mailing list archives
Android wireless accepts fake response (No interaction requires) (Vulnerability ?)
From: Security Mailing List <s3clist () hotmail com>
Date: Mon, 12 Mar 2012 13:25:01 +0700
## Android wireless accepts fake response (No interaction requires)
(Vulnerability ?) ##
:: Description ::
I have found Android device's behavior which I deem it is inappropriate.
I am not sure if it can be classified as a vulnerability. The problem
appears when an Android device have connected to hidden SSID wireless
networks. The default behavior of most OSes is to shout out to see if
there is an expected hidden SSID over there. A legitimate access point
would reply with a probe response. However, a rouge access point could
also reply with a fake probe response and continue further negotiation
until it captures WPA handshake. Android devices will automatically and
gratefully accept the fake response while other OSes, including Windows,
iOS, prevent this attack by checking BSSID (MAC address) in the probe
response packet if it match of legitimate access point. The response
will be discarded if the BSSID does not match.
This means that if your company uses hidden SSID wireless network. I
could steal you WPA key when your employees join any conferences. All of
attack processes require no user interactions, no social engineering.
:: Affected Versions ::
Other versions may be affected but I have not tested
:: Reproduce The Attack ::
1. Prepare two access points with the same SSID and same WPA key
2. Enable hidden SSID on both APs
3. Turn off on AP
4. Connect an Android device with the running AP
5. Turn off the first AP
6. Turn on the other AP
7. See your Android device automatically connect to the second AP
Note: If you repeat the same process with iPhone or Windows PC, you will
see that both devices will refuse to connect to the second AP because
BSSID of the second AP does not match with the first one.
:: Report Timeline ::
[+] 31 Jan 2012 :: Reserve CVE-ID from primary CNA (was assigned
[+] 2 Feb 2012 :: Submit in-depth details about this vulnerability to
android security team.
.... (No response) ....
[+] 12 March 2012 :: Submit to Full Disclosure
- Android wireless accepts fake response (No interaction requires) (Vulnerability ?) Security Mailing List (Mar 12)