Shared design flaws discovered in Huawei, LG, and Xiaomi smartphones allowed attackers to hijack file transfer sessions
Security vulnerabilities in the direct file transfer applications of popular smartphone makers allow attackers to send malicious files to mobile devices, a security researcher has found.
In a study of the peer-to-peer (P2P) file-sharing features of Android phones manufactured by Huawei, LG, and Xiaomi, Doyensec application security engineer Lorenzo Stella found shared design flaws that allowed malicious apps to easily hijack transfer sessions.
Access to file-sharing services
Previous research on the WiFi Direct protocol focused on the network architecture, covering the discovery and connection processes and the various frame formats.
“We instead focused on what happens after a local P2P WiFi connection is created between two devices, specifically in the application layer, analyzing file transfer applications featured in many custom Android ROM shipped by the various vendors,” Stella told The Daily Swig.
Most OEMs use a File Transfer Controller or Client (FTC) and a File Transfer Server (FTS) to establish WiFi connections between devices, manage sessions, and transfer files.
In his research, Stella found that after the P2P WiFi connection is established, its interface will become available to every application that has android.permission.INTERNET.
“Because of this, local apps can interact with the FTS and FTC services spawned by the file sharing applications on the local or remote device clients, opening the door to a multitude of attacks,” Stella wrote in a blog post that details the vulnerabilities.
Hijacking file-sharing sessions
Stella found that after creating a session on SmartShare Beam, the P2P file-sharing feature of LG phones, sending files to the receiving port requires no authentication.
The service also uses a hard-coded receiving port and generates its session IDs from a very small pool of random numbers. This makes it easy for a malicious app to hijack the file transfer session and send a malicious file to the receiving device.
“After a P2P WiFi connection is established (for example, when a user wants to send a file) any other application running on the user’s device is able to use the P2P interface to interfere with the transfer,” Stella said.
“For LG SmartShare Beam we found that no authorization from the end user was required to push a file to the remote or local device.”
Some attacks could be blocked by mutual TLS authentication that uses per-session certificates
In the blog post, Stella also notes that an attacker can change the name of the sent file or send multiple files in a single transaction.
Huawei’s ‘Share’ service didn’t have the same design flaws but suffered from stability issues. A third-party app can cause the FTS service to crash and launch its own malicious service to hijack file transfer sessions.
“The crashes are undetectable both to the device’s user and to the file recipient. Multiple crash vectors using malformed requests were identified, making the service systemically weak and exploitable,” Stella writes.
Finally, Stella examined Xiaomi’s ‘Mi Share’ feature, which was prone to denial-of-service (DoS) attacks and had weak randomized session numbers.
“The security design of these applications could benefit from several improvements to guard against rogue local apps,” Stella said.
For example, adding mutual TLS authentication using per-session certificates could help to prevent some of the described attacks, Stella notes, given the certificates are generated and exchanged via BLE before the P2P network is created and are not renegotiated after the initial connection.
The applications must also avoid unencrypted and unauthenticated traffic.
“This would still not guarantee the stability of the services (i.e. if any DoS is found) but could be effective against rogue applications’ attacks trying to crash the service,” he says.
A fragmented landscape
P2P WiFi file transfer has existed for 10 years, but device manufacturers have not yet managed to consolidate their solutions and insist on their own proprietary applications, which makes it difficult to secure them.
“While the core technology has always been there, OEMs still struggle to defend their own P2P sharing flavors,” Stella writes, adding other mobile file transfer solutions might also be vulnerable to attacks he has found.