Poisoned wifi signals can take over all Android devices in range, no user intervention required


Originally published at: http://boingboing.net/2017/04/06/wifi-proximity-alone.html


And of course for US carriers the patch will come with all that delicious new spyware Congress just authorized, so there’s no winning with this situation.


Would the attack work even if a phone’s wifi is turned off? From the wording of what’s in the BB post I gather that the user doesn’t need to connect to the network, but it didn’t specify whether wifi had to be enabled for it to work.

Edit: OK, I skimmed through the original article, and toward the end it says that disabling wifi may not be sufficient, as some phones may still send some wifi data even with wifi disabled. I would presume turning off data on the phone may do the trick, but that seems like a hassle unless you knew for sure that particular hot spots were infected.


No. The article mentions that the attack requires activity like the periodic scanning for adjacent networks, which does not happen when wifi is off.

EDIT: Note, however, that Android’s Location Services can be configured (by the user, and absent user intervention possibly by default) to include periodic wifi scans, even when the user has otherwise marked wifi “off”. So, in addition to keeping wifi off when not home, configure location services to either be off or to NOT include wifi scans.
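One way to check the state the post above describes (wifi marked “off” while Location Services still has background scanning enabled) from a laptop, as an added example that is not part of the thread or the linked article. It assumes a device with USB debugging enabled, `adb` on the PATH, and the AOSP global settings keys `wifi_on` and `wifi_scan_always_enabled` plus the secure key `location_mode` (with 0 meaning location off); the verdict names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits whether an attached Android
# device is likely to keep issuing Wi-Fi scans for Location Services even
# though the user has switched Wi-Fi "off".
#
# Assumed setting keys (AOSP):
#   global wifi_on                   1 = Wi-Fi radio on
#   global wifi_scan_always_enabled  1 = "scanning always available"
#   secure location_mode             0 = location services off
# Verdicts: radio-active | background-scans | radio-quiet | unknown

# Pure decision logic, so it can be checked without a device attached.
assess_radio_exposure() {
  wifi_on=$1; scan_always=$2; location_mode=$3
  # Any empty or non-numeric value (e.g. "null") means we cannot judge.
  if [ -z "$wifi_on" ] || [ -z "$scan_always" ] || [ -z "$location_mode" ]; then
    echo "unknown"; return 0
  fi
  case "$wifi_on$scan_always$location_mode" in
    *[!0-9]*) echo "unknown"; return 0 ;;
  esac
  if [ "$wifi_on" = 1 ]; then
    echo "radio-active"          # Wi-Fi is simply on; scan flag is moot
  elif [ "$scan_always" = 1 ] && [ "$location_mode" != 0 ]; then
    echo "background-scans"      # Wi-Fi "off" but location still scans
  else
    echo "radio-quiet"           # nothing configured to drive scans
  fi
}

# Read one setting over adb, stripping the CR that adb shell appends.
read_setting() {
  adb shell settings get "$1" "$2" 2>/dev/null | tr -d '\r'
}

# Turn background scanning off; touches only that one setting.
disable_background_scanning() {
  adb shell settings put global wifi_scan_always_enabled 0
}

# Only talk to a device when adb is actually available.
if command -v adb >/dev/null 2>&1; then
  w=$(read_setting global wifi_on)
  s=$(read_setting global wifi_scan_always_enabled)
  l=$(read_setting secure location_mode)
  verdict=$(assess_radio_exposure "$w" "$s" "$l")
  echo "wifi_on=$w scan_always=$s location_mode=$l -> $verdict"
  if [ "$verdict" = "background-scans" ]; then
    echo "run: disable_background_scanning  (or toggle it in Location settings)"
  fi
fi
```

The decision function is kept separate from the `adb` calls so the logic can be exercised with sample values; on a real device the printed verdict is what tells you whether the “off” toggle is actually keeping the radio quiet.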


From what I read, it’s a maybe:

“devices often relay Wi-Fi frames even when Wi-Fi is turned off.”

My phone received an update today, coincidentally. I wonder if it patched this exploit?


Yeah, but fuck that walled garden Apple provides and fixing this immediately.


Title: "all Android devices"
Article: "many Android devices"
Linked article: “a broad array of Android phones”

Not all Android phones have Broadcom chips (Samsung dumped them for instance, so earlier Galaxy S7s have them and later ones don’t).

Both Apple and Google issued fixes within a day of the exploit being published by the Google researcher who discovered it. OS updates being at the whim of manufacturers/carriers is certainly an issue though.


Footnote: “Well okay, we haven’t actually found one yet…”


:slight_smile: We just wrote the same thing at exactly the same time, with the same “EDIT” lead-in. Doppelganger.


Agreed. Fuck Apple’s walled garden. This has nothing to do with the walled garden (it’s about Apple’s ability to distribute patches due to their iron-fisted control of the OS), and, regardless, it doesn’t make said iron-fisted control worth it even so. Fuck them.

Ditto Windows; their ability to patch Windows (often just when the user wants to make a presentation!) doesn’t make them a better ecosystem than Linux. It DOES make them an easier sell to otherwise-clueless grandmas who can barely type, but that’s just an example of someone technologically illiterate paying the price in security.


Hardware security is a race to the bottom. Monopolies and oligopolies hiding behind patent law to prevent their crap from going open source… with the internet of shitty things, we are going to see a lot more of this, to the point where one has to ask why to even bother with software security when it is running on hardware that is as secure as a sieve.


I’d say that most of the android world is far more of a walled garden than iPhone. At least with the iPhone you know what you are getting. And this includes an operating system from a manufacturer that has stood up to authorities looking to go fishing any chance they can get and cry out about patriotism when they aren’t allowed to do warrantless searches. They have been known to exit marketplaces where they were asked to abandon this belief. Android? It is a system DESIGNED to market your information to the highest bidder from the outset and the only times Google gets upset about this is when a third party manufacturer decides they want to sell this information and cut Google out of the profits.

I’m personally happy to have a walled garden where I know the boundaries, as opposed to one where I can pretend to have freedom all the while being locked into a cage much tighter. Good luck getting hardware keys to unlock your phones to take out the spyware!


How many alternate ROMs for iPhone exist, and what are their download/usage numbers? Just curious.


I’m pretty happy with my Android phone. There is some bloatware I wish I could get rid of, and I probably could, but for the sake of not rooting my phone I leave it as is. Frankly, the OS works great for me and my particular needs.

It’s entirely possible I may be just as happy using an Apple device, but I like the flexibility of the Android platform.


How many of those alternate ROMs are going to fix the problem, and how long is it going to take? How many Android phones will never be patched?

I’m surprised Corey even mentioned that iPhones already have a fix, given that he likes to put Apple down any time he can. Anyone know what phone he uses?


Yikes. That’s the question I wanted to ask, glad you found the answer. I had been thinking a stingray was my worst threat model, now it seems nothing short of a faraday cage is going to be completely safe!


Beniamini’s code does nothing more than write a benign value to a specific memory address.

I suppose that means a practical exploit would require it to be possible to “take over all Android devices in range” merely by writing a malicious value to a specific memory address. Is there not sufficient variation among Android devices such that no one such specific address exists?


I no longer trust my Nexus 6p phone to give me real “On” and “Off” states for bluetooth or wifi. In the car, where the phone is set to “trust” the car’s bluetooth signal, sometimes I’ll check the phone and see the BT icon lit up and connected to the car (which is also showing the phone’s battery/signal status) despite my never having turned it on.
The wifi does something similar (the wifi wedge icon is displayed on the phone as though it’s connected when I’ve not turned the wifi on). I think it’s got something to do with Google’s ‘whatever’ service that asks users to allow the phone to connect to these radios, even without notifying the user, to “improve network service” or some such. I have that turned off, and yet the phone does these things of its own accord.


Unfortunately, spyware was never restricted by the FCC (it might attract FTC scrutiny; but that’s what ‘voluntary’ agreement through EULAs is for!); while network-level tapping requires no specific software on the client device, which is part of what makes it so pernicious: there’s nothing you can ‘clean off’ to stop it; and it’s 100% silent, unlike client-side spyware, which has a habit of occasionally slipping up, or at least causing mystery battery drain and suspicious network chatter unless designed with great care.


If ‘location services’ (exciting and mandatory even if you have a real GPS chip that could be used without phoning home; thanks a lot, assholes) are enabled, the phone may be doing some listening to get an idea of where it is (and build updated RF maps for HQ). If anything involving ‘beacons’ hasn’t been disabled into a smoking crater, BT may also be going behind your back.

Details aside, though, it all just makes me so tired. ‘Modern’ OSes may be easy to use; but using them is like dealing with a constant, gnawing sense of motion in your peripheral vision, and the paranoid impression (alas, generally not delusional) that it’s wheels-within-wheels all the way down, and that watching figures are flitting around just outside your vision.

Doesn’t solve my phone problems, obviously, but I occasionally have to go back to my OpenBSD-on-relatively-antique-hardware box, just for some time away from the relentless, and not entirely benevolent, automagic. Yes, if I want something to happen, I need to make it so; but at least things stay as you left them; and the ground isn’t shifting under you all the time.