Google Patches DoS Vulnerability in Android

One of the 78 vulnerabilities patched by the October 2016 Android Security Bulletin, released this week, is a flaw in the GPS component that a remote attacker could exploit to cause a denial of service on vulnerable devices.

The issue can be exploited by a man-in-the-middle (MitM) attacker able to manipulate the assisted GPS/GNSS data served by Qualcomm, which can crash or reboot the device. The bug affects open source code in AOSP as well as proprietary code in a Java XTRA downloader provided by Qualcomm.

Nightwatch Cybersecurity researchers, who discovered the vulnerability, explain that the October 2016 Android bulletin resolves the bug in AOSP and that Qualcomm issued additional patches to its proprietary client last month. They also note that other platforms using Qualcomm GPS chipsets might be affected by the same flaw.

Devices with Qualcomm GPS chipsets periodically connect to Qualcomm's servers to download gpsOneXtra assistance files, which contain current satellite location data and estimated locations for the next 7 days, the researchers say. Qualcomm developed the gpsOneXtra system in 2007, and devices using it request the assistance files almost every time they connect to a WiFi network.

The domains these devices connect to, gpsonextra(dot)net and izatcloud(dot)net, are owned by Qualcomm and are hosted and served from Amazon's CloudFront CDN (except for one subdomain). The assistance file is requested by an OS-level Java process (GpsXtraDownloader.java), which passes the data to a C++ JNI class (com_android_server_location_GnssLocationProvider.cpp), which in turn injects the file into the Qualcomm modem or firmware.

The vulnerability is that neither the Java nor the C++ code checks the size of the downloaded data file, so a file larger than the memory available on the device causes it to soft reboot. By exhausting memory and crashing the device, an attacker could in theory also achieve remote code execution in either the Qualcomm modem or the Android OS, but the researchers were not able to demonstrate that.
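The missing check is a generic unbounded-read bug: the downloader buffers whatever the peer returns. The following Python is an added example written for this article, not code from AOSP, Qualcomm or the researchers. It puts the vulnerable pattern next to a bounded reader and uses a constructed in-memory stand-in for the HTTP response body; the 256 KB ceiling and the synthetic body are assumptions chosen to illustrate the check, not values from the page.

```python
"""Unbounded vs. bounded handling of a downloaded GPS assistance file.

Added example, not AOSP or Qualcomm code. It models the failure mode
described above: a downloader that buffers whatever the server returns
versus one that enforces a size limit before and during the read.
"""

# Assumption: real assistance files are small (tens of kilobytes), so a
# ceiling of a few hundred kilobytes is generous. The value is illustrative.
MAX_XTRA_BYTES = 256 * 1024
CHUNK_SIZE = 16 * 1024


class OversizedAssistanceFile(ValueError):
    """Raised when the response exceeds the configured size limit."""


def read_xtra_unbounded(stream):
    """Vulnerable pattern: trust the peer and buffer the whole body.

    An on-path attacker who substitutes an arbitrarily large body drives
    memory use up until the process, or the device, falls over.
    """
    return stream.read()


def read_xtra_bounded(stream, declared_length=None, max_bytes=MAX_XTRA_BYTES):
    """Hardened pattern: cap the body at max_bytes.

    declared_length is the Content-Length the peer advertised. It is used
    only for an early rejection; the loop enforces the limit on the bytes
    actually received, because an attacker controls the header as well.
    """
    if declared_length is not None and declared_length > max_bytes:
        raise OversizedAssistanceFile(
            f"declared length {declared_length} exceeds limit {max_bytes}")
    buf = bytearray()
    while True:
        # Never request more than one byte past the limit, so an oversized
        # body is detected without buffering all of it.
        want = min(CHUNK_SIZE, max_bytes + 1 - len(buf))
        chunk = stream.read(want)
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise OversizedAssistanceFile(
                f"body exceeds limit of {max_bytes} bytes")
    return bytes(buf)


class SyntheticBody:
    """Constructed stand-in for an HTTP response body of `size` bytes.

    Bytes are generated lazily and the count handed out is recorded, so a
    caller can confirm the bounded reader stops early rather than
    swallowing an attacker-supplied payload.
    """

    def __init__(self, size):
        self.size = size
        self.served = 0

    def read(self, n=-1):
        if n is None or n < 0:
            n = self.size - self.served
        n = min(n, self.size - self.served)
        self.served += n
        return b"\xAA" * n


def simulate(size, declared_length=None):
    """Feed a body of `size` bytes to the bounded reader.

    Returns ("ok", bytes_kept) or ("rejected", bytes_read_before_abort).
    """
    body = SyntheticBody(size)
    try:
        data = read_xtra_bounded(body, declared_length)
        return ("ok", len(data))
    except OversizedAssistanceFile:
        return ("rejected", body.served)


if __name__ == "__main__":
    print("legitimate 40 KB file:", simulate(40 * 1024, 40 * 1024))
    print("64 MB body, honest header:", simulate(64 * 1024 * 1024, 64 * 1024 * 1024))
    print("64 MB body, header claims 1 KB:", simulate(64 * 1024 * 1024, 1024))
```

The two cases worth noting are the ones a MitM attacker actually produces: an honest but huge Content-Length is rejected before any body is read, and a header that lies about the size is still caught after at most one byte past the ceiling, so the device never commits more than the configured budget to an untrusted download.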

“To attack, an MITM attacker located anywhere on the network between the phone being attacked and Qualcomm’s servers can initiate this attack by intercepting the legitimate requests from the phone, and substituting their own, larger files. Because the default Chrome browser on Android reveals the model and build of the phone (as we have written about earlier), it would be possible to derive the maximum memory size from that information and deliver the appropriately sized attack file,” the researchers say.

A malicious actor could mount such an attack from a hostile hotspot, a compromised router, or any other on-path position. The attack is somewhat mitigated by the fact that the attacker has to deliver a file as large as the available memory on the phone.

Android devices with the 2016-10-01 security patch level or later are protected from this type of attack. According to the researchers, GPS-capable devices manufactured by Apple (iPad, iPhone, etc.) and Microsoft (Microsoft Surface and Windows Phone devices) are not affected by this vulnerability.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
