Novel Abuses On Wi-Fi Direct Mobile File Transfers10 Dec 2020 - Posted by Lorenzo Stella
The Wi-Fi Direct specification (a.k.a. “peer-to-peer” or “P2P” Wi-Fi) turned 10 years old this past April. This 802.11 extension has been available since Android 4.0 through a dedicated API that interfaces with a devices’ built-in hardware which directly connects to each other via Wi-Fi without an intermediate access point. Multiple mobile vendors and early adopters of this technology quickly leveraged the standard to provide their products with a fast and reliable file transfer solution.
After almost a decade, a huge majority of mobile OEMs still rely on custom locked-in implementations for file transfer, even if large cross-vendors alliances (e.g. the “Peer-to-Peer Transmission Alliance”) and big players like Google (with the recent “Nearby Share” feature) are moving to change this in the near future.
During our research, three popular P2P file transfer implementations were studied (namely Huawei Share, LG SmartShare Beam, Xiaomi Mi Share) and all of them were found to be vulnerable due to an insecure shared design. While some groundbreaking research work attacking the protocol layer has already been presented by Andrés Blanco during Black Hat EU 2018, we decided to focus on the application layer of this particular class of custom UPnP service.
This blog post will cover the following topics:
- A Recurrent Design Pattern
- LG SmartShare Beam
- Huawei Share
- Xiaomi Mi Share
A Recurrent Design Pattern
On the majority of OEMs solutions, mobile file transfer applications will spawn two servers:
- A File Transfer Controller or Client (FTC), that will manage the majority of the pairing and transfer control flow
- A File Transfer Server (FTS), that will check a session’s validity and serve the intended shared file
These two services are used for device discovery, pairing and sessions, authorization requests, and file transport functions. Usually they are implemented as classes of a shared parent application which orchestrate the entire transfer. These components are responsible for:
- Creating the Wi-Fi Direct network
- Using the standard UPnP phases to announce the device, the file service description (
/description.xml), and events subscription
- Issuing a UPnP remote procedure call to create a transfer request with another peer
- Upon acceptance from the recipient, uploading the target file through an HTTP POST/PUT request to a defined location
An important consideration for the following abuses is that after a P2P Wi-Fi connection is established, its network interface (
p2p-wlan0-0) is available to every application running on the user’s device having
android.permission.INTERNET. Because of this, local apps can interact with the FTS and FTC services spawned by the file sharing applications on the local or remote device clients, opening the door to a multitude of attacks.
LG SmartShare Beam
Smartshare is a stock LG solution to connect their phones to other devices using Wi-Fi (DLNA, Miracast) or Bluetooth (A2DP, OPP). The Beam feature is used for file transfer among LG devices.
Just like other similar applications, an FTS (
com.lge.wfds.service.send.tx) and an FTC (
com.lge.wfds.service.send.rx) are spawned and listening on ports
As a way of example, the following HTTP requests demonstrate the FTC and the FTS in action whenever a file transfer session between two parties is requested. First, the FTS performs a
CreateSendSession SOAP action:
POST /FileTransfer/control.xml HTTP/1.1 Connection: Keep-Alive HOST: 192.168.49.1:55003 Content-Type: text/xml; charset="utf-8" Content-Length: 1025 SOAPACTION: "urn:schemas-wifialliance-org:service:FileTransfer:1#CreateSendSession" <?xml version="1.0" encoding="UTF-8"?> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <s:Body> <u:CreateSendSession xmlns:u="urn:schemas-wifialliance-org:service:FileTransfer:1"> <Transmitter>Doyensec LG G6 Phone</Transmitter> <SessionInformation><?xml version="1.0" encoding="UTF-8"?><MetaInfo xmlns="urn:wfa:filetransfer" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:wfa:filetransfer http://www.wi-fi.org/specifications/wifidirectservices/filetransfer.xsd"><Note>1 and 4292012bytes File Transfer</Note><Size>4292012</Size><NoofItems>1</NoofItems><Item><Name>CuteCat.jpg</Name><Size>4292012</Size><Type>image/jpeg</Type></Item></MetaInfo> </SessionInformation> </u:CreateSendSession> </s:Body> </s:Envelope>
SessionInformation node embeds an entity-escaped standard Wi-Fi Alliance schema, urn:wfa:filetransfer, transmitting a CuteCat.jpg picture.
The file name (
MetaInfo/Item/Name) is displayed in the file transfer prompt to show to the final recipient the name of the transmitted file. By design, after the recipient’s confirmation, a
CreateSendSessionResponse SOAP response will be returned:
HTTP/1.1 200 OK Date: Sun, 01 Jun 2020 12:00:00 GMT Connection: Keep-Alive Content-Type: text/xml; charset="utf-8" Content-Length: 404 EXT: SERVER: UPnPServer/1.0 UPnP/1.0 Mobile/1.0 <?xml version="1.0" encoding="UTF-8"?> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <s:Body> <u:CreateSendSessionResponse xmlns:u="urn:schemas-wifialliance-org:service:FileTransfer:1"> <SendSessionID>33</SendSessionID> <TransportInfo>tcp:55432</TransportInfo> </u:CreateSendSessionResponse> </s:Body> </s:Envelope>
This will contain the
TransportInfo destination port that will be used for the final transfer:
PUT /CuteCat.jpeg HTTP/1.1 User-Agent: LGMobile Host: 192.168.49.1:55432 Content-Length: 4292012 Connection: Keep-Alive Content-Type: image/jpeg .... .Exif..MM ...<redacted>
What could go wrong?
Unfortunately this design suffers many issues, such as:
- A valid session ID isn’t required to finalize the transfer
CreateSendSessionResponseis issued, no authentication is required to push a file to the opened RX port. Since the
DEFAULT_HTTPSERVER_PORTfor the receiver is hardcoded to be
55432, any application running on the sender’s or recipient’s device can hijack the transfer and push an arbitrary file to the victim’s storage, just by issuing a valid
PUTrequest. On top of that, the current Session IDs are easily guessable, since they are randomly chosen from a small pool (
- File names and type can be arbitrarily changed by the sender
Since the transferred file name is never checked to reflect the one initially prompted to the user, it is possible for an attacker to specify a different file name or type from the one initially shown just by changing the
PUTrequest path to an arbitrary value.
- It is possible to send multiple files at once without user confirmation
Once the RX port (
DEFAULT_HTTPSERVER_PORT) is opened, it is possible for an attacker to send multiple files in a single transaction, without prompting any notification to the recipient.
Because of the above design issues, any malicious third-party application installed on one of the peers’ devices may influence or take over any communication initiated by the legit LG SmartShare applications, potentially hijacking legit file transfers. A wormable malicious application could abuse this insecure design to flood the local or remote victim waiting for a file transfer, effectively propagating its malicious APK without user interaction required. An attacker could also abuse this design to implant arbitrary files or evidence on a victim’s device.
Huawei Share is another file sharing solution included in Huawei’s EMUI operating system, supporting both Huawei terminals and those of its second brand, Honor.
In Huawei Share, an FTS (
com.huawei.android.wfdft.fts) and an FTC (
com.huawei.android.wfdft.ftc) are spawned and listening on ports
On a high level, the Share protocol resembles the LG SmartShare Beam mechanism, but without the same design flaws.
Unfortunately, the stumbling block for Huawei Share is the stability of the services: multiple HTTP requests that could respectively crash the
FTSService were identified. Since the crashes could be triggered by any third-party application installed on the user’s device and because of the UPnP General Event Notification Architecture (GENA) design itself, an attacker can still take over any communication initiated by the legit Huawei Share applications, stealing Session IDs and hijacking file transfers.
Abusing FTS/FTC Crashes
In the replicated attack scenario, Alice and Bob’s devices are connected and paired on a Direct Wi-Fi connection. Bob also unwittingly runs a malicious application with little or no privileges on his device.
In this scenario, Bob initiates a file share through Huawei Share 1. His legit application will, therefore, send a
CreateSession SOAP action through a POST request to Alice’s
FTCService to get a valid
SessionID, which will be used as an authorization token for the rest of the transaction. During a standard exchange, after Alice accepts the transfer on her device, a file share event notification (
NOTIFY /evetSub) will fire to Bob’s
FTSService will then be used to serve the intended file.
NOTIFY /evetSub HTTP/1.1 Content-Type: text/xml; charset="utf-8" HOST: 192.168.49.1 NT: upnp:event NTS: upnp:propchange SID: uuid:e9400170-a170-15bd-802e-165F9431D43F SEQ: 1 Content-Length: 218 Connection: close <?xml version="1.0" encoding="utf-8"?> <e:propertyset xmlns:e="urn:schemas-upnp-org:event-1-0"> <e:property> <TransportStatus>1924435235:READY_FOR_TRANSPORT</TransportStatus> </e:property> </e:propertyset>
Since an inherent time span exists between the manual acceptance of the transfer by Alice and its start, the malicious application could perform a request with an ad-hoc payload to trigger a crash of
FTSService 2 and subsequently bind to the same port its own
FTSService 3. Because of the UPnP event subscription and notification protocol design, the
NOTIFY event including the
1924435235 in the example above) can now be intercepted by the fake
FTSService 4 and used by the malicious application to serve arbitrary files.
The crashes are undetectable both to the device’s user and to the file recipient. Multiple crash vectors using malformed requests were identified, making the service systemically weak and exploitable.
Xiaomi Mi Share
Introduced with MIUI 11, Xiaomi’s MiShare offers AirDrop-like file transfer features between Mi and Redmi phones. Recently this feature was extended to be compatible with devices produced by the “Peer-to-Peer Transmission Alliance” (including vendors with over 400M users such as Xiaomi, OPPO, Vivo, Realme, Meizu).
Due to this transition, MiShare internally features two different sets of APIs:
- One using bare HTTP requests, with many RESTful routes
- One using mainly Websockets Secure (WSS) and only a handful of HTTPS requests
The websocket-based API is currently used by default for transfers between Xiaomi Devices and this is the one we assessed. As in other P2P solutions, several minor design and implementation bugs were identified:
The JSON-encoded parcel sent via WSS specifying the file properties is trusted and its
fileSizeparameter is used to check if there is available space on the device left. Since this is the sender’s declared file size, a Denial of Service (DoS) exhausting the remaining space is possible.
Session tokens (
taskId) are 19-digits long and a weak source of entropy (java.util.Random) is used to generate them.
Just like the other presented vendor solutions, any third-party application installed on the user’s device can meddle with MiShare’s exchange. While several DoS payloads crashing MiShare are also available, for this vendor the file transfer service is restarted very quickly, making the window of opportunity for an attack very limited.
On a brighter note, the Mi Share protocol design was hardened using per-session TLS certificates when communicating through WSS and HTTPS, limiting the exploitability of many security issues.
Some of the attacks described can be easily replicated in other existing mobile file transfer solutions. While the core technology has always been there, OEMs still struggle to defend their own P2P sharing flavors. Other common vulnerabilities found in the past include similar improper access control issues, path traversals, XML External Entity (XXE), improper file management, and monkey-in-the-middle (MITM) of the connection.
All vulnerabilities briefly described in this post were responsibly disclosed to the respective OEM security teams between April and June 2020.