Android Wi-Fi Vulnerability (CVE-2017-0561) Fixes

TL;DR

The CVE-2017-0561 vulnerability affects many Android devices due to a flaw in the Broadcom Wi-Fi chip. A full fix relies on manufacturers releasing updates, which can be slow. Here’s how to mitigate risk while you wait, and what to do if an update isn’t available.

Understanding the Problem

CVE-2017-0561 is a serious cyber security vulnerability in Broadcom Wi-Fi chips used by many Android phone makers. It allows attackers to remotely execute code on your device simply by connecting to a malicious Wi-Fi network. This means they could potentially take control of your phone.

Steps to Mitigate the Risk

1. Check for Updates: This is always the first step.
   • Go to Settings > System > System update (the exact path varies by phone maker).
   • Install any available updates immediately. Manufacturers often include fixes for vulnerabilities like this in their regular security patches.
2. Disable Wi-Fi Direct: This feature is a common attack vector.
   • Go to Settings > Wi-Fi > Advanced (or similar).
   • Turn off Wi-Fi Direct. If you don’t use it, disabling it reduces your risk.
3. Be Careful with Public Wi-Fi: Avoid untrusted networks.
   • Only connect to Wi-Fi networks you know and trust.
   • Avoid public, open Wi-Fi hotspots without passwords whenever possible. If you must use them, use a Virtual Private Network (VPN).
4. Use a VPN: A VPN encrypts your internet traffic.
   • Install a reputable VPN app from the Google Play Store.
   • Connect to the VPN before using public Wi-Fi networks.
5. Check Your Device Manufacturer’s Security Bulletins: Manufacturers publish lists of patched vulnerabilities.
   • Search online for “[Your Phone Maker] security bulletin”. For example, “Samsung security bulletin”.
   • Look for CVE-2017-0561 in the list to confirm if your device has been patched.
6. Rooting and Custom ROMs (Advanced): If your manufacturer doesn’t provide updates…
   • Warning: Rooting voids your warranty and can brick your phone if done incorrectly. Proceed with extreme caution!
   • Consider installing a custom ROM like LineageOS that includes the security patch. These often have more up-to-date security features than official firmware.
     You may need to unlock your bootloader first, which will erase all data on your device.

   fastboot flashing unlock

7. ADB Verification (Advanced): Check if the vulnerable driver is present. This requires some technical knowledge and a computer with ADB installed.
   • Connect your phone to your computer via USB, ensuring USB debugging is enabled in Developer Options.
   • Open a command prompt or terminal.
   • Run the following command:

     adb shell ls /system/lib/modules

   • Look for a module named wpa_supplicant or similar Broadcom-related modules. The presence of these doesn’t *guarantee* vulnerability, but it indicates you may be affected.

Important Considerations

• No Guarantee: These workarounds don’t guarantee complete protection. They reduce your risk significantly, but a determined attacker might still find ways to exploit the vulnerability.
• Manufacturer Responsibility: The ultimate responsibility for fixing this lies with your phone manufacturer. Contact them and request an update if one isn’t available.