Security bods: Android system broadcasts enable user tracking

Security researchers have found a way to sniff Android system broadcasts to expose Wi-Fi connection information to attackers. Tracked as CVE-2018-9489, the issue was discovered by Nightwatch Cybersecurity and published yesterday. If you can, upgrade to Android 9 (Pie), because there's no plan to fix older versions. What they …

  1. Halfmad

    there's no plan to fix older versions

    Le sigh.

    1. Anonymous Coward

      Re: there's no plan to fix older versions

      Yes, how convenient for the phone manufacturers (including google).

    2. Dan 55 Silver badge

      Re: there's no plan to fix older versions

      Another Android privacy hole, another minimum-effort fix by Google which will only be fully rolled out over years.

    3. Anonymous Coward

      Re: there's no plan to fix older versions

      Le typical.

  2. Anonymous Coward

    No issues here

    Pixel2

    But then I factored these sort of things in when I bought my phone...

    1. sorry, what?
      Unhappy

      Re: No issues here

      @AC, smug isn't helpful. Fixes are.

      Given the distribution of OS version by device volume (http://gs.statcounter.com/android-version-market-share/mobile-tablet/worldwide) and how version 9 doesn't even warrant its own break-out it seems to me collusion with the criminals to not patch older Android versions.

      Would it not be possible to simply return false information through the API when the permission conditions are not met without actually changing or otherwise inappropriately affecting old APIs? Maybe I'm being naive...

    2. Dan 55 Silver badge

      Re: No issues here

      But then again if you bought a Pixel 2 you've got other problems like these or these.

      1. Anonymous Coward

        Re: No issues here

        Weird, not had any of those problems at all on my (non XL) Pixel 2....

        I wonder if this is Apple or Samsung funded viral FUD...

        1. Anonymous Coward

          Re: I wonder if this is Apple or Samsung funded viral FUD...

          Companies paying for social media trolling? Surely not. There's no evidence of that here. No siree bob!!

          Also, Pixel 2 is ace!!!

          1. Solarflare

            Re: I wonder if this is Apple or Samsung funded viral FUD...

            Thanks for your input there, AC#1 and AC#2. Out of interest, when does your colourful Alphabet cheque arrive?

    3. Anonymous Coward

      Re: No issues here

      How does one factor these decisions when phone manufacturers don't give an end of life on handsets?

      Also, I'm not going to be forced to buy a google phone to be sure of getting updates, that's what lineage is for. So take your fancy updated Pixel2 and stick it where the sun doth not shine.

      1. Anonymous Coward

        Re: No issues here

        Essentially if you want updates your options are:

        Google

        Apple

        Buy anything else, and you are at the mercy of that manufacturer, and any network lock you have (if you cheapskate and go contract).

        So how is this Google, or Android's fault? It's the manufacturers and networks that are the problem.....

        I had an iPhone, didn't get on with it, it was pretty limited in its capability. My Pixel 2 does everything better than my iPhone 8 did, and does more besides. Very happy with it, considering it's £400 less.

        1. Anonymous Coward

          Re: So how is this Google, or Android's fault?

          Oooh, I know! It's because Google released android without putting in an update service! You know, for years they argued that it was too tricky to do, and now they're doing it. It's Google's fault because they released Android like that!

          1. Charles 9

            Re: So how is this Google, or Android's fault?

            No, it's the OEM's fault they forced Google's hand when Android started out. They wanted proprietary add-ons or they wouldn't sign on. It's only with Android the clear dominant OS that Google is able (starting with Nougat) to start taking back control of some of the core of the OS, but without the OEMs signing on, they never would've gotten off the ground in the first place against the iPhones.

          2. Anonymous Coward

            Re: So how is this Google, or Android's fault?

            Weird, as my Android phone has an update service... Do you even know what you are talking about??

            You know that a mobile phone doesn't have a standard IBM PC architecture and HAL to hide behind, like a PC does that makes windows easier to update??? Each hardware is unique. Android is also open source, so unlike windows, it's not just one thing...

            So before making yourself look like a clueless cretin in public, stick your brain in gear and think about the differences. The only valid comparison is Google's own devices and Apple's own devices, and guess what? Aside from the better quality control, security and auditing, there is nothing really different about them, they are serviced in a very similar way, and at very similar intervals.

            1. Charles 9

              Re: So how is this Google, or Android's fault?

              And who controls that update service? The OEM, not Google. That's what I'm talking about. Google can't force security updates onto older phones because Android had to go through the OEMs before they can be released at all. Thus all the EOL complaints. It gets worse when SoC component manufacturers refuse to update their blob drivers (and they will NEVER open-source them for stiff competition reasons--they could always move on to IoT if push came to shove). Thus the transition with Nougat and so on. By placing more of the core of the OS under Google's direct control, they have a better chance of pushing security updates regardless of the will of the manufacturer. This also allows them to work around recalcitrant component manufacturers. With better control of the core, they can work around blob driver issues.

  3. jason 7

    I gave up worrying about updates.

    The world keeps turning and stuff.

    Overblown IMO.

    1. Anonymous Coward

      Re: I gave up worrying about updates.

      I must admit I have more frustrations about things that get changed or broken between updates than I do sense of relief from knowing that I'm running the latest version of something.

      I'll probably get downvoted to oblivion for this, but a lot of the risks that get talked about really don't seem like that much of a threat to me personally so I don't see a compelling argument to patch against them.

      This latest issue is a good example. If, by some stretch of the imagination, I do allow a piece of software to get onto my phone, and that software gets hold of data about which wifi networks I've been in sight of, then so what?

      I may be missing something but I'm not particularly remarkable - I'm just some guy. If it ever did happen, why should I be worried that somebody, somewhere knew I'd been near the wifi in my local Costa? There were a couple of dozen people in there who saw me in person, and I don't perceive any particular threat from that.

      1. Anonymous Coward

        Re: don't seem like that much of a threat to me

        Yeah, you need to think for a couple of seconds, and know a bit about the world, before any of this starts to get sinister.

        Good luck to you, I hope your naivety never bites you in the arse.....!

        1. Anonymous Coward

          Re: don't seem like that much of a threat to me

          Yeah, you need to think for a couple of seconds, and know a bit about the world, before any of this starts to get sinister.

          OK - I'll plead stupidity here. Please explain to me why I, as an average Joe, should be threatened by an application's ability to know which wifi networks I've been near?

          1. The Mole

            Re: don't seem like that much of a threat to me

            So there is a malicious app running on your machine with the ability to send arbitrary to its home.

            That means the home can track the user based on the public IP address the request is coming from; in many countries this will be enough to locate to a city or closer (dependent on network structure). In fact if that app sometimes has permissions they can get the information and map wifi information to public IP as well.

            Without permissions the only additional information that could be useful I can see is more precise location information inferred from the wifi network name (you are on starbucks wifi or in the library). DNS server name probably doesn't tell much useful, mac address gives information about the device, but I believe an app can get that much easier through the standard apis. As people have mentioned if you've got a malicious app on the device the end user probably has given permissions anyway.

            1. Anonymous Coward

              Re: don't seem like that much of a threat to me

              I get that, but my question was in what way is that a threat to me (aside from any slight additional drain on battery)?

              Unless I have been specifically targeted (and I won't be - I'm not James Bond, I'm just an average guy who happens to have an Android phone) I don't see why an arbitrary piece of software knowing that my phone is in location 'x' is a threat.

              1. Anonymous Coward

                Re: don't seem like that much of a threat to me

                Imagine if Google knew that you were passing a Brewery. Then imagine if the main rival to that brewery had a deal with Google so that whenever a phone passes that brewery or a pub that serves their beer, an advert was beamed to your phone telling you that the brewery you were passing was crap and that you could really drink this other beer.

                Scale that up and you see what location based target advertising is all about.

                You could even get adverts that include your name on an electronic billboard as you go past.

                Is that the world you want?

                I don't. Personally, I'd nuke all Ad agencies and then do the same to Google but that's just my opinion but as Google already know more about each and every one of us one more refusenik won't make a lot of difference in their battle with Amazon for world domination.

              2. Graham Cobb Silver badge

                Re: don't seem like that much of a threat to me

                I get that, but my question was in what way is that a threat to me

                The answer is that it might be or might not be. You don't have to be James Bond for this to be a problem.

                Even in the UK, a journalist for a local paper might find this a problem if they have been trying to track down and write about corruption in the local council awarding planning approvals. An investigative journalist at a national newspaper will certainly be targeted, often by powerful or dangerous people (even if only reporting on extramarital affairs).

                Abused women and children also need to have privacy (why do you think people aren't allowed to take photos of their children's school play? It isn't about paedophiles, it is about children who have been removed from abuse possibly being located by the abusers).

                And, in some countries almost anyone might accidentally fall foul of government or criminal gangs and need to keep their location hidden.

                Sure, maybe you have the luxury of living in a safe country, with no serious enemies and a boring job (just like I do). Or are qualified to make a full analysis of your security risks. But there are many people not in that position and manufacturers need to be forced to fix problems which put these people into danger.

  4. tiesx150

    Well..... not great but at least the WiFi password isn't leaked so that's one positive. Data leak yes but major security hole: Not quite. You share more data by using Failbook ! ;)

    1. DropBear

      So if I don't use Failbook - which I don't - do I get to worry...?

      1. tiesx150

        Wi-Fi network name, BSSID, local IP addresses, DNS server information and the MAC address

        Local IP addresses?

        So you can potentially sniff this information from a droid and gather the above info from all devices on the said WiFi network? I guess from MAC you could potentially identify what equipment may be running on said wireless network. I could be missing some key point but I still can't see how this could be anything but just an annoying vulnerability that leaks some data which is pretty much useless.

        Please correct me if I am wrong

        1. J27

          No, just the addresses for that device. All the data is about the device the code is running on.

      2. Version 1.0 Silver badge

        Just because you don't use Failbook doesn't mean that it's not tracking you. But let's face it, fix this bug and another one will show up sooner or later. We're all being tracked these days, it's the way that the world works - what we have to do is try and make the information minimal. Android? iPhone? whatever - they are just handheld computers that receive spam phone calls, spam texts and spam emails. Don't do anything that you wouldn't want to advertise on the bogroom wall.

  5. Jamie Jones Silver badge
    Stop

    I posted how anyone could do this, 3 months ago.

    I posted the proof-of-concept that this could be done on this very web site (up to version 5.1 at least) a few months ago, but got no response.

    Can I have a belated "scoop" article written please? :-)

    https://forums.theregister.co.uk/forum/containing/3520637 (ish) (2 posts)

    Apologies for the tone, I was responding to a trolling tosser!

  6. Cuddles

    Does it matter in practice?

    In theory, this is information that a user can refuse an app permission to access, and this exploit is a way to get around that and access it anyway. In practice, almost everyone just blindly accepts whatever permissions an app asks for. So while it's not ideal that the flaw exists and won't be fixed in older versions, it's not really going to make any difference since malicious apps don't need to sneak around trying to find information that they'll be given if they just openly ask for it.

    1. Anonymous Coward

      Re: Does it matter in practice?

      Just because some people are careless doesn't mean that people who do care about privacy & security should be exposed by unpatched flaws.

  7. J27

    This isn't that big a deal for most users. The issue is that it's not requiring the ACCESS_NETWORK_STATE and ACCESS_WIFI_STATE permissions, which are both considered normal permissions in Android.

    Normal permissions don't require explicit consent from the user and are granted on install automatically. So while it is a bug, it's not particularly important to the average user because the average user doesn't pore over Android manifests for every app they install and has likely already granted this permission to many apps.

    Apps can already access this information via approved means without asking permission anyway.

    1. Charles 9

      Even on Marshmallow and up when permissions are only asked on first use?

  8. fidodogbreath

    “While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data”

    So it's up to the developer to enable the "security" that protects sensitive data -- which they might want, but otherwise could not access without permission?

    No one could possibly have anticipated that anything could go wrong there.

  9. ecofeco Silver badge
    Alert

    Your wi fi should be off by default

    Keep your phone wi fi off by default. Only use it when needed.

    Mine is off even at home.

    1. Anonymous Coward

      Re: Your wi fi should be off by default

      Doesn't that just mean they can pick you up from tower triangulation and your mobile IP? Seems you lose either way. You own a phone (even a dumb phone, as that still uses the tower data) they own you.

      1. ROC

        Re: Your wi fi should be off by default

        Isn't this issue all about wifi info leaking, to compromise networks used by the targeted user, not the location of the user?

        Interestingly, it appears the enabling app has been available, with no updates, for almost 6 years, so that makes me wonder a bit why it has taken so long to be highlighted as a risk just now.

  10. John Smith 19 Gold badge
    Unhappy

    The leakier those permissions are the more data can collect on you.

    Which is great. For Google.

    Anyone remember the story of the Florida man who killed his wife? Police found the body by asking the supplier of his flashlight app for the GPS coordinates of the phone while they suspected he was dumping the body.

    Which the app suppliers had on their servers.

    WTF is that app doing collecting that information. For what? And sending it home?

    I know, that's Apple not Android, but (at the very least) there should be something that can basically feed (or generate) Bu***hit data if some app demands that access

    1. Anonymous Coward

      Re: The leakier those permissions are the more data can collect on you.

      Nope, because Google's apps are at the system level, AND they tend to dictate terms on hardware use, meaning they can pretty much detect BS data and there's no practical way to prevent this. Not to mention apps can probably detect BS data and respond by BS'ing YOU. Basically, it's either bend over or get off the airwaves and face the consequences of disconnecting from an always-connected society.

      1. Anonymous Coward

        Re: The leakier those permissions are the more data can collect on you.

        "Nope, because Google's apps are at the system level, AND they tend to dictate terms on hardware use,"

        Indeed! Google does keep track of Google's own system apps as well as low-level hardware based apps such as Qualcomm's by regularly sending "hygiene" logs back to Google.

        But for some reason, Google DOES NOT keep track of other system level apps which can allow signed, system level malware to go undetected.

        I am testing a cheap Android device that has malware installed (and signed) by the device manufacturer that is very similar to the Adups fiasco.

        The built in "Play Protect" scans do not test any system level apps and so says that everything is OK.

  11. Maelstorm Bronze badge
    FAIL

    They failed again...

    What the?

    So why is it the application developer's responsibility to mask this information?

    Networking is system level information that only the system should be aware of. Giving the responsibility to keep it private to the apps guys is like putting the personal details of government employees on the web and hoping that China/Russia won't steal it. Because as we all know, not all app developers are created equal. This is a big glaring security hole if you ask me.
