Android phones vulnerable to booby trapped wi-fi signals

 Android phones are vulnerable to attacks that use booby trapped wi-fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used wi-fi chipset manufactured by Broadcom and used in both iOS and Android devices. Before anyone claims it was poor Android programming, the Fruity Cargo-Cult Apple was also vulnerable to the hack but patched the vulnerability with Monday’s release of iOS 10.3.1.

The Google Project Zero researcher Gal Beniamini who discovered the flaw said that an attacker within range may be able to execute arbitrary code on the wi-fi chip.

In a highly detailed blog post Apple said that the flaw  allowed the execution of malicious code on a fully updated 6P “by wi-fi proximity alone, requiring no user interaction”.

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over the air update to those who are eligible.

Company representatives didn’t respond to an e-mail seeking comment for this post. The proof-of-concept exploit uses wi-fi frames that contain irregular values.

The values, in turn, cause the firmware running on Broadcom’s wireless system-on-a=chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode.

Beniamini’s code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.