No fix in sight for Android Wi-Fi Direct vulnerability

Google and a security company don't see eye-to-eye over a bug that can cause some Android devices to reboot under a remote attacker's orders.
Written by Liam Tung, Contributing Writer

Some Android security bugs Google won't fix because fixing them could lead to other difficulties, and some bugs it's in no rush to fix because it deems them not serious enough to warrant a speedy patch.

A vulnerability in the latter camp has emerged this week. Core Security reported a bug to Google last September and published details about the flaw on Monday, after disagreeing with Google's assessment of the vulnerability. The flaw is found in Wi-Fi Direct, a Wi-Fi standard adopted in Android that allows devices such as smartphones, games consoles and laptops to connect to each other directly, without an access point.

Core Security's disclosure of the flaw this week was the last phase in an ongoing dispute between the two organisations over whether the bug is actually critical.

According to Core Security, an attacker could strike vulnerable Android smartphones when they scan for other Wi-Fi Direct devices, and a successful attack could trigger a reboot or 'denial of service'.

"An attacker could send a specially crafted 802.11 Probe Response frame causing the Dalvik subsystem to reboot because of an Unhandled Exception on WiFiMonitor class," Core Security said in its advisory.

Core Security reported the issue to Google's Android security team on September 26 and, following Google's confirmation that it had received the report, Core Security said it would publish details of the bug on October 20.

Just before the October deadline, the Android security team told Core Security the bug was "low severity" and that it didn't have a timeline for when it would release a fix. The security firm decided to withhold publishing details of the bug while it attempted to convince Google it was more serious than the search giant believed. However Google maintained its position and reiterated there was no timeline for a fix.

Core Security notified Google it intended to publish its advisory on January 26, which it has now done.

The bug has been confirmed to affect a subset of Android devices, including the Nexus 4 and Nexus 5 running Android 4.4.4 KitKat; the LD model D806 and Samsung SM-T310, both running Android 4.2.2; and the Motorola RAZR HD running Android 4.1.2. However, devices running Android 5.0.1 and Android 5.0.2 are not affected.

The bug is related to Android's use of a modified version of the *wpa_supplicant* Wi-Fi component to handle information exchange in Wi-Fi Direct.

"On some Android devices when processing a probe response frame with a WiFi-Direct(P2P) information element that contains a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException," Core Security said. "As this exception is not handled the Android system restarts."

One factor that reduces the severity of the bug is that WiFi Direct devices aren't always scanning for connections, Jon Oberheide, founder of Duo Security, told Threat Post. While the flaw can be exploited remotely, the attacker would also need to be nearby, he added.
