Poisoned wifi signals can take over all Android devices in range, no user intervention required

Vulnerabilities in the Broadcom system-on-a-chip that provides wifi for many Android devices mean that simply lighting up a malicious wifi access point can allow an attacker to compromise every vulnerable device in range, without the users having to take any action — they don't have to try to connect to the malicious network.


Iphones are also vulnerable to the attack, but Apple issued a patch for them on Monday.

Android updates are only available for "select devices" and can be up to two weeks away, or longer, depending on your carrier.

Part of the problem is that Broadcom's security stinks, lacking "all basic exploit mitigations—including stack cookies, safe unlinking and access permission protection (by means of [a memory protection unit.])"

The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom's wireless system-on-chip to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode. Beniamini's code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.


Android devices can be fatally hacked by malicious Wi-Fi networks
[Dan Goodin/Ars Technica]


(Image: Bill Ward, CC-BY)