
Vulnerability In Android Exposes Sensitive Data From RSSI Broadcasts, Can Be Used To Locate Users In Local Wifi Networks

Google has been hard at work cleaning up Android’s code and making future releases safer. They have consistently made design choices this year that would make security patches easier to deploy. Even after painstaking efforts by the devs to patch up vulnerabilities, there seems to be a new one cropping up.

Researchers have discovered a vulnerability in Android’s RSSI broadcasts. Android being open source, there are several communication channels between apps and the OS; one of them, the “intent” channel, lets an application broadcast system-wide messages that any other app can pick up. There are ways to restrict which apps a broadcast reaches, but some developers neglect to apply them, so these restrictions aren’t imposed properly.
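The restriction the paragraph refers to is something the broadcasting app controls. The following Java class is an added example, not code from the article or from Nightwatch Cybersecurity, showing the unprotected pattern next to two hardened forms: limiting delivery to a single package, and requiring receivers to hold a signature-level permission. The package name, action string and permission name are assumptions chosen for illustration.

```java
// Added example (not from the article): keeping an app's own broadcast from
// being readable by every other app on the device.
// Package, action and permission names are hypothetical.
package com.example.broadcastdemo;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

public final class SignalBroadcaster {
    // Hypothetical app-private action and permission. The permission must be
    // declared in AndroidManifest.xml; protectionLevel="signature" means only
    // apps signed with the same key as this one can ever hold it:
    //
    //   <permission android:name="com.example.broadcastdemo.permission.SIGNAL"
    //               android:protectionLevel="signature" />
    //   <uses-permission android:name="com.example.broadcastdemo.permission.SIGNAL" />
    static final String ACTION_SIGNAL = "com.example.broadcastdemo.SIGNAL";
    static final String PERMISSION_SIGNAL = "com.example.broadcastdemo.permission.SIGNAL";

    // Weak form: an implicit broadcast. Every installed app that registers a
    // receiver for ACTION_SIGNAL gets the extra, and the user is never asked.
    // This is the pattern the article describes as negligent.
    static void broadcastUnprotected(Context ctx, int level) {
        Intent i = new Intent(ACTION_SIGNAL).putExtra("level", level);
        ctx.sendBroadcast(i);
    }

    // Hardened form 1: pin the broadcast to one package. The intent becomes
    // explicit, so receivers in other packages never match it.
    static void broadcastToSelf(Context ctx, int level) {
        Intent i = new Intent(ACTION_SIGNAL)
                .putExtra("level", level)
                .setPackage(ctx.getPackageName());
        ctx.sendBroadcast(i);
    }

    // Hardened form 2: require the *receiver* to hold the signature permission.
    // An app that merely declares a receiver for ACTION_SIGNAL is skipped.
    static void broadcastWithPermission(Context ctx, int level) {
        Intent i = new Intent(ACTION_SIGNAL).putExtra("level", level);
        ctx.sendBroadcast(i, PERMISSION_SIGNAL);
    }

    // Receiver side of form 2: require the *sender* to hold the permission as
    // well, so a forged broadcast from an unprivileged app is dropped before
    // onReceive() runs. The null argument means "deliver on the main thread".
    static void registerProtectedReceiver(Context ctx, BroadcastReceiver receiver) {
        ctx.registerReceiver(receiver, new IntentFilter(ACTION_SIGNAL), PERMISSION_SIGNAL, null);
    }
}
```

Form 1 is the right default for data that never needs to leave the app; form 2 is for data shared between a vendor's own apps. Neither helps with the system broadcasts discussed below, since those are sent by the OS, not by the app that would like them protected.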

Google has implemented permissions in Android, which prompt the user before the OS hands over relevant data to an application. This is a great security feature, but unfortunately no special permission is required to receive the broadcast WiFi signal-strength value. The strength of the signal received by the device is represented by RSSI values, although these don’t correlate directly to physical dBm values.

Android version 9.0 uses a different “intent” for these values, “android.net.wifi.STATE_CHANGE”, while older versions still use the “android.net.wifi.RSSI_CHANGED” intent. Both give away RSSI values by broadcast, bypassing the permissions that would normally be required.
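A practitioner checking whether a particular build still exposes RSSI this way can register for both actions from an app that requests no permissions at all. The receiver below is an added example, not code from the article or from Nightwatch Cybersecurity; it reports only whether each broadcast carries the RSSI extra, which is what matters for verifying a patch level. It uses the public WifiManager constants whose string values are the two intent names quoted above (RSSI_CHANGED_ACTION is "android.net.wifi.RSSI_CHANGED", NETWORK_STATE_CHANGED_ACTION is "android.net.wifi.STATE_CHANGE"); the package name is an assumption, and the code targets the Android 7 to 9 API levels the article covers.

```java
// Added example (not from the article): a permission-less receiver that reports
// whether the two WiFi broadcasts carry an RSSI value on this device.
// The package name is hypothetical.
package com.example.rssicheck;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.wifi.WifiInfo;
import android.net.wifi.WifiManager;
import android.util.Log;

public final class RssiLeakCheck extends BroadcastReceiver {
    private static final String TAG = "RssiLeakCheck";

    // Dynamic registration: nothing is declared in the manifest and no
    // <uses-permission> entry exists, which is exactly the point being tested.
    public static RssiLeakCheck register(Context ctx) {
        IntentFilter filter = new IntentFilter();
        filter.addAction(WifiManager.RSSI_CHANGED_ACTION);          // "android.net.wifi.RSSI_CHANGED"
        filter.addAction(WifiManager.NETWORK_STATE_CHANGED_ACTION); // "android.net.wifi.STATE_CHANGE"
        RssiLeakCheck receiver = new RssiLeakCheck();
        ctx.registerReceiver(receiver, filter);
        return receiver;
    }

    // Call from onDestroy() of whatever registered the receiver.
    public static void unregister(Context ctx, RssiLeakCheck receiver) {
        ctx.unregisterReceiver(receiver);
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        String action = intent.getAction();
        boolean carriesRssi;
        if (WifiManager.RSSI_CHANGED_ACTION.equals(action)) {
            // Older releases attach the raw integer under EXTRA_NEW_RSSI.
            carriesRssi = intent.hasExtra(WifiManager.EXTRA_NEW_RSSI);
        } else if (WifiManager.NETWORK_STATE_CHANGED_ACTION.equals(action)) {
            // The state-change broadcast may attach a WifiInfo parcel; its
            // getRssi() field is the value in question, so presence of the
            // parcel is what we record.
            WifiInfo info = intent.getParcelableExtra(WifiManager.EXTRA_WIFI_INFO);
            carriesRssi = info != null;
        } else {
            return; // not one of the two actions we registered for
        }
        // Report presence only; the value itself is deliberately not logged.
        Log.i(TAG, action + (carriesRssi
                ? ": RSSI delivered to an app holding no permissions"
                : ": no RSSI in this broadcast"));
    }
}
```

Run it on a device, toggle WiFi or move between access points to trigger the broadcasts, and read the log. A build is fixed for a given intent only when that intent is logged without RSSI; a build where either action still reports RSSI behaves as the article describes.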

According to the source article from nightwatchcybersecurity, ordinary users can replicate this: install the “Internal Broadcaster Monitor” app, run it, and you will be able to observe the RSSI values broadcast by your device.

nightwatchcybersecurity tested this on several devices:

  • Pixel 2, running Android 8.1.0, patch level July 2018
  • Nexus 6P, running Android 8.1.0, patch level July 2018
  • Moto G4, running Android 7.0, patch level April 2018
  • Kindle Fire HD (8th gen), running Fire OS 5.6.10, which is forked from Android 5.1.1, updated April 2018
  • The router used was an ASUS RT-N56U running the latest firmware

All of them showed a unique range of RSSI values.

Google’s Response

Google has acknowledged the issue and classified it as moderate severity. It was partially fixed in Android 9.0, where one of the two intents no longer includes the sensitive data.

RSSI values can be used to geo-locate individuals on local WiFi networks. Given that the vulnerability affects every Android phone, irrespective of vendor, it can become a severe security issue if left unpatched.
