Hi all,

About a month ago, we learned that there was a vulnerability in the WiFi firmware on many phones [1]. I didn't know until then that the WiFi device has its own system-on-a-chip (SoC) that runs its own code, and has access to system RAM. The vulnerability apparently allows an attacker to execute arbitrary code in the SoC, and from there take over the entire device [2][3].

Apple, to their credit, patched a range of obsolete devices in addition to current ones [4]. Google seems to only be patching current devices, and it seems unlikely that other Android manufacturers will push out an update to old devices either. The response from the Android community seems to be to bury their heads in the sand [5]. When I asked in #lineageos about it, I got the impression that they couldn't include the patched firmware for my device (although things may have changed).

I find this all incredibly frustrating. I have an otherwise perfectly good Nexus 5, which now has to have WiFi permanently disabled. Effectively I need a new phone. A pox on proprietary firmware and impractical update mechanisms!

A user on Slashdot said to "vote with your wallet". But there doesn't seem to be a good option: iPhone, which isn't remotely open but at least seems to get patched, or Android, which claims to be open but is closed where it really counts. Is there a practical third option that I'm missing?

Sorry for the rant. Is anyone else as frustrated by this as I am?

Alex

[1] https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadc...
[2] https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadc...
[3] https://security.stackexchange.com/questions/157336/does-a-compromised-kerne...
[4] https://it.slashdot.org/comments.pl?sid=10454409&cid=54183761
[5] https://android.stackexchange.com/questions/172993/ota-wifi-vulnerability-wh...
Hi,

On 03/05/17 23:52, Alex Fraser wrote:
About a month ago, we learned that there was a vulnerability in the WiFi firmware on many phones [1]. I didn't know until then that the WiFi device has its own system-on-a-chip (SoC) that runs its own code, and has access to system RAM. The vulnerability apparently allows an attacker to execute arbitrary code in the SoC, and from there take over the entire device [2][3].
IIUC, [1] is a problem even with WiFi "turned off".
Apple, to their credit, patched a range of obsolete devices in addition to current ones [4]. Google seems to only be patching current devices, and it seems unlikely that other Android manufacturers will push out an update to old devices either. The response from the Android community seems to be to bury their heads in the sand [5]. When I asked in #lineageos about it, I got the impression that they couldn't include the patched firmware for my device (although things may have changed).
Yes, Apple patch and do it reasonably well on the whole; but they often patch and then need to re-patch to fix the patch. They also don't admit problems unless they have no choice, and they can still take too long to patch things.

Samsung, uggh, we've got lots of perfectly good gear that sold in the 100s of millions of devices each. Samsung won't patch a device that is still otherwise perfectly good if it is "too old"; they want you to buy a new phone.

Google will patch much more quickly, but they too have sunsets on the life of equipment that don't reflect the true possible real life; hence the perfectly good Nexus 5 and very soon Nexus 6 and 9 won't get further updates.

I would like for any device that is manufactured in huge quantity, like all these flagship devices, to get updates for 6 years, unless the number of currently active users drops down too low (perhaps down to a million users); anything longer than 6 years would probably be too long (I'll admit that), but anything shorter, well, again, they sell 100s of millions of these devices, so giving support for up to 10 years shouldn't cost them much and it would make the devices worth much more before ending up in landfill, as well as getting more life out of them. Most people don't need to replace phones sooner than 3 or 4 years; some will for all sorts of reasons, but most will just because they can and they are getting the devices as part of salary sacrifice or some kind of tax deduction, or just because they don't care if they pay through the nose for a phone by paying too much on a "plan", or even if they think, "who cares, work is paying for it" -- perhaps they could get a small pay rise instead of a brand new shiny phone (too often).
There are other good reasons to replace mobiles, most significantly because newer ones are more efficient and they can handle the newer in use radios when the older devices end up not working due to the radios they had used being upgraded to 4G or later (heck even GSM to 3G). Not that many devices will be using 3G, not the newer ones anyway, except as a fallback like GSM was a fallback for 3G.
I find this all incredibly frustrating. I have an otherwise perfectly good Nexus 5, which now has to have WiFi permanently disabled. Effectively I need a new phone. A pox on proprietary firmware and impractical update mechanisms!
I absolutely agree, 100%
A user on Slashdot said to "vote with your wallet". But there doesn't seem to be a good option: iPhone, which isn't remotely open but at least seems to get patched, or Android, which claims to be open but is closed where it really counts. Is there a practical third option that I'm missing?
Yes, there are not good options if you want to keep a good device in service longer than the manufacturers would like you to.
Sorry for the rant. Is anyone else as frustrated by this as I am?
Absolutely. Oh, and given the Intel chipset mess from the last 10 years (approx), it's a real problem. I don't want to use computer equipment that is otherwise long past its useful lifetime. What is it, a 12 year old (approx) X200, to use libreboot? I'm wondering how well Librem is going to do out of this latest outing of Intel.
Alex
[1] https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadc...
..
[5] https://android.stackexchange.com/questions/172993/ota-wifi-vulnerability-wh...
I think that given the problem, the only real solution is to junk the phone or, at the very least, not trust it more than necessary; of course, for many people the vulnerability won't matter to them at all. But that shouldn't mean that those that care (and are perhaps a little too paranoid, or perhaps justifiably paranoid) should have to suck it up and be vulnerable just because the greedy manufacturers couldn't give a hoot, especially when the devices get a little "old" ... even ones in full service that are newer usually fail to get updates in a timely manner.

I needed that rant too.

Kind Regards
Andrew
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> writes:
I would like for any device that is manufactured in huge quantity, like all these flagship devices, to get updates for 6 years, unless the number of currently active users drops down too low (perhaps down to million users); anything longer than 6 years would probably be too long (I'll admit that), but anything shorter, well, again, they sell 100s of millions of these devices, so giving support for up to 10 years shouldn't cost them much and it would make the devices worth much more before ending up in landfill, as well as getting more life out of them.
In my imaginary dream world, the manufacturer wouldn't have to provide updates, because everyone would use the same builds of the same OS - stock Android.

Imagine if every brand of every desktop computer you purchased required a customized version of XYZ* - probably without access to source code - that was only supported for one or two years before being declared obsolete. Imagine if every brand had to replace the XYZ UI with their own custom UI, in order to make their product "unique" in some way.

The situation we have with phones and tablets right now is crazy. These devices are just small computers, so the user should be free to install whatever OS they want on them. In actual fact, we seem to be heading in the opposite direction if anything, making computers more like phones and tablets.

* For XYZ insert one of Windows, Debian, Ubuntu, Redhat, etc.

-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
On 04/05/17 20:32, Brian May wrote:
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> writes:
I would like for any device that is manufactured in huge quantity, like all these flagship devices, to get updates for 6 years, unless the number of currently active users drops down too low (perhaps down to million users); anything longer than 6 years would probably be too long (I'll admit that), but anything shorter, well, again, they sell 100s of millions of these devices, so giving support for up to 10 years shouldn't cost them much and it would make the devices worth much more before ending up in landfill, as well as getting more life out of them.
I had originally had the idea of 10 years; I later dropped it back to 6 years -- one of the references above still had 10 years. For computers and mobiles, 10 years is probably too long, excepting of course the massive screwup of Intel that is in the news now.... does it make every second hand machine worthless now, or just worth less? With only recent machines possibly getting updates, and only if the owner does them if or when they become available whilst they have access to the updates. HP bars anyone from getting updates these days unless they have an existing support contract! A great reason to avoid HP going forward. It's a rotten mess. If we are to reduce, re-use and recycle, what will become of all the millions of machines sold? That's an awful lot of landfill.

On a positive note, if a new machine is more efficient and is properly patched, then it could easily last the next 10 years and may pay for itself in other ways, that is provided we don't need to ask too much of the hardware with VR / AR / AI or the like.
In my imaginary dream world, the manufacturer wouldn't have to provide updates, because everyone would use the same builds of the same OS - stock Android.
Yes, but stock Android is, perhaps, only good for a limited time as well. It is the binary blobs and other hindrances that stop us using pure Android on everything (easily or otherwise).
Imagine if every brand of every desktop computer you purchased required a customized version of XYZ* - probably without access to source code - that was only supported for one or two years before being declared obsolete.
True, some of the equipment these days has been doing bad things to get updates; Lenovo anybody? Leaving a great big hole to penetrate without proper security protection. Then the "BIOS" lets Windows load stuff from it that supposedly "fixes" things or puts permanent malware in the system that a re-install of the OS won't fix, other than replacing it with Linux or some other OS; but sometimes those newer machines are locked down these days and what you get is a ... Windows Appliance. :(
Imagine if every brand had to replace the XYZ UI with their own custom UI, in order to make their product "unique" in some way.
The situation we have with phones and tablets right now is crazy. These devices are just small computers, so the user should be free to install whatever OS they want on them.
Yes.
In actual fact, we seem to be heading in the opposite direction if anything, making computers more like phones and tablets.
* For XYZ insert one of Windows, Debian, Ubuntu, Redhat, etc.
Yes, but we also need every manufacturer of every component to co-operate and make open drivers, or at the very least fully support their hardware for the life of the hardware, not the life of a limited warranty period. And if they go out of business, they need to either sell whatever patents might limit future use to someone who will take on the responsibility, or end the patents completely and make a gift to the world.

Cheers
A.
Alex Fraser <alex@phatcore.com> writes:
Sorry for the rant. Is anyone else as frustrated by this as I am?
Certainly. The situation is terrible, and we essentially have as much work to do as we did when free software first got started; except this time, the entrenched players are not going to be caught unawares like in the 1980s.
A user on Slashdot said to "vote with your wallet". But there doesn't seem to be a good option: iPhone, which isn't remotely open but at least seems to get patched, or Android, which claims to be open but is closed where it really counts. Is there a practical third option that I'm missing?
The only practical option is to ensure that a more open option is commercially viable on an ongoing basis. We need to demand, with enough persistence and volume and funds, a more open alternative. And we need to organise enough support so that manufacturers will clearly see that people *want* a more open alternative. Anything short of that simply isn't practical; manufacturers can cut costs by making no promises about user access to the device.

So, find projects that have a chance of pushing in the right direction, and fund them. And identify when a friend or colleague is having an issue that, at root, you know is made worse by the fact the platform isn't open, and convince them to fund these projects also. That's a broad interpretation of the “vote with your wallet” advice.

One example is the FairPhone, but we have to be patient and wait for them to support it in Australia. <URL:http://fairphone.com/>

Another example is the ZeroPhone, which is a hell of a lot more open than most Android phones because it's built on a Raspberry Pi Zero. <URL:https://www.crowdsupply.com/arsenijs/zerophone>

-- 
“It is the integrity of each individual human that is in final examination. On personal integrity hangs humanity's fate.” —Richard Buckminster Fuller, _Critical Path_, 1981
Ben Finney
On 05/05/17 15:08, Ben Finney wrote:
Another example is the ZeroPhone, which is a hell of a lot more open than most Android phones because it's built on a Raspberry Pi Zero.
The Raspberry Pi has binary blobs; does the Zero have none?

Oh, and I agree with the rest of your post, but we need the better alternatives to go close to what is available otherwise in features, specs and performance; or at least enough to make the devices still useful.

Thanks
A.
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> writes:
On 05/05/17 15:08, Ben Finney wrote:
Another example is the ZeroPhone, which is a hell of a lot more open than most Android phones because it's built on a Raspberry Pi Zero.
The Raspberry Pi has binary blobs, does the Zero have none?
I don't know. Given the number of devices in most smartphones that require binary blobs, I would think it safe to say what I did: that the ZeroPhone is a hell of a lot more open.
Oh and I agree with the rest of your post, but we need the better alternatives to go close to what is available otherwise in features, specs and performance; or at least enough to make the devices still useful.
Yes. Those alternatives only get better by sustained, widespread, vocal demand and funding, from people who say in public they're demanding and funding a device *because* it is more open.

Waiting for them to get better *before* deciding whether to support them is just leaving it to the existing market. Which is what gets us where we are today, so is not a solution.

-- 
“The problem with television is that the people must sit and keep their eyes glued on a screen: the average American family hasn't time for it.” —_The New York Times_, 1939
Ben Finney
On 07/05/17 15:07, Ben Finney wrote:
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> writes:
I don't know. Given the number of devices in most smartphones that require binary blobs, I would think it safe to say what I did: that the ZeroPhone is a hell of a lot more open.
Fair.
Oh and I agree with the rest of your post, but we need the better alternatives to go close to what is available otherwise in features, specs and performance; or at least enough to make the devices still useful.
Yes. Those alternatives only get better by sustained, widespread, vocal demand and funding, from people who say in public they're demanding and funding a device *because* it is more open.
Waiting for them to get better *before* deciding whether to support them, is just leaving it to the existing market. Which is what gets us where we are today, so is not a solution.
True. It is an awful catch-22 situation, but you still don't want to throw away money on things that aren't going to be useful enough to you, unless you are doing it simply to make a donation AND you can afford to do so.

A.