Android Wi-Fi security issue

In an e-mail today to the Open Source Software Security (oss-security) mailing list, the maintainer of wireless network client code used by Android, the Linux and BSD Unix operating systems, and Windows Wi-Fi device drivers sent an urgent fix to a flaw that could allow attackers to crash devices or even potentially inject malicious software into their memory. The flaw could allow these sorts of attacks via a malicious wireless peer-to-peer network name.

I don’t know if this is code that is maintainable by FairPhone but if so, it might be useful for @anon12454812 and the rest of the Fairphone software development team to look into it.

3 Likes

There are so many security flaws in the Fairphone OS / Android 4.2.2 that this small additional one doesn’t matter. :-/
And no, FairPhone does not maintain any Android code.

Errr… I don’t believe you are right in that assumption, dear. :tea:
Anyway, the general notion that it’s not good to be stuck on 4.2.2 is acknowledged.

I wouldn’t call that “small”. The impact is not clear yet, but the mailing list article cited in the original posting suggests that the flaw may be exploitable by plain WiFi (without P2P). So, to be clear: You activate WiFi and are 0wned - without doing anything over that connection yet. WiFi is unusable until that is fixed or refuted.

Actually, the problem is not being stuck on 4.2.2, but not being updated. Differently from the WebView problem, patches for wpa_supplicant exist. They “just” need to be pushed to us.

Maybe this App helps

https://f-droid.org/repository/browse/?fdfilter=wifi&fdid=be.uhasselt.privacypolice&fdpage=2

Could we please try to keep in touch with reality? Sweeping statements such as the one cited above are utter b0ll0cks and not substantiated in any way whatsoever.

Yes, there is a security risk here. Probably small, and probably negligible unless you’re on a P2P network. And yes, since it seems to be solved by installing a patched wpa_supplicant package it is something that the FP developers should be able to solve. But suggesting that users should refrain from wifi connections is pushing it a bit too far.

Cheers,
Karl
(on wifi, patiently waiting to be ‘0wned’)

3 Likes

Thanks for your opinion. In your citation you forgot to include my reference to the description of the vulnerability. It’s your unsubstantiated risk assessment leading to “keep calm” against security researchers saying: “potentially arbitrary code execution”, “However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress.”

I’m not confident that I would detect being 0wned. And I believe that almost all human beings and organizations shouldn’t be.

1 Like

i.e. the oss-security mailing list. OK, let’s see what it says then (my bold italics):

"Attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a suitably constructed management frame that triggers a P2P peer device information to be created or updated.

The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress."

When you infer from this information that “to be clear… wifi is unusable”, it is nothing but an unwarranted, sweeping statement and therefore, in my humble opinion, utter b0ll0cks.

1 Like

Um… what reference?

Sorry, my mistake. I forgot to put “small” in quotation marks. Sure this security flaw is another serious problem. I just wanted to make clear that the webview bugs alone render the current Fairphone nearly useless if one installs any apps from Play Store or any other source. Exploits for webview have been in the wild for a long time and it is just a matter of time until getting hit.

https://en.wikipedia.org/wiki/Post-purchase_rationalization

That’s a rather sweeping statement to make. With that, you’re saying nearly 50% of all Android phones currently in use are useless.

https://developer.android.com/about/dashboards/index.html

1 Like

He’s clearly mistaken. All those phones are very useful to anyone who knows how to use the “small bugs”.

Listen, anyone, I know it’s annoying, but can you all try to realise that this debate is leading nowhere? Please?

5 Likes

We moderators don’t mind you debating anything on the forum, but please make sure you keep it factual and don’t make it personal.

In this particular topic, Jerry was pointing out a security flaw, and I don’t think the original intentions were for this debate to happen, so please be mindful of the intentions of the original poster when you are responding. There are other general topics relating to security on android 4.2.2 already on the forum, and I would suggest taking general debate somewhere like this, unless your comments add specific knowledge or insight into this particular bug that has been posted by Jerry.

Hope you understand where I’m coming from with these comments :sun_with_face:

4 Likes

Yeah I just wanted to use this as a channel of informing the FairPhone devs of this issue.

2 Likes

It seems p2p is enabled by default when wifi is switched on. At least /data/misc/wifi/p2p_supplicant.conf is passed to the wpa_supplicant command line. So this is a very severe security issue that needs to be fixed soon.

I have tried putting p2p_disabled=1 or P2P_set disabled 1 into that config file, but it is rewritten whenever wifi is enabled, so that does not help. There are also config files in /etc/wifi, but those seem to be ignored.

Does anyone know how one can reliably disable p2p wifi on the fairphone?

I don’t want to downplay the risk, but I don’t want to exaggerate either. So I’ll repeat what was said in the OSS mailing list (my bold italics):

"The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress."

Unfortunately, it is completely unclear when Android executes the named control interface commands. From this advisory http://www.securityfocus.com/archive/1/535356 (bold emphasis mine):

Although most Android devices enable WLAN Direct only when the user enters the WLAN Direct UI, we found that some models from well-known mobile phone manufacturers (such as Xiaomi, Huawei) enable WLAN Direct by default. Even if the user never entered the WLAN Direct UI, the attacker can initiate a WLAN Direct connection and trigger this vulnerability without user interaction. However, the attacker needs to know the WLAN Direct MAC address; that address is the MAC address of the user's device with the first byte OR 2. The MAC address of the user's device can easily be acquired with a WIFI packet sniffer, so the WLAN Direct MAC address can be calculated from it: for example, if the user device MAC address is 14:12:34:56:78:90, then the WLAN Direct MAC address is 16:12:34:56:78:90. This means that on some models of mobile phone, simply turning on the WIFI service exposes the device to this vulnerability.
Other models, without WLAN Direct enabled by default, also need attention, because a lot of file transfer software uses the WLAN Direct feature and will enable it. Once enabled, even if the user exits the WLAN Direct UI, the feature stays enabled until the device reboots or WIFI is restarted. During this time the device is affected and can be attacked remotely.

Even if Fairphone does not listen to P2P requests all the time (I don’t know), the feature could still be switched on by some apps.
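For readers who want to check their own device rather than argue about it, here is an added example (written for this thread; it is not code from Fairphone, wpa_supplicant or the advisory) that covers two points raised above: whether `p2p_disabled=1` actually made it into the config the supplicant is running with, and the "first byte OR 2" relationship between a device's station MAC and its WLAN Direct address, so you can recognise your own P2P address in `wpa_cli status` output. The config keys `p2p_disabled` and the `address` / `p2p_device_address` fields of the STATUS command are real wpa_supplicant names; the sample config and status text are constructed, not captured from a Fairphone.

```python
"""Check P2P (Wi-Fi Direct) state from wpa_supplicant config and `wpa_cli status` output.

Added illustration for the forum thread; not code from Fairphone or wpa_supplicant.
"""
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff'; stray spaces (as in the garbled advisory quote) are tolerated."""
    cleaned = mac.replace(" ", "").lower()
    if not _MAC_RE.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in cleaned.split(":"))


def format_mac(raw: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in raw)


def p2p_device_address(station_mac: str) -> str:
    """WLAN Direct address as described in the quoted advisory: station MAC with the
    first byte OR 2, i.e. the IEEE 'locally administered' bit set."""
    octets = bytearray(parse_mac(station_mac))
    octets[0] |= 0x02
    return format_mac(bytes(octets))


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set (what P2P device addresses look like)."""
    return bool(parse_mac(mac)[0] & 0x02)


def parse_key_values(text: str) -> dict:
    """Top-level key=value lines of a wpa_supplicant config or `wpa_cli status` output.
    Comment lines and the insides of network={...} style blocks are skipped."""
    values = {}
    depth = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(depth - 1, 0)
            continue
        if depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def p2p_disabled_in_conf(conf_text: str) -> bool:
    """True only if the effective config carries p2p_disabled=1 (the thread reports Android rewrites it)."""
    return parse_key_values(conf_text).get("p2p_disabled") == "1"


def assess_p2p_exposure(status_text: str, conf_text: str) -> dict:
    """Combine STATUS output with the config the supplicant was started with."""
    status = parse_key_values(status_text)
    station = status.get("address")
    p2p_addr = status.get("p2p_device_address")
    derived = p2p_device_address(station) if station else None
    disabled = p2p_disabled_in_conf(conf_text)
    return {
        "station_address": station,
        "p2p_device_address": p2p_addr,
        "p2p_address_is_derived_from_station": p2p_addr is not None and derived == p2p_addr,
        "p2p_disabled_in_conf": disabled,
        # Supplicant reports a P2P address and the config does not disable P2P: worth fixing.
        "p2p_not_disabled": p2p_addr is not None and not disabled,
    }


# Constructed sample inputs (not captured from a real device).
SAMPLE_STATUS = """\
bssid=00:11:22:33:44:55
ssid=HomeNet
mode=station
wpa_state=COMPLETED
p2p_device_address=16:12:34:56:78:90
address=14:12:34:56:78:90
"""

SAMPLE_CONF_DEFAULT = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1
device_name=example-phone
network={
        ssid="HomeNet"
        key_mgmt=WPA-PSK
}
"""

SAMPLE_CONF_DISABLED = SAMPLE_CONF_DEFAULT + "p2p_disabled=1\n"

if __name__ == "__main__":
    for name, conf in (("default conf", SAMPLE_CONF_DEFAULT), ("p2p_disabled=1", SAMPLE_CONF_DISABLED)):
        print(name, assess_p2p_exposure(SAMPLE_STATUS, conf))
```

On a rooted phone the two inputs would come from `wpa_cli -i wlan0 status` and from the config file named on the supplicant's command line (the thread names /data/misc/wifi/p2p_supplicant.conf); re-read that file after toggling WiFi, since the poster above found it gets rewritten.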