It's 2017 and you can still pwn Android gear with Wi-Fi packets – so get patching now

As researcher pleads with you not to brand bugs with a logo

A security researcher has turned up new ways to silently hijack and infect Android devices via malicious Wi-Fi packets over the air.

Scotty Bauer, a Linux kernel developer, described in detail on Monday how he found a bunch of exploitable programming blunders in the qcacld Wi-Fi driver that supports Qualcomm Atheros chipsets. These chips and their associated driver are used in a number of Android phones, tablets, routers, and other gizmos, including some Pixel and Nexus 5 handhelds, for wireless networking.

In an effort similar to Gal Beniamini's work scrutinizing Broadcom's insecure wireless technology, Bauer went looking for low-level remote-code-execution vulnerabilities in Google-powered gadgets, found them, and reported them so they can be addressed.

The result of that effort is some juicy security fixes that were released on Monday by Google. These need to be installed on vulnerable Android devices to protect them from attacks leveraging the now-documented bugs.

Essentially, it is possible vulnerable Android gizmos can be secretly commandeered by nearby hackers via Wi-Fi due to flaws in the aforementioned wireless driver code, originally developed by Qualcomm Atheros. So check for updates from Google, via the Settings app, and install this month's Android security updates if or when they are available for your devices.

Bauer explained that since Qualcomm uses a partial SoftMAC – that is, at least some of the MAC layer is implemented in software – “the source code for handling any sort of 802.11 management frames must be in the driver and is thus available to look at.” In other words, it is possible to study the code and figure out the right management frames to send to a nearby victim's device to trigger the execution of malicious code, leading to crashes or the installation of spyware.

Bauer's “first and best” bug in the mammoth driver – which is 691,000 lines of code – is in the dot11f.c file “tasked with parsing over-the-wire packets to a C-style structure.” This flaw, labeled CVE-2017-11013, is a classic buffer overrun, and a potential remote-code-execution hole. It was fixed on Monday by Google.

Next on Bauer's list is a pair of programming cockups that can send the driver into an infinite loop, a denial of service. One of them has no public identifier yet because the patch for it was flawed, and a “new fix is in the works” to fully correct it. The other, CVE-2017-9714, has already been publicly disclosed and has a working patch: that was released in October.

Another bug found by Bauer and fixed on Monday this week, CVE-2017-11014, is a cockup in how an access point's neighbor identification broadcast packets are processed. It's another buffer overrun: an attacker sending malicious APChannel data to a target can push 100 bytes into a buffer provisioned for eight bytes, triggering a crash or a potential execution of malicious code.

The last of Bauer's disclosures this week, CVE-2017-11015, also potentially allows an attacker to gain remote code execution on a handset by exploiting a mistake in a vulnerable Android phone's portable access point capability. A specially crafted challenge packet, sent by an attacker, can potentially push 253 bytes into a challenge text memory space that's just 128 bytes long. Again, a patch for this was released on Monday by Google.
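The three copy-too-much bugs above (the dot11f.c frame parser, the 8-byte channel report field, the 128-byte challenge text field) all have the same shape: an 802.11 element carries its own length byte, and the driver copies that many bytes into a fixed-size field of a C struct. The program below is an added illustration of that pattern and its fix; it is not code from the qcacld driver or from Bauer's write-up. The element IDs are the standard 802.11 ones (0x33 AP Channel Report, 0x10 Challenge Text), but the field layout, offsets and the 8- and 128-byte capacities are assumptions chosen to match the figures quoted in the article, and the frames it parses are constructed sample input, not captured traffic. The parsed “C-style structure” is modelled as a flat byte array followed by a canary region, so an overrun shows up as corrupted canary bytes rather than a crash.

```c
/* Added illustration of the bug class described above; not the qcacld
 * driver's code. Element IDs are from 802.11 (0x33 AP Channel Report,
 * 0x10 Challenge Text); the layout, offsets and 8-/128-byte capacities
 * are assumptions matching the sizes the article quotes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_AP_CHANNEL_REPORT 0x33
#define IE_CHALLENGE_TEXT    0x10

#define OFF_CHALLENGE   0      /* 128-byte challenge text field      */
#define CAP_CHALLENGE   128
#define OFF_CHANNEL     128    /* 8-byte channel report field        */
#define CAP_CHANNEL     8
#define OFF_CANARY      136    /* everything past the real fields    */
#define CANARY_LEN      256
#define CANARY_BYTE     0xAA

struct parsed {
    uint8_t mem[OFF_CANARY + CANARY_LEN]; /* stands in for the driver's struct */
    size_t  challenge_len;
    int     rejected;                     /* IEs the checked parser refused */
};

void parsed_init(struct parsed *p) {
    memset(p, 0, sizeof *p);
    memset(p->mem + OFF_CANARY, CANARY_BYTE, CANARY_LEN);
}

/* 1 if any byte past the last real field was written: the struct was overrun. */
int parsed_overrun(const struct parsed *p) {
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (p->mem[OFF_CANARY + i] != CANARY_BYTE) return 1;
    return 0;
}

/* Walk the IEs (id, length, body) of a frame. With checked == 0 the copy
 * length comes straight from the packet, the vulnerable pattern; with
 * checked == 1 an element longer than its field is dropped. Returns the
 * number of IEs consumed, or -1 if an element's body runs past the frame. */
int parse_ies(const uint8_t *frame, size_t frame_len, struct parsed *out, int checked) {
    size_t pos = 0;
    int count = 0;
    while (pos + 2 <= frame_len) {
        uint8_t id  = frame[pos];
        size_t  len = frame[pos + 1];
        const uint8_t *body = frame + pos + 2;
        if (pos + 2 + len > frame_len) return -1;   /* never read past the frame */

        if (id == IE_CHALLENGE_TEXT) {
            if (checked && len > CAP_CHALLENGE) {
                out->rejected++;
            } else {
                memcpy(out->mem + OFF_CHALLENGE, body, len); /* up to 255 into 128 */
                out->challenge_len = len;
            }
        } else if (id == IE_AP_CHANNEL_REPORT) {
            if (checked && len > CAP_CHANNEL) {
                out->rejected++;
            } else {
                memcpy(out->mem + OFF_CHANNEL, body, len);   /* up to 255 into 8 */
            }
        }
        pos += 2 + len;   /* always advance, so a bad IE cannot stall the loop */
        count++;
    }
    return count;
}

/* Append one IE to a constructed frame buffer; returns 0 if it does not fit. */
int append_ie(uint8_t *buf, size_t cap, size_t *pos, uint8_t id, uint8_t len, uint8_t fill) {
    if (*pos + 2 + (size_t)len > cap) return 0;
    buf[(*pos)++] = id;
    buf[(*pos)++] = len;
    memset(buf + *pos, fill, len);
    *pos += len;
    return 1;
}

int main(void) {
    uint8_t frame[512];
    size_t n = 0;
    /* Constructed hostile frame: 100 bytes aimed at the 8-byte field and
     * 253 bytes aimed at the 128-byte field, the sizes the article gives. */
    append_ie(frame, sizeof frame, &n, IE_AP_CHANNEL_REPORT, 100, 0x41);
    append_ie(frame, sizeof frame, &n, IE_CHALLENGE_TEXT, 253, 0x42);

    struct parsed unchecked, checked;
    parsed_init(&unchecked);
    parsed_init(&checked);
    parse_ies(frame, n, &unchecked, 0);
    parse_ies(frame, n, &checked, 1);
    printf("unchecked parser overran struct: %d\n", parsed_overrun(&unchecked));
    printf("checked parser overran struct:   %d (rejected %d IEs)\n",
           parsed_overrun(&checked), checked.rejected);
    return 0;
}
```

The two checks that matter are the ones the unchecked branch skips: the element body must fit inside the frame before it is read, and it must fit inside the destination field before it is written. Note that in a real driver the bytes past the field are not a canary but whatever the compiler placed next in the struct or on the stack, which is what turns a parsing mistake into the kernel-level code execution the article describes.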

Any code injected into the driver and successfully executed, after bypassing any built-in exploit mitigations, will run at the kernel level, giving it total control over the device.

Bauer promises another bunch of bug discoveries in December on his website, linked above. He's also asked that the flaws he finds not be named or branded with a logo. ®

PS: There are many other security issues fixed in November's Android patch batch, so even if you don't have the aforementioned vulnerable wireless chipset, you should grab the update anyway as soon as it arrives for your device. We'll cover them all this week.