Core Security put out a security advisory on Seclists on Monday indicating that attackers could potentially remotely execute a denial-of-service attack or force a reboot when the targeted Android device scanned for Wi-Fi Direct devices to which it could connect.
Wi-Fi Direct is wireless technology that enables two devices to connect to each other over peer-to-peer Wi-Fi without a router, and has been on an assortment of consumer electronics devices, including smartphones and Wi-Fi adapters, since 2008.
“Some Android devices are affected by a Denial of Service attack when scanning for WiFi Direct devices,” reads the advisory from the Boston-based security firm.
“An attacker could send a specially crafted 802.11 Probe Response frame causing the Dalvik subsystem to reboot because of an Unhandled Exception on the WiFiMonitor class.”
This vulnerability (CVE-2014-0997) affects the Nexus 5 and Nexus 4 smartphones running on Android 4.4.4 as well as the LG D806 and Samsung SM-T310 on Android 4.2.2. The Motorola RAZR HD, on Android 4.1.2, is also at risk. The latest major version of Android – 5.0 Lollipop – is not vulnerable, however.
Researchers alerted Google to this issue last September, although the search giant – which responded within the given time-frame in October – said that the issue is ‘low risk’ and it has no immediate plans to patch.
Core Security held off on publishing these details as it tried to convince the tech giant to change its mind. However, the situation has not changed so Core Security told Google it would publish the advisory on 26 January, which it has now done.
Carl Leonard, security researcher and regional head at Websense Security Labs, agrees that the risk is low, with a would-be attacker needing to be close by to remotely compromise an Android device.
“Having reviewed this from a risk perspective the risk is low. Although proof of concept code could be utilised by someone with ill intent, due to the close proximity required the average Android user shouldn't be alarmed just yet,” he told SCMagazineUK.com.
Tom Wilson, research analyst at pentesting outfit Nettitude, agreed that the attacker would need to be nearby but said that there were clearly situations where the flaw could be exploited.
“This appears to be a denial of service bug that requires the attacker to be within proximity of the hardware,” he said in an email to SC. “Clearly, there will always be situations where this could be used within higher risk environments or targets where the impact could be significant, but the vulnerability itself is not a game-changer. As we have seen in recent days, Google has been releasing zero-days for other vendors while bugs remain in Android 4.3 and below.
“There is currently lots of discussion about the exploitable bugs in their WebKit rendering code. The problems reportedly affect over 60 percent of Android users and there are already 11 exploits for WebKit available in Metasploit.”