back to article It's 2017 and you can still pwn Android gear with Wi-Fi packets – so get patching now

A security researcher has turned up new ways to silently hijack and infect Android devices via malicious Wi-Fi packets over the air. Scotty Bauer, a Linux kernel developer, described in detail on Monday how he found a bunch of exploitable programming blunders in the qcacld Wi-Fi driver that supports Qualcomm Atheros chipsets. …

  1. Anonymous Coward


    The write-up is excellent! Well worth the read for anyone operating at the hardware-software interface coal-face.

    1. Khaptain

      Re: Nameless

      I'm not at the coalface but found this article interesting too.

      It made an otherwise boring bowl of cereal into a worthwhile read..

      Now I'm of to move over to SIP from ISDN on our telephony system.....

    2. Joe Werner Silver badge

      Re: Nameless

      Yes, good read. I have to admit that it gets repetitive though: shouldn't we be past the buffer overrun exploits? (I know much of my code is not, but I don't share it, it's quite specialized, and probably only useful for three people.... and that includes me, myself and I)

      1. sabroni Silver badge

        Re: shouldn't we be past the buffer overrun exploits?

        Yes, we really should.

        Thank fuck for Android's super updates system!

        1. dajames Silver badge

          Re: shouldn't we be past the buffer overrun exploits?

          Thank fuck for Android's super updates system!

          Ah, Irony! We don't use that here.

  2. nagyeger

    Dear Motorola

    please can I have a patch for my phone? Tnx.

    Dear Reg readers... is there ANY brand of <200quid phones that actually provides long term (> 2year) patch support?

    Or, put another way, what are the chances of me ending up with a non-bricked, fully-functional phone if I try installing lineageOS on it?

    1. Michael Habel Silver badge

      Re: Dear Motorola

      About the same as with those you spend 400+£€$$ on. If you stupid enough to get a Samsung Tablet.

      As to how safe it all is... Is down to a mixture of how well you can read, and follow directions off a Forum. But, as always the best place to start is on XDA-Developers.

      1. CrazyOldCatMan Silver badge

        Re: Dear Motorola

        But, as always the best place to start is on XDA-Developers

        Indeed. I tend to check there *before* I buy something for that very reason. And it's why my old OnePlus One is running a recent-ish version of LineageOS..

        (As is the OnePlus 3 that's my live in-use phone)

    2. Tim Seventh

      Re: Dear Motorola

      "Dear Reg readers... is there ANY brand of <200quid phones that actually provides long term (> 2year) patch support?"

      Any phone officially supported by lineageOS will likely have longer term patch support. In terms of <200quid phone, there are a number of brands that have phones at that price like asus, sony, LG, xiaomi, etc. It'll be better to search it yourself. If you can't decide, start searching from their second to first recent released phone.

      "Or, put another way, what are the chances of me ending up with a non-bricked, fully-functional phone if I try installing lineageOS on it?"

      If you picked a phone from the lineageOS official support list, then you'll have the highest chance of getting a non-bricked near fully-functional lineageOS rom. Otherwise, if you find your phone under xda-developers with threads of users tested the rom, then you'll have the second highest chance of getting a non-bricked near fully-functional lineageOS / custom rom. If you search around and only found one thread, a video or a website with a lineageOS / custom rom link, unless it gave you clear instruction, it'll have the lowest chance of not bricking your phone OS (if you didn't physically break the phone, you can reflash and try another rom).

      *near fully-functional because some developers will tell you some roms have known-issues.

      Since it sounds like you haven't flashed a lineageOS before, here are a few key tips if you are interested in flashing lineageOS / custom rom.

      - Unlock bootloader - Most OEM locks your phone so your phone can only install their rom. Unlocking it is required to install lineageOS and other custom rom. Different phone has different ways to unlock them. Search them first.

      - Phone driver - some phones require specific driver to be recognized by a PC before installing/ booting a custom recovery. Some phones may need it. Search them next.

      - Custom recovery - this is a different recovery from the OEM recovery, and it let's you wipe your phone and flash your firmware, lineageOS rom, root manager, and gapps. One known custom recovery is twrp recovery. Search for the device specific custom recovery should it be required.

      - rooting - this is to get admin right of phone. LineageOS should now come with it, but you'll need a "root manager" like Magisk to manager your apps for root. Most root manager needs to be flash in custom recovery and some need the apk installed afterward for it to work.

      - gapps - this is a google apps bundle. The bundle is device cpu specific and will not flash if you downloaded the wrong one. The bare minimum is gapps pico. This is optional for lineageOS but you might need it if you use google apps and apps that dependent on google api.

      - backups - if you haven't backed up before flashing lineageOS, well... do it now. Google backup only goes so far in terms of phone backup, so do test the backups before wiping the phone.

      tl;dr research lineageOS rom ahead to ensure no phone brick.

      1. Anonymous Coward
        Anonymous Coward

        Re: tl;dr research lineageOS rom ahead to ensure no phone brick.

        But if I want to buy a new/recent phone, how will I know whether lineageOS will eventually support it? There are (eg) lots of Moto phones suppported atm, but if I decide to buy a G5 it looks as if I'll just have to buy and hope! AFAICS each different generation seems to have a randomly chosen chipset/cpu, so it's not even like I can say "ah, the G5 seems to have a similar chipset to the G4, so it's a good bet I'll be ok"

    3. Anonymous Coward
      Anonymous Coward

      Re: Dear Motorola

      No, you have to spend money to get support. Software support is expensive (but you could argue they are getting the OS for free and should have diverted savings to software support)




      Premium Sony (not the mid range)


      These all get monthly or bi montly patches.

      1. big_D Silver badge

        Re: Dear Motorola

        @AC except not Nexus or Pixel, they only guarantee updates for 2 years and security updates for a further year. Better than most, but still not good.

        That said, at least when they are still supported, they get the updates promptly.

        1. ranger

          Re: Dear Motorola

          Does anyone know if there's ever been an attempt to force long term support through consumer rights? Could security bugs be classed as a defective product, giving (in theory) six years to claim. I don't know if there's any actual legal grounds for it, but it would be interesting to pursue, and would have the added benefit of making electronics firms take security seriously.

    4. Dr Mantis Toboggan

      Re: Dear Motorola

      Nope, this is something YOU needed to have considered at time of purchase, it's entirely your fault for putting other features or price above support, and you can't change your priorities now

      1. big_D Silver badge

        Re: Dear Motorola

        @Dr Mantis Toboggan, price has nothing to do with it. Even the Samsung Galaxy devices we have, which are premium devices, lag seriously behind.

        None of the devices we have, have received Oreo yet and the "best" devices have a patch level from Nougat August 2017... That's 3 months of patches out of date, including no KRACK patch.

      2. Jamie Jones Silver badge

        Re: Dear Motorola

        Dr Toboggan, ahhh with an attitude like that, I assume you don't enjoy the proper consumer rights laws we have in Europe..

        Don't worry though, the BRexiters have ensured we'll all be back to your level of expectancy ! Trump advisors have admitted as much!

    5. Anonymous Coward
      Anonymous Coward

      Re: Dear Motorola

      "is there ANY brand of <200quid phones that actually provides long term (> 2year) patch support?"

      Well depending on how you want to interpret "ANY" there is, well was. I bought my Microsoft 640XL for £122 at the end of June 2015. It got its last feature update in April 2017. It will continue to get monthly support patches till 11th June 2019. So monthly patches for a couple of weeks under 4 years.

      Microsoft managed to cock up a lot of things with their phone offering but they got the patching side right.

    6. phuzz Silver badge

      Re: Dear Motorola

      To save you the bother of searching, here is LineageOS's officially supported devices list. Of course, you still have to go through that list to see if there's any phones on it that fit your criteria on there.

    7. Ken Hagan Gold badge

      Re: Dear Motorola

      Amazon will sell you a used Samsung S5 in good nick for considerably less than 200 quid. (Other tat-vendors are available...) The S5 is one of the most widely used phones with Lineage ( so it won't just be you if something goes wrong. You don't have to root the phone ( If you are particularly doubtful of the procedure, you could try it on an even older phone. The S4 Mini is about a third of the price and also works OK.

      I'm citing these two Samsungs because I've actually done it with them. (I haven't looked back.) It shouldn't be taken as an endorsement of Samsung. (I put Lineage on because Samsung's support was so crap.) A glance at the stats will show that other brands also have thousands of users out there and your current handset may even be among them.

      Edit: If you do switch, give some thought to how you will transfer things like address books and saved media/messages/etc. Mostly these aren't terribly difficult as long as you plan ahead but are obviously nigh-on impossible after you've nuked the old contents of your storage. :)

  3. Anonymous Coward
    Anonymous Coward

    Yep patched

    All android devices in our house fully patched, painless job done.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yep patched

      Another happy Apple user.

    2. Anonymous Coward
      Anonymous Coward

      Re: painless job done

      a job in sales?

    3. Anonymous Coward
      Anonymous Coward

      Re: All android devices in our house fully patched, painless job done.

      Well indeed - as are all our devices up to date with the latest patches. It's just unfortunate that some of those "latest patches" date back to several years ago.

  4. Hans 1

    Dear Samsung, dear LG, dear Archos, where are my KRACK patches ?

    1. sabroni Silver badge

      Ask Google, they're the ones who thought an update mechanism would be too tricky to implement.

  5. Martin hepworth

    Patch availablity

    Patching my Andriod device, yeah right.

    It's getting better with any Oreo or later devices ,but even Oneplus have been really lax in getting these out, so I dont expect any big improvement soon unless you're dropping big ££$$ on Google's native kit

  6. RyokuMas

    It's 2017...

    ... and El Reg have swapped "Windows" for "Android" in their "you can still pwn [placeholder]" title generator...

  7. Anonymous Coward
    Anonymous Coward

    "This frame reports only one byte remaining after it's fixed fields.\n"

    I'd raise a CVE for the misplaced apostrophe to be honest. I'm just trying to come up with a suitable logo.

    1. Uncle Slacky Silver badge

      Re: "This frame reports only one byte remaining after it's fixed fields.\n"

      > I'm just trying to come up with a suitable logo.

      See icon.

    2. Gene Cash Silver badge

      Re: "This frame reports only one byte remaining after it's fixed fields.\n"

      From the end of the article: "He's also asked that the flaws he finds not be named or branded with a logo"

      Kudos to him.

    3. Anonymous Coward
      Thumb Up

      Re: "This frame reports only one byte remaining after it's fixed fields.\n"

      Well the name, at least, is obvious: Apostrophail.

  8. Starace

    Useless patch model

    If only someone had the foresight to engineer a system where signed driver and system patches could be applied to existing devices, without needing to affect any OEM specific bits.

    I mean you'd think by this stage some sort of proper update system might have been added, it's not like they haven't existed for years.

    Though I guess if forced obsolescence is your goal this isn't exactly a priority.

    1. Hans 1

      Re: Useless patch model

      We need a FSF phone OS that works on all phones => problem solved. Ideally, the system would have some sort of hardware detector to activate drivers ... I mean GNU/Linux does it quite nicely, we need that for phone OS' and I do not care if it is android based, it HAS TO BE FSF so we can apply patches as we see fit ... just like GNU/Linux.

      EDIT: so miffed I originally wrote FFS iso FSF ...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • To cut off all nearby phones with these Chinese chips, this is the bug to exploit
    Android patches incoming for NAS-ty memory overwrite flaw

    A critical flaw in the LTE firmware of the fourth-largest smartphone chip biz in the world could be exploited over the air to block people's communications and deny services.

    The vulnerability in the baseband – or radio modem – of UNISOC's chipset was found by folks at Check Point Research who were looking for ways the silicon could be used to remotely attack devices. It turns out the flaw doesn't just apply to lower-end smartphones but some smart TVs, too.

    Check Point found attackers could transmit a specially designed radio packet to a nearby device to crash the firmware, ending that equipment's cellular connectivity, at least, presumably until it's rebooted. This would be achieved by broadcasting non-access stratum (NAS) messages over the air that when picked up and processed by UNISOC's firmware would end in a heap memory overwrite.

    Continue reading
  • Google to pay $90m to settle lawsuit over anti-competitive behavior on the Play Store
    US developers that qualify could receive more than $200,000

    Google is to pay $90 million to settle a class-action lawsuit with US developers over alleged anti-competitive behavior regarding the Google Play Store.

    Eligible for a share in the $90 million fund are US developers who earned two million dollars or less in annual revenue through Google Play between 2016 and 2021. "A vast majority of US developers who earned revenue through Google Play will be eligible to receive money from this fund," said Google.

    Law firm Hagens Berman announced the settlement this morning, having been one of the first to file a class case. The legal firm was one of four that secured a $100 million settlement from Apple in 2021 for US iOS developers.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • FabricScape: Microsoft warns of vuln in Service Fabric
    Not trying to spin this as a Linux security hole, surely?

    Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

    The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

    Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading

Biting the hand that feeds IT © 1998–2022