
Android devices can be fatally hacked by malicious Wi-Fi networks - leephillips
https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/
======
ams6110
FTA: _The Broadcom chipset contains an MPU, but the researcher found that it's
implemented in a way that effectively makes all memory readable, writeable,
and executable. "This saves us some hassle," he wrote. "We can conveniently
execute our code directly from the heap."_

How in this decade, with all we know and have learned about security and
exploits, can this kind of thing still happen?

~~~
bsder
How much money will this cost Broadcom? Exactly zero.

So, why should Broadcom care?

~~~
RachelF
In fact, they may make money off it, if the only mitigation is to buy a new
phone.

~~~
la_oveja
This has already been patched via software update.

~~~
IshKebab
And the patch has been distributed to 0.5% of people affected.

~~~
Pica_soO
For Android, that is very good upgrade coverage.

------
G3E9
What's the possibility of using this exploit to patch the vulnerable Android
systems? Or to root the phone? It'd be an interesting solution against the
time we'll have to wait for carrier services/manufacturers to straighten
themselves up.

(Say, if, oh I don't know... Knox and My Verizon got disabled or removed,
Verizon would have no proof to void my warranty. It was Starbucks' wifi,
promise!)

~~~
userbinator
That thought occurred to me too --- root the phone, patch the exploit, tell
the user they now have full control, and don't do anything else malicious.

It's somewhat amusing to consider that giving the user full control of the
device he/she owns may be regarded by some as malicious...

~~~
TACIXAT
The risk is if your payload is not perfect in all cases. Taken to the extreme,
you brick a mission critical device and cost a life. This is why malware
researchers don't write clean up code once they do C2 takeovers. If their
cleanup command wrecks a medical device or some other ancient box still
running XP, that's a lot of liability.

------
exabrial
We really need a release of Android that allows driver updates via
manufacturer packages and the app store. This is terrible.

~~~
djsumdog
It's not going to happen. Google makes a ton of money off the fact that people
dispose of cell phones every two years, so they're never going to patch their
insane OS model. I write about it a bit here:

[http://penguindreams.org/blog/android-fragmentation/](http://penguindreams.org/blog/android-fragmentation/)

..but the gist is that ARM isn't a PC. There's no platform. You've got random
pins connected to random shit and only a subset of devices that use Device
Tree. Even the ones that do still tend to have a ton of binary blobs and weird
kernel patches that can't be up-streamed.

In a way, Windows/x86 makes a lot more sense. You have a base operating
system. Any time you buy a new machine, you can wipe it, install the drivers
and you've got a nice bloat free OS (until Win10 Advert edition anyway).

You can't just run AOSP. There have been cases where AOSP releases on master
have failed to compile or require binary blobs. Maybe this weird Fuchsia crap
Google is working on will provide a standard/stabilized kernel and ABI, but I
wouldn't count on it.

At least Microsoft phones required UEFI, but they have locked bootloaders. If
we wanted decent 3rd party fully open operating systems, I'd say the old Nokia
devices would be the way to go if the bootloaders could be cracked.

~~~
djrogers
> Google makes a ton of money off the fact that people dispose of cell phones
> every two years

I've never seen any indication that Google makes a PENNY off of someone
disposing of their cell phones.

~~~
zaroth
Of course Google profits in many ways from more people having the most
powerful smartphones possible.

Throwing away an old phone and buying a new phone doesn't have to _directly_
fund Google for it to be undeniably profitable to Google.

That's not to say at all that Google is trying to arguably brick people's
phones to force them to upgrade more. That makes no sense at all. They just
don't have enough control over the ecosystem to fix the upgrade problem.

------
mintplant
What's murky to me is how to tell whether I'm affected. I have a BLU R1 HD
from Amazon which GSM Arena reports [0] has a Mediatek MT6735 SoC. Does that
mean I'm in the clear? I don't see any mention of Broadcom components, but I
guess there could be one packaged into something on the list.

[0] [http://m.gsmarena.com/blu_r1_hd-8171.php](http://m.gsmarena.com/blu_r1_hd-8171.php)

~~~
ReverseCold
This is why you either buy an iPhone, Pixel/Nexus, or learn how to port the
patches from Pixel/Nexus to your own device.

You could also trust someone on XDA, but that involves trusting a random
person.

Android security is abysmal.

~~~
bostand
Please, software is not perfect, you find bugs you fix them.

And for the record, MacBooks had a _very_ similar issue with Intel Wi-Fi
drivers not that many years ago.

~~~
dep_b
The big difference is that all affected MacBooks will get a patch if something
like this happens.

~~~
bostand
IIRC Apple tried to discredit Maynor instead of fixing the problem.

Also, remember that this new vulnerability was found by Google not Apple...

~~~
zwily
So? Most iPhones are patched already, or soon will be.

------
uam
Discussed here previously:
[https://news.ycombinator.com/item?id=14034092](https://news.ycombinator.com/item?id=14034092)

------
bitmapbrother
Remember Stagefright? What ever happened to that? The bloggers promised us all
an impending Android security armageddon (and you didn't even have to be on
the same WiFi network as this one requires). According to Google's SafetyNet,
which gathers telemetry from over 1.5 billion devices, not 1 occurrence of
Stagefright has ever been seen in the wild. Think about that for a second.

It turns out developing an exploit, chaining it with other exploits to get
around the Android security mitigations and then trying to make it work on
devices running different OEM builds of Android was more difficult than people
originally thought.

Moral of the story? Next time you hear horror stories about how susceptible
your device is to an exploit just remember Stagefright and what a dud that
turned out to be.

~~~
nikanj
Stagefright could be filtered out at operator/app level, unlike this.

~~~
bitmapbrother
Not really. Unless the carrier prevented the sending of MMS messages there
wasn't anything they could do. About the only change made to most apps was to
set the MMS auto play setting to off. Stagefright never amounted to anything
due in most part to the Android security mitigations and the differences in
each version of Android built by the OEM.

~~~
nikanj
Wait, are you saying MMS messages are direct peer-to-peer? My understanding
is, they go through the operators' MMS servers, where all sorts of antiviral
activities can take place.

------
MBlume
I'm unclear -- does the victim have to actively connect to a malicious
network, or does it work even if the victim is unconnected/connected to another
network?

~~~
msgilligan
> By using the frames to target timers responsible for carrying out regularly
> occurring events such as performing scans for adjacent networks, Beniamini
> managed to overwrite specific regions of device memory with arbitrary
> shellcode.

This implies that the exploit can happen when the phone is just scanning for
list of available networks.

~~~
Neeek
> Two of the vulnerabilities can be triggered when connecting to networks
> supporting wireless roaming features; 802.11r Fast BSS Transition (FT), or
> Cisco's CCKM roaming.

From reading the actual Project Zero post yesterday, the exploit was figured
out using the fast BSS transition which I think is for high frequency p2p
transmission, i.e. sending a video to your Chromecast. So you still have to be
connected to the same network.

[https://googleprojectzero.blogspot.com.au/2017/04/over-air-e...](https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html)

------
darklajid
"Smarter Wifi-Manager" might be a way to mitigate this, I hope. And probably
is a good idea in general.

~~~
rickdg
Or just, you know, Tasker.

------
pabloski
iOS devices too. Apple uses Broadcom Wi-Fi chips too.

~~~
AdamGibbins
They patched it in the last release. [https://support.apple.com/en-us/HT207688](https://support.apple.com/en-us/HT207688)

How many years is it going to take for all the Android phones to get
patched...

~~~
kyrra
Nexus/Pixel phones have already been fixed:

[https://source.android.com/security/bulletin/2017-04-01.html](https://source.android.com/security/bulletin/2017-04-01.html)

~~~
Terr_
No, they may have a build, but it's not available yet.

My Nexus (5X) says the most-recent update (security or otherwise) is dated
March 5th.

~~~
ReverseCold
Yup. [https://i.imgur.com/cjgS5GZh.jpg](https://i.imgur.com/cjgS5GZh.jpg)

~~~
StavrosK
Nope, I just got 7.1.2 an hour ago on my 6P and am installing it now.

------
rtkwe
Well that's one of the more terrifying exploits to come out recently.

------
amag
Total phwnage!

Set up a malicious Wi-Fi hotspot in a busy place and phwn away. You don't need
to target anyone in particular, just wait and see what you got...

------
cmurf
This is an exploit within the Wi-Fi driver? So on iOS this would be a kext, and
Apple controls all of that, so they can update and resign the kext and issue
it in an update.

Whereas Google can't do that; it'd be up to the handset manufacturer.

Is this an example of the problem Google faces using the Linux kernel in
Android? It cedes the kernel to the manufacturer, and wifi (and bluetooth etc)
drivers are all kernel space, not user space. So Google can't really do
anything here can they?

~~~
izacus
They can and they did - they pushed the update to Nexus and Pixel devices.

~~~
emodendroket
I know this is a well-rehearsed complaint at this point but having OEMs
customizing Android to the point where it can't be updated was a real mistake.

~~~
StavrosK
I don't think customization is the whole problem. Sounds like different
hardware is (most of) the problem, as it needs drivers.

~~~
emodendroket
I mean, Windows has way more drivers than Android and yet somehow I don't have
to wait two years for hardware vendors to come up with special versions of
Windows updates. Is that really an insurmountable problem?

~~~
vetinari
Windows Phone doesn't run on a fraction of SoCs that Android does. You are
basically limited to a Snapdragon and that's it. There is no such rich
ecosystem like in Android, ranging from MediaTek to Nvidia.

~~~
huxley
Parent was referring to Windows on desktops and laptops

~~~
vetinari
If he meant PC-compatibles, that's even worse. Desktops and laptops have
something in common: BIOS or UEFI, which standardize both the boot process and
platform services, and enumerable buses like PCI. Nothing of this sort is
available for ARM/SPARC/whatever boards.

It's like criticizing Windows, that it doesn't run on Chromebooks or PPC Macs.

~~~
emodendroket
I'm not a systems programmer, much less a hardware designer, but it seems to
me like if it has been done once it can be done again.

~~~
vetinari
The issue is not whether it is possible or not. Of course, it is possible.

The issue is whether it will result in a better product, where better is defined
as "will it sell more?". Your average cellphone buyer does not care about
that. But he cares about thinness and battery life, which would be affected by
a more universal platform.

Imagine a 3D chart, where one axis is battery life and small-sized hardware,
second is versatility, third showing the sales, with a curve going through,
showing a compromise between two trade-offs and total sales for that
compromise. We are currently in one point, with few people arguing to change
the position to another point, completely ignoring these two other axes.

------
dullgiulio
Honest question: Why is RADIUS not more widely used? Is it because of limited
AP hardware resources?

~~~
brazzledazzle
It's not uncommon in enterprise networks but it's a PITA to set up and use at
home (for most people).

~~~
user5994461
It's the standard for (big enough) enterprises.

The low cost access points don't support it. It's standard on (more expensive)
enterprise hardware.

~~~
brazzledazzle
I would call those SMB networks, not enterprise. But even so I'm kind of
surprised by that since even some crappy home gear I've purchased has RADIUS
support buried in advanced settings.

------
loph
No headline bias there. iOS devices were vulnerable until patched, very
recently. The patches are built for Android and it's up to the device
manufacturers to get them into the wild.

------
logicallee
Overall I like our title (currently "Android devices can be fatally hacked by
malicious Wi-Fi networks") but "fatal" has a specific meaning (causing death)
so isn't there some other word in place of that one that could be used here?
It is certainly evocative of how dire this is but I feel like a different word
might be more specific without losing gravity.

