A vulnerability has been found in the Android operating system which broadcasts sensitive system data through WiFi broadcasting signals. This vulnerability is found to send out this data to all applications on the device to use as desired. This means that your WiFi network name, BSSID, local IP addresses, DNS server information, and MAC address are all revealed to applications on the device to use, information which would other wise require the penetration of a few layers of security before coming out plain.
In versions of the Android operating system 6 and above, some of this information is either unavailable or tougher to access but the principle of bypassing the security stands that if native applications pay attention to the broadcasts, they can decipher and derive this information.
The greatest concern with information such as a device’s MAC address getting out is the fact that MAC addresses are unique to the particular devices they represent. Using such information, a particular device can be tracked despite the employment of MAC address randomization. Using databases like WiGLE, a device’s physical location can also be tracked by matching its network name and BSSID against the information available in the database. This is a severe violation of privacy and security of individuals through their devices.
All versions of Android irrespective of the device models and brands they’re running on are expected to be affected by this vulnerability. The vulnerability has been given the CVE identification label CVE-2018-9489 for further investigation. It is believed to affect the Amazon Fire OS on the Kindle as well in the same way.
It seems that Google has updated its latest operating system versions Android P and 9 to mitigate this security vulnerability but there is no news yet on whether the company intends to resolve the issue in older versions of the operating system as well, and if so, when. Researchers are still looking into this vulnerability to discover whether any other operating systems are affected or whether the concept is being used to exploit random devices remotely as well.