Categories: News

New security bug found in Android


I am constantly amazed by the amount of security flaws found in, well, not just Android, but all software. A new flaw has been found by Google’s Project Zero team which allows an attacker to take over a device without any interaction from the victim.

The bug, which also affected iOS but has already been patched, is associated with the Wi-Fi Broadcom chipset used in iOS and Android devices. It allows the execution of any malicious code “by Wi-Fi proximity alone, requiring no user interaction.” The flaw allows someone who is on the same Wi-Fi access point to execute code on other devices.

Project Zero researcher Gal Beniamini said that the “lack of security protections built into many software and hardware platforms made the Broadcom chipset a prime target.” Due to the complexity of the firmware implementation of the Wi-Fi SoC it lags behind with respect to security. It lacks a lot of basic security provisions which makes it a prime target for exploitation.

This current flaw, which doesn’t have a cool name just yet, has been patched in the newer versions of the Broadcom chipset but for now we will have to rely on the Android manufacturers to fix this vulnerability in their security updates. Hopefully we will see this bundled into the May security patch which seems a long way away given the severity of this vulnerability — and remember the Google security patches are for Pixels and Nexus devices only.

At this stage there is no work around for vulnerable devices, especially when it has been shown recently that even when Wi-Fi is turned off Android devices often still relay Wi-Fi frames which allows someone to exploit this vulnerability. How long your device is vulnerable depends on the device’s manufacturer issuing security patches. Some are better than others but it is certainly something you should take into account when considering your next device purchase if security is important to you.

Until then the best advice would be to avoid unknown Wi-Fi networks and be careful if you are using a public Wi-Fi access point. Hopefully Google releases the patch in the next security update with other manufacturers to follow soon after.

Source: ArsTechnica.
Ausdroid's Deputy Editor in Chief
Scott Plowman

Scott is our modding guru - he has his finger on the pulse of all things ‘moddable’, pointing us towards all the cutting edge mods hacks that are available. When he’s not gymming it up, or scanning the heck out of Nexus devices, you'll find him on the Ausdroid Podcast. Outside of Ausdroid, Scott's a health care professional and lecturer at a well known Victorian university.

View Comments

  • Ausdroid's advice is insufficient. As per the source Ars article - this is a bug in the Wifi SoC firmware and all that is needed is for the Wifi to be searching for networks. Avoiding connecting to unknown networks doesn't help. Unless the phone's Wifi is properly, completely off then the bug can be exploited. Additional Android bugs get this out of the wifi firmware and into the core OS.

    April security patches fixing it is all very well - but this SoC / firmware is in quite a few phones, some of which aren't getting security updates anymore - or at least not frequently.

  • "and remember the Google security patches are for Pixels and Nexus devices only."

    Not true, and Sony have been particularly good at keeping their devices updated with the monthly patches, only a month or so behind which is a damn lot better than most other manufacturers. My Xperia Z5 has the March security patch.

    • Your security patch was issued by Sony though, not direct from Google, hence the article is correct. As you say, Sony has been pretty good at rolling out the security updates in a very timely manner. Not many other manufacturers achieve that, or even try.

Leave a Reply

Your email address will not be published. Required fields are marked*

Share
Published by
Scott Plowman
Tags: Security

Recent Posts

  • Hardware
  • News

Google Home Hub goes on sale October 23 – here’s what to expect

If you couldn't guess, we're pretty excited for the release of Google's new Home Hub across Australia tomorrow. It's the…

8 hours ago
  • News
  • Tablets, Laptops and Chrome

Chrome OS jumps into a slice of Pie for Android

Google's implementation of Android on Chrome OS has been updated, with the underlying Android layer receiving an update to Android…

18 hours ago
  • Mobiles
  • News

Try out the new Google Pixel 3 Group Selfie feature at Sculpture by the Sea, Bondi from this Thursday

If you're looking to check out a Google Pixel 3 before the Pixel 3 hits the streets on November 1st…

19 hours ago
  • Mobiles
  • News

Kogan Agora 9 launching next month with 4,000mAh battery for $169

Discount online electronics retailer Kogan has today started pre-sales for their latest Agora branded handset, the Agora 9, with the…

20 hours ago
  • Around the Home
  • Smart Accessories

Amazon Echo Plus a great way to get into smart home automation

Amazon's Alexa speakers and Google home compatible speakers have similar capabilities in many areas. However in the area of home…

20 hours ago
  • Around the Home
  • Hardware
  • Reviews
  • Smart Accessories

LG WK7 ThinQ Speaker – Australian Review

The WK7 ThinQ is LG's latest smart speaker with built-in Google Assistant capabilities. LG have succeeded in designing it in…

21 hours ago