SecurityWeek

Vulnerabilities

Google Patches DoS Vulnerability in Android

One of the 78 vulnerabilities patched by the October 2016 Android Security Bulletin, released this week, was a flaw in the GPS component that could be exploited remotely to cause a denial of service on vulnerable devices.

The issue could be exploited by a Man-in-the-Middle (MitM) attacker able to manipulate the assisted GPS/GNSS data provided by Qualcomm, causing the device to crash or reboot. The bug is said to affect open source code in AOSP as well as proprietary code in a Java XTRA downloader provided by Qualcomm.

Nightwatch Cybersecurity researchers, who discovered the vulnerability, explain that the October 2016 Android bulletin resolves the bug and that Qualcomm issued additional patches to the proprietary client last month. However, they also note that other platforms that use Qualcomm GPS chipsets might also be impacted by the security flaw.

Devices with Qualcomm GPS chipsets periodically connect to the OEM’s servers to download gpsOneXtra assistance files that include current satellite location data and estimated locations for the next 7 days, researchers say. Qualcomm developed the gpsOneXtra system in 2007 and devices using it are set to request the assistance files almost every time they connect to a WiFi network.

The domains these devices connect to, namely gpsonextra(dot)net and izatcloud(dot)net, are owned by Qualcomm and are being hosted and served from Amazon’s Cloudfront CDN service (except for one subdomain). The assistance file is requested by an OS-level Java process (GpsXtraDownloader.java), which passes the data to a C++ JNI class (com_android_server_location_GnssLocationProvider.cpp), which then injects the files into the Qualcomm modem or firmware.

The vulnerability stems from neither the Java nor the C++ code checking the size of the data file, so a file larger than the memory available on the device causes it to soft reboot. By exhausting memory and crashing the device, an attacker could in theory also execute code remotely, in either the Qualcomm modem or the Android OS, but the researchers were not able to achieve that.
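The missing check described above, shown as an added example that is not AOSP's, Qualcomm's or the researchers' code: a stand-in for the native layer that buffers an assistance file, with the unbounded read beside a bounded one. The `kMaxXtraBytes` cap, the function names and the status codes are assumptions made for this illustration; the page states no actual limit.

```cpp
#include <cstddef>
#include <cstdint>
#include <istream>
#include <iterator>
#include <sstream>
#include <string>
#include <vector>

// Assumed cap for one assistance file (constructed value for this example;
// the real limit is a policy choice and is not stated in the article).
constexpr std::size_t kMaxXtraBytes = 256 * 1024;

enum class XtraStatus { Ok, DeclaredTooLarge, StreamTooLarge, Empty };

struct XtraResult {
    XtraStatus status;
    std::vector<std::uint8_t> data;  // populated only when status == Ok
};

// The pattern the article describes: trust the peer and buffer whatever
// arrives. A MitM-supplied file can grow until device memory is exhausted.
std::vector<std::uint8_t> readUnbounded(std::istream& in) {
    return std::vector<std::uint8_t>(std::istreambuf_iterator<char>(in),
                                     std::istreambuf_iterator<char>());
}

// Hardened reader: reject an oversized declared length (Content-Length,
// -1 if unknown) before allocating, and stop at the cap while streaming,
// so no response can make the process hold more than kMaxXtraBytes.
XtraResult readBounded(std::istream& in, long declaredLength) {
    if (declaredLength > static_cast<long>(kMaxXtraBytes))
        return {XtraStatus::DeclaredTooLarge, {}};
    std::vector<std::uint8_t> buf;
    buf.reserve(declaredLength > 0 ? static_cast<std::size_t>(declaredLength) : 4096);
    char chunk[4096];
    while (in.read(chunk, sizeof chunk) || in.gcount() > 0) {
        std::size_t n = static_cast<std::size_t>(in.gcount());
        if (buf.size() + n > kMaxXtraBytes)
            return {XtraStatus::StreamTooLarge, {}};  // abort, keep the buffer small
        buf.insert(buf.end(), chunk, chunk + n);
    }
    if (buf.empty()) return {XtraStatus::Empty, {}};
    return {XtraStatus::Ok, std::move(buf)};
}
```

Only a result with status `Ok` would be handed on to the modem injection step; the two failure statuses are the points a defender would log and count, since repeated oversized responses from the assistance-data endpoint indicate interference on the path.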


“To attack, an MITM attacker located anywhere on the network between the phone being attacked and Qualcomm’s servers can initiate this attack by intercepting the legitimate requests from the phone, and substituting their own, larger files. Because the default Chrome browser on Android reveals the model and build of the phone (as we have written about earlier), it would be possible to derive the maximum memory size from that information and deliver the appropriately sized attack file,” the researchers say.

A malicious actor could perform such an attack by leveraging hostile hotspots, hacked routers, or other resources. The attack is somewhat mitigated by the fact that the actor would have to use a file as large as the available memory on the phone.

Devices running Android with the 2016-10-01 security patch level are protected from this type of attack. According to the researchers, GPS-capable devices manufactured by Apple (iPad, iPhone, etc.) and Microsoft (Microsoft Surface and Windows Phone devices) are not affected by this vulnerability.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
