
Insecure Transmission of Qualcomm Assisted-GPS Data [CVE-2016-5341] - calferreira
http://seclists.org/fulldisclosure/2016/Dec/19
======
calferreira
Qualcomm has acknowledged the issue as being known since 2014 and has released
guidance for their OEM customers on fixing the issue. The fix includes the use
of SSL servers to retrieve the XTRA and XTRA2 data files, and the eventual
switchover to the new XTRA3 data format which includes a digital signature as
described above.

Google has acknowledged that this issue affects the Android OS. A fix for this
issue is included in the December 2016 Android bulletin.

Apple and Microsoft have indicated to us via email that GPS-capable devices
manufactured by them including iPad, iPhones, etc. and Microsoft Surface and
Windows Phone devices are not affected, since they use an internal secure
delivery mechanism for this data, and do not retrieve data directly from
Qualcomm’s servers.

