One of the 78 vulnerabilities that the October 2016 Android Security Bulletin released this week has patched was a flaw in the GPS component that could be exploited remotely to cause denial of service on vulnerable devices.
The issue would be exploited by a Man-in-the-Middle (MitM) attacker capable of manipulating assisted GPS/GNSS data provided by Qualcomm, which could result in the device crashing or rebooting. The bug is said to affect the open source code in AOSP, as well as proprietary code in a Java XTRA downloader provided by Qualcomm.
Nightwatch Cybersecurity researchers, who discovered the vulnerability, explain that the October 2016 Android bulletin resolves the bug and that Qualcomm issued additional patches to the proprietary client last month. However, they also note that other platforms that use Qualcomm GPS chipsets might also be impacted by the security flaw.
Devices with Qualcomm GPS chipsets periodically connect to the OEM’s servers to download gpsOneXtra assistance files that include current satellite location data and estimated locations for the next 7 days, researchers say. Qualcomm developed the gpsOneXtra system in 2007 and devices using it are set to request the assistance files almost every time they connect to a WiFi network.
The domains these devices connect to, namely gpsonextra(dot)net and izatcloud(dot)net, are owned by Qualcomm and are being hosted and served from Amazon’s Cloudfront CDN service (except for one subdomain). The assistance file is requested by an OS-level Java process (GpsXtraDownloader.java), which passes the data to a C++ JNI class (com_android_server_location_GnssLocationProvider.cpp), which then injects the files into the Qualcomm modem or firmware.
The vulnerability resides in the Java and the C++ code not performing checks to determine the size of the data file, which results in the device soft rebooting if the file is larger than the memory available on the device. By exhausting memory and crashing the device, an attacker is theoretically also capable of executing code remotely in either the Qualcomm modem or in the Android OS, but the security researchers weren’t able to achieve that.
“To attack, an MITM attacker located anywhere on the network between the phone being attacked and Qualcomm’s servers can initiate this attack by intercepting the legitimate requests from the phone, and substituting their own, larger files. Because the default Chrome browser on Android reveals the model and build of the phone (as we have written about earlier), it would be possible to derive the maximum memory size from that information and deliver the appropriately sized attack file,” the researchers say.
A malicious actor could perform such an attack by leveraging hostile hotspots, hacked routers, or other resources. The attack is somewhat mitigated by the fact that the actor would have to use a file as large as the available memory on the phone.
Devices running under Android with the 2016-10-01 security patch level are protected from this type of attack. According to the security researchers, GPS-capable devices manufactured by Apple (iPad, iPhone, etc.) and Microsoft (Microsoft Surface and Windows Phone devices) are not affected by this vulnerability.
Related: Android 7.0 Packs Re-Architected Mediaserver, Other Security Enhancements
Related: Google Patches QuadRooter, Other Critical Android Vulnerabilities
Related: Google Patches Tens of Critical Vulnerabilities in Android