there's no plan to fix older versions
Le sigh.
Security researchers have found a way to sniff Android system broadcasts to expose Wi-Fi connection information to attackers. Tracked as CVE-2018-9489, the issue was discovered by Nightwatch Cybersecurity and published yesterday. If you can, upgrade to Android 9 (Pie), because there's no plan to fix older versions. What they …
@AC, smug isn't helpful. Fixes are.
Given the distribution of OS version by device volume (http://gs.statcounter.com/android-version-market-share/mobile-tablet/worldwide) and how version 9 doesn't even warrant its own break-out it seems to me collusion with the criminals to not patch older Android versions.
Would it not be possible to simply return false information through the API when the permission conditions are not met without actually changing or otherwise inappropriately affecting old APIs? Maybe I'm being naive...
How does one factor these decisions when phone manufacturers don't give an end of life on handsets?
Also, I'm not going to be forced to buy a google phone to be sure of getting updates, that's what lineage is for. So take your fancy updated Pixel2 and stick it where the sun doth not shine.
Essentially if you want updates your options are:
Apple
Buy anything else, and you are at the mercy of that manufacturer, and any network lock you have (if you cheapskate and go contract).
So how is this Google, or Android's fault? It's the manufacturers and networks that are the problem.....
I had an iPhone, didn't get on with it, it was pretty limited in its capability. My Pixel 2 does everything better than my iphone8 did, and does more besides. Very happy with it, considering it's £400 less.
No, it's the OEM's fault they forced Google's hand when Android started out. They wanted proprietary add-ons or they wouldn't sign on. It's only with Android the clear dominant OS that Google is able (starting with Nougat) to start taking back control of some of the core of the OS, but without the OEMs signing on, they never would've gotten off the ground in the first place against the iPhones.
Weird, as my Android phone has an update service... Do you even know what you are talking about??
You know that a mobile phone doesn't have a standard IBM PC architecture and HAL to hide behind, like a PC does that makes windows easier to update??? Each hardware is unique. Android is also open source, so unlike windows, it's not just one thing...
So before making yourself look like a clueless cretin in public, stick your brain in gear and think about the differences. The only valid comparison is Google's own devices and Apple's own devices, and guess what? Aside from the better quality control, security and auditing, there is nothing really different about them, they are serviced in very similar way, and very similar intervals..
And who controls that update service? The OEM, not Google. That's what I'm talking about. Google can't force security updates onto older phones because Android had to go through the OEMs before they can be released at all. Thus all the EOL complaints. It gets worse when SoC component manufacturers refuse to update their blob drivers (and they will NEVER open-source them for stiff competition reasons--they could always move on to IoT if push came to shove). Thus the transition with Nougat and so on. By placing more of the core of the OS under Google's direct control, they have a better chance of pushing security updates regardless of the will of the manufacturer. This also allows them to work around recalcitrant component manufacturers. With better control of the core, they can work around blob driver issues.
I must admit I have more frustrations about things that get changed or broken between updates than I do sense of relief from knowing that I'm running the latest version of something.
I'll probably get downvoted to oblivion for this, but a lot of the risks that get talked about really don't seem like that much of a threat to me personally so I don't see a compelling argument to patch against them.
This latest issue is a good example. If, by some stretch of the imagination, I do allow a piece of software to get onto my phone, and that software gets hold of data about which wifi networks I've been in sight of, then so what?
I may be missing something but I'm not particularly remarkable - I'm just some guy. If it ever did happen, why should I be worried that somebody, somewhere knew I'd been near the wifi in my local Costa? There were a couple of dozen people in there who saw me in person, and I don't perceive any particular threat from that.
Yeah, you need to think for a couple of seconds, and know a bit about the world, before any of this starts to get sinister.
OK - I'll plead stupidity here. Please explain to me why I, as an average Joe, should be threatened by an application's ability to know which wifi networks I've been near?
So there is a malicious app running on your machine with the ability to send arbitrary to its home.
That means the home can track the user based on the public ip address the request is coming from, in many countries this will be enough to locate to a city or closer (dependent on network structure). In fact if that app sometimes have permissions they can get the information and map wifi information to public ip as well.
Without permissions the only additional information that could be useful I can see is more precise location information inferred from the wifi network name (you are on starbucks wifi or in the library). DNS server name probably doesn't tell much useful, mac address gives information about the device, but I believe an app can get that much easier through the standard apis. As people have mentioned if you've got a malicious app on the device the end user probably has given permissions anyway.
I get that, but my question was in what way is that a threat to me (aside from any slight additional drain on battery)?
Unless I have been specifically targeted (and I won't be - I'm not James Bond, I'm just an average guy who happens to have an Android phone) I don't see why an arbitrary piece of software knows that my phone is in location 'x' is a threat.
Imagine if Google knew that you were passing a Brewery. Then imagine if the main rival to that brewery had a deal with Google so that whenever a phone passes that brewery or a pub that serves their beer, an advert was beamed to your phone telling you that the brewery you were passing was crap and that you could really drink this other beer.
Scale that up and you see what location based target advertising is all about.
You could even get adverts that include your name on an electronic billboard as you go past.
Is that the world you want?
I don't. Personally, I'd nuke all Ad agencies and then do the same to Google but that's just my opinion but as Google already know more about each and every one of us one more refusenik won't make a lot of difference in their battle with Amazon for world domination.
I get that, but my question was in what way is that a threat to me
The answer is that it might be or might not be. You don't have to be James Bond for this to be a problem.
Even in the UK, a journalist for a local paper might find this a problem if they have been trying to track down and write about corruption in the local council awarding planning approvals. An investigative journalist at a national newspaper will certainly be targeted, often by powerful or dangerous people (even if only reporting on extramarital affairs).
Abused women and children also need to have privacy (why do you think people aren't allowed to take photos of their children's school play? It isn't about paedophiles, it is about children who have been removed from abuse possibly being located by the abusers).
And, in some countries almost anyone might accidentally fall foul of government or criminal gangs and need to keep their location hidden.
Sure, maybe you have the luxury of living in a safe country, with no serious enemies and a boring job (just like I do). Or are qualified to make a full analysis of your security risks. But there are many people not in that position and manufacturers need to be forced to fix problems which put these people into danger.
Wi-Fi network name, BSSID, local IP addresses, DNS server information and the MAC address
Local IP addresses ?
So you can potentially sniff this information from a droid and gather the above info from all devices on the said Wifi Network? I guess from MAC you could potentially identify what equipment may be running on said wireless network. I could be missing some key point but I still can't see how this could be anything but just an annoying vulnerability that leaks some data which is pretty much useless.
Please correct me if I am wrong
Just because you don't use Failbook doesn't mean that it's not tracking you. But let's face it, fix this bug and another one will show up sooner or later. We're all being tracked these days, it's the way that the world works - what we have to do is try and make the information minimal. Android? iPhone? whatever - they are just handheld computers that receive spam phone calls, spam texts and spam emails. Don't do anything that you wouldn't want to advertise on the bogroom wall.
I posted the proof-of-concept that this could be done on this very web site (up to version 5.1 at least) a few months ago, but got no response.
Can I have a belated "scoop" article written please? :-)
https://forums.theregister.co.uk/forum/containing/3520637 (ish) (2 posts)
Apologies for the tone, I was responding to a trolling tosser!
In theory, this is information that a user can refuse an app permission to access, and this exploit is a way to get around that and access it anyway. In practice, almost everyone just blindly accepts whatever permissions an app asks for. So while it's not ideal that the flaw exists and won't be fixed in older versions, it's not really going to make any difference since malicious apps don't need to sneak around trying to find information that they'll be given if they just openly ask for it.
This isn't that big a deal for most users. The issue is that it's not requiring the ACCESS_NETWORK_STATE and ACCESS_WIFI_STATE permissions, which are both considered normal permissions in Android.
Normal permissions don't require explicit consent from the user and are granted on install automatically. So while it is a bug, it's not particularly important to the average user because the average user doesn't pore over Android manifests for every app they install and has likely already granted this permission to many apps.
Apps can already access this information via approved means without asking permission anyway.
“While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data”
So it's up to the developer to enable the "security" that protects sensitive data -- which they might want, but otherwise could not access without permission?
No one could possibly have anticipated that anything could go wrong there.
Isn't this issue all about wifi info leaking, to compromise networks used by the targeted user, not the location of the user?
Interestingly, it appears the enabling app has been available, with no updates, for almost 6 years, so that makes me wonder a bit why it has taken so long to be highlighted as a risk just now.
Which is great. For Google.
Anyone remember the story of the Florida man who killed his wife? Police found the body by asking the supplier of his flashlight app for the GPS coordinates of the phone while they suspected he was dumping the body.
Which the app suppliers had on their servers.
WTF is that app doing collecting that information. For what? And sending it home?
I know, that's Apple not Android, but (at the very least) there should be something that can basically feed (or generate) Bu***hit data if some app demands that access
Nope, because Google's apps are at the system level, AND they tend to dictate terms on hardware use, meaning they can pretty much detect BS data and there's no practical way to prevent this. Not to mention apps can probably detect BS data and respond by BS'ing YOU. Basically, it's either bend over or get off the airwaves and face the consequences of disconnecting from an always-connected society.
"Nope, because Google's apps are at the system level, AND they tend to dictate terms on hardware use,"
Indeed! Google does keep track of Google's own system apps as well as low-level hardware based apps such as Qualcomm's by regularly sending "hygiene" logs back to Google.
But for some reason, Google DOES NOT keep track of other system level apps which can allow signed, system level malware to go undetected.
I am testing a cheap Android device that has malware installed (and signed) by the device manufacturer that is very similar to the Adups fiasco.
The built in "Play Protect" scans do not test any system level apps and so says that everything is OK.
What the?
So why is it the application developer's responsibility to mask this information?
Networking is system level information that only the system should be aware of. Giving the responsibility to keep it private to the apps guys is like putting the personal details of government employees on the web and hoping that China/Russia won't steal it. Because as we all know, not all app developers are created equal. This is a big glaring security hole if you ask me.