Android, Qualcomm move on insecure GPS almanac downloads
HTTPS? They've heard of it
Nearly a decade after it introduced assisted-GPS in its mobile chipsets, Qualcomm has squished a bug that allowed miscreants to mess around with people's location services, or crash their phones.
In 2007, Qualcomm made GPS signal acquisition faster by using an almanac of satellites. Instead of having to acquire signals blindly, Qualy's gpsOneXTRA tech tells the handset where it should be looking.
However, as Nightwatch Security Research noted in an advisory on Monday, some implementations use unencrypted and unauthenticated HTTP instead of HTTPS to fetch the almanac files. The issue's been given CVE-2016-5341.
The advisory notes that each time a device – in the Nightwatch test, it was a Motorola Moto G – connects to Wi-Fi, an operating system level process fetches the almanac.
“Our examination of network traffic and the Android source code revealed that the network calls did not use SSL or any other encryption or authentication technology, and that the specific files we tested were not digitally signed.”
A man-in-the-middle attacker could substitute a file with fake GPS information, the advisory states (Vulture South wonders if a malicious file could do other things to the target, but that wasn't tested by Nightwatch).
Faking the almanac data probably looks like a nuisance-level attack: the phone would cycle around looking for satellites that aren't there, with location disabled.
However, in its December security bulletin, Google noted that sending a fake .bin masquerading as the GPS almanac could hang devices, and gave it a “High” severity rating.
Google devices will get the 2016-12-05 security update over the air; owners of other 'droids have to wait until their OEMs roll out updates.
The bug only affects Android implementations, the advisory says, because they fetch their almanac files from the Qualcomm domains gpsonextra.net and izatcloud.net. Apple and Microsoft use internal mechanisms to deliver the files.
Qualcomm is working with its OEMs to switch to HTTPS connections to conceal and protect GPS almanac information in encrypted streams. ®
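To see which devices on a network still fetch the almanac in cleartext, the following added example (not code from the Nightwatch advisory, Qualcomm or Android) flags plain-HTTP requests to the two domains named above in proxy-log lines. The log format, client addresses, host labels and file path are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains named in the article as the almanac sources.
ALMANAC_DOMAINS = ("gpsonextra.net", "izatcloud.net")

# Constructed sample lines in an assumed format: time, client, method, URL.
SAMPLE_LOG = """\
2016-12-06T08:14:02Z 10.0.0.23 GET http://a.gpsonextra.net/example.bin
2016-12-06T08:14:05Z 10.0.0.23 GET https://a.izatcloud.net/example.bin
2016-12-06T08:15:11Z 10.0.0.40 GET http://B.IZATCLOUD.NET:80/example.bin
2016-12-06T08:16:30Z 10.0.0.41 GET http://gpsonextra.net.example.com/example.bin
2016-12-06T08:17:00Z 10.0.0.42 GET http://notgpsonextra.net/example.bin
malformed line
"""


def is_almanac_host(host):
    """True for a listed domain or any subdomain of it, not lookalikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALMANAC_DOMAINS)


def cleartext_almanac_fetches(log_text):
    """Return (client, host, path) for each plain-HTTP almanac request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, _, url = fields
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not parts.hostname:
            continue  # HTTPS requests and unparsable URLs are not flagged
        if is_almanac_host(parts.hostname):
            hits.append((client, parts.hostname, parts.path))
    return hits


if __name__ == "__main__":
    for client, host, path in cleartext_almanac_fetches(SAMPLE_LOG):
        print(f"{client} fetched {path} from {host} over cleartext HTTP")
```

Matching on the exact domain or a dot-separated suffix keeps lookalike hosts such as `gpsonextra.net.example.com` out of the results.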