but I doubt it.

Winter April 6, 2017 11:14 AM

@Anon
"Despite people repeating this ad nauseam, I've yet to see it actually work whereby someone fixed an issue and supplied or did an OTA update."

The patches are there, but users cannot update their mobile phones. They do not have root access, you know.

r April 6, 2017 11:21 AM

@winter,

And you're certain this covers our 5's?

@all,

This looks like an over the air update to me already.

Anon April 6, 2017 11:23 AM

@Winter:

I don't understand your first comment about IoT. If I buy a Google Pixel phone, it doesn't matter where I bought it, right? So I should be able to go to Google's website and update it and not rely on my phone provider of choice to do it. Ergo, it should be the manufacturer that is required to provide updates, and not leave it up to a downstream 3rd party.

As for your second comment, I know this is currently the case. Especially when it comes to Android devices, and everyone saying how open-source means you can do anything, I find it particularly jarring that it isn't actually true due to the root access problem. As we know, locking users out of root does not increase security, and in fact reduces it.

Michael April 6, 2017 11:29 AM

@Steve B
Just housekeeping: the point you mention as being mine actually belongs to the first post, from "Who?" It looks like Bruce's reply attached to my post and not the one penned by "Who?"

@only tyrants censor
I don't think I can claim to have been a cool guy growing up. I don't think I can agree with "morons" so much as uninitiated. I'm trying to select a term that recognizes that the users of technology are using the technology as a tool in service to an end. Infosec is a complex discipline. Technology users often have complex disciplines of their own. I let others be experts on my, say, gastroenterological decisions, or my legal decisions. I am not a lawyer, and I am not a doctor, and it's as unreasonable to expect me to be one of those as for them to have to carry the expectation that they're infosec professionals. My hope is that labeling would just put in the forefront the five or six bits of information an infosec expert would hope a buyer would have. "When it comes out of the box, it'll be six months out of date. It's never going to get the next version of Android. It will get monthly patches to this version of Android until December 31, 2019, after which, you should reduce your trust that it'll be a safe device."

@Dirk Praet
Fair point about iOS. Still, I see we're agreed that iOS updates are better than Android. I should point out that my position re: labeling wasn't about how to fix Android. It was about helping to establish information parity to help the free market select for security. If this tablet from Asus is going to get patched till 2018, and that one from Motorola will be patched till 2020, that's a good thing. Breakfast cereals compete on whole grains, they compete on fiber, but they also compete on toys. If the market knows a tablet is insecure, they may not care.
Still, good information re: CopperheadOS et al.

Bob Dylan's Runny Nose April 6, 2017 11:29 AM

Corporations, not only Apple and Google, have only one moral obligation: profit. Everything that they do has to be understood from that point of view.

I wish people would think about this truth more. The only duty a corporation has is to its shareholders. Every other duty a corporation has is derivative of this duty, including the duty to obey the law.

"The same applies to ISPs, BTW."

This is not necessarily true as it is the core of the "common carrier" debate in the USA. An ISP can be a public utility (and IMO should be a public utility). Not all companies are created equal in the eyes of the law.

"That anybody sees altruism in the above is beyond me."

It is not beyond me. People are naive. Look at the people who trusted the VPN service "Hide My Ass" to hide their ass and as soon as the FBI came calling sold out their users.

https://www.theatlantic.com/technology/archive/2011/09/lulzsec-hacker-exposed-service-he-thought-would-hide-him/337545/

One would think that people would not be so naive as to put their life in the hands of someone who owes them no duty whatsoever. One would be wrong. FWIW that VPN is still in existence and still going strong.

Anura April 6, 2017 11:36 AM

@Anon

As we know, locking users out of root does not increase security, and in fact reduces it.

There are many reasons carriers block root access, none of which has to do with security. Verizon, for example, makes it so you can't get rid of certain notifications like the wifi notification if you buy their contract phones, in order to try and get you to connect to wifi just out of annoyance that the stupid thing keeps popping up, since using wifi doesn't cost them anything.

I've also noticed that they are making it take longer and longer to check voicemail - another notification you can't get rid of if you don't root the phone, but in this case you can't even make it go away temporarily - which I assume is to try and make people so annoyed that they pay for visual voicemail.

That's on top of all the spyware, and the stupid apps that companies pay them to install on your phone. The goal is to try and control your devices to manipulate you for the sake of squeezing as much money as they can get out of you.

only tyrants censor April 6, 2017 11:58 AM

@Bob Dylan's Runny Nose

"One would think that people would not be so naive as to put their life in the hands of someone who owes them no duty whatsoever. One would be wrong. FWIW that VPN is still in existence and still going strong"

This is a very profound statement. And as with many profound truths in life, one can find that the Bible mentioned it first. I think that a lot of people in this crowd will find the first chapter of Ecclesiastes very enlightening:

https://www.biblegateway.com/passage/?search=Ecclesiastes+1&version=ESV

Trusting that any thing done by humans will bring spiritual salvation is a futile exercise.

This doesn't mean that we should become cynics and see bad intent in everything others do, however, when there is clear evidence of a conflict of interests, it would be naive to blindly trust anybody.

For example, when EFF gives its highest marks to Google and Facebook when it comes to privacy while public records show that EFF has gotten funding from both, you have to highly question their rating.

For example, when a simple search shows many videos of Bruce being invited to talk at Google campuses and he being reluctant to tell them to their face that they are the biggest threat to online privacy we currently have on the planet, you have to question whose side Bruce is on when it comes to matters that involve Google.

Who? April 6, 2017 12:03 PM

@ Steve B

If we contend that both Apple and Google have moral (if not legal) obligations to address security issues in their products, then this obligation MUST apply to all the parties in the chain.
[...]
Every time this patching argument arises, it seems to turn into a Google vs Apple discussion, but the bigger story is that the manufacturers and mobile operators are hiding behind these arguments, and will continue to do so until such time as a case is brought against them for negligence.

Of course, it is not a Google vs. Apple discussion, this one is a serious problem that affects the entire industry. I was just focusing on the fact that Google seems to despise the security of its customers if it means an increased profit in the next year.

I agree with Michael about using a mandatory security labelling for networking products. We need a serious approach to security that affects all the industry, we need a verifiable compromise from manufacturers to support their products for at least ten years. It is not like asking for "new features for a decade," we are asking only to backport the security patches so these devices remain secure.

Anon April 6, 2017 12:09 PM

@Anura:

Many Android phone warranties are linked to whether the user did something to gain root privileges. The Telcos argue it is to secure the device, which isn't true, hence my comment (it's really about control).

Winter April 6, 2017 12:29 PM

@Anon
"If I buy Google Pixel phone, it doesn't matter where I bought it, right?"

Sorry, but your provider has, most likely, replaced the image running on the phone. They also have locked down the phone. Therefore, they are the ones legally responsible for the software on the phone.

Winter April 6, 2017 12:43 PM

@r
"And you're certain this covers our 5's?"

No, I just saw that there was a system update today. I have no idea what is in it. But, I do not know of any reason for Google to give out a press release and an update on the same day and not covering the bug in the update.

But I can be wrong about this.

Dirk Praet April 6, 2017 1:01 PM

@ Who

I agree with Michael about using a mandatory security labelling for networking products.

I don't really believe in "golden security" labels. Legally requiring a reasonable period for security updates or even making it mandatory to publish in bold such period (if any) on product and packaging would already be a huge step in the right direction.

@ Anon

As we know, locking users out of root does not increase security, and in fact reduces it.

What gives you that idea? In general, giving ordinary users (or processes) root is a recipe for disaster. That's why pretty much every vendor, even of COTS OS'es, has turned away from it and those with RBAC have even made it a role rather than a user.


@ Moderator, @ only tyrants censor (AKA @infuriating double standards thingie)

Look, Bruce cannot have it both ways

Actually, he can. If you come to this blog expecting a crowd of alt-right supporters all in favour of deregulation and a host furiously lashing out at anyone and anything he has issues with, you're in the wrong place to begin with. Our host is very much entitled to his opinions, whatever they are, and however controversial you may find them. It's his blog. Full stop.

Secondly, however much your 1st Amendment rights allow you to rant to your heart's content, neither our host nor anyone else here are under any obligation to listen to them. It's our host who determines the rules of engagement, not you. If you don't like them, start your own blog.

It's not any different in a club in meat space: no insulting the barkeep or pissing on the dance floor. And when the bouncer asks you to leave, you leave. Returning the next day wearing solar glasses and a fake moustache does not change that. Which goes both for yourself and yesterday's other joker who previously got banned under the @Trump Supporter moniker.

My Info April 6, 2017 1:18 PM

Many Android Phones Vulnerable to Attacks Over Malicious Wi-Fi Networks
... the firmware running on Broadcom's wireless system-on-chip ... overflow its stack.

On one hand this is the stupidest thing I've ever heard, and on the other hand, it bears repeating and publicizing until people are blue in the face and ready to lynch the creators and copyright-holders of this "firmware."

RIAA thieves in law own all Wi-Fi firmware, which by federal law must be proprietary and is a felony for the user to repair or replace. All Wi-Fi hardware on which this firmware runs enjoys privileged Direct Memory Access to the main device's (phone's or tablet's) main memory. This is the way they made this shit. This is the way they wanted it. Are you people finally starting to understand?

only tyrants censor April 6, 2017 1:35 PM

@Dirk Praet

"however much your 1st Amendment rights allow you to rant to your heart's content, neither our host nor anyone else here are under any obligation to listen to them. It's our host who determines the rules of engagement, not you. If you don't like them, start your own blog"

Did I say anything to the contrary of this? There is a difference between what the law says -thank God the US is built on the notion of https://en.wikipedia.org/wiki/Negative_liberty - and what is good for the infosec community. Simply put, Bruce cannot have it both ways: being a puppet of Google and then going around pretending he deeply cares about our online freedom and rights. It doesn't fly.

Moderator April 6, 2017 1:45 PM

@only tyrants censor AKA @I find the double standard infuriating: Again, please take your fury elsewhere.

My Info April 6, 2017 1:57 PM

@Dirk Praet

As we know, locking users out of root does not increase security, and in fact reduces it.

What gives you that idea? In general, giving ordinary users (or processes) root is a recipe for disaster. That's why pretty much every vendor, even of COTS OS'es, has turned away from it and those with RBAC have even made it a role rather than a user.

Very true. However, the Owner of the device (who paid certain Monies to the Vendor of the device in exchange for a lawful transfer of ownership and legal alienation of said device in a commercial transaction otherwise known as a Sale) needs some way to access root on the device, preferably by following instructions in the Owner's Manual that should have accompanied the device when it was sold. Otherwise, the Owner is definitely pressing criminal charges for Fraud against the Vendor of said device.

The Owner's role as an ordinary user doing ordinary tasks certainly should not need root access.

It's not any different in a club in meat space: no insulting the barkeep or pissing on the dance floor. And when the bouncer asks you to leave, you leave.

@Moderator: Please. In such a *ahem* district, one must carefully assess the alcohol content, purity, and quantity of the beverages served by the "barkeep" before levying such serious criminal charges as "pissing on the dance floor" ....

ab praeceptis April 6, 2017 3:02 PM

Bruce Schneier

... Google ... and [I] had forgotten that they're making their own phones now.

Do they really? I'm not interested enough in smartphone thingies but I seem to remember that they do *not* anymore.

From what I remember

- they sold Motorola (or at least the smartphone unit) again
- their "Google Nexus" phones are actually built by some of their biggest Android players (LG, Samsung, ...).

r April 6, 2017 5:01 PM

@My Info,

I believe, if you look at replicant - that not ALL devices are structured in that way but as is not indicated that the list is ever dwindling.

Who? April 6, 2017 5:18 PM

@ ab praeceptis

Google provides the software, not the hardware. They choose different corporations to build the physical devices (Asus, LG, Samsung, Motorola, ...), however the hardware strictly follows Google specs. They do not have the required infrastructure to build high quality devices.

Google is a software company that joins efforts with multiple hardware manufacturers to build these devices. It is true, however, that they sold Motorola to Lenovo two years ago, but they are still in the business of selling tablets and smartphones, I think.

r April 6, 2017 5:37 PM

I thought they gutted Moto prior to selling it and that the Pixels are an attempt at a vertically merged development stack.

It begs the question.

@winter,

We'll have to deep dive that update/changed.toc ;-)

Google likely only released it as an affront to a declassification of it, i wonder if it was too low laying of fruit post truth.

Thoth April 6, 2017 8:55 PM

@only tyrants censor et al.

This is Bruce's blog (his digital territory) so he does what he likes including censoring.

You can say whatever you want if you have your own blog, forum or website that you build or register else you gotta follow the owner of the blog/forum/website.

Vargas April 6, 2017 9:04 PM

> Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices

What does "vulnerable devices" refer to? The phones, or just their Wifi chips?

ab praeceptis April 6, 2017 10:25 PM

what the heck + some other names

For the record: I expressly *laud and welcome* Bruce Schneier/Moderator "censoring" you, alone for the fact that you use multiple names.

As for the matter itself I recommend reading Schopenhauer: Your freedom ends where the freedom of others begins.

Your freedom, for instance, certainly does not include the right to shit on ours by playing your sockpuppet games.
