On most unrooted, stock, Android phones, enabling tethering will run a "Provisioning Check" with your wireless provider to ensure that your data plan allows tethering. This post documents Tethr, a way to bypass the provisioning check on Android devices prior to version 7.1.2. After discovering this method I reported it to the Android bug bounty fixing the issue and receiving CVE-2017-0554.

Background

The ability to tether is controlled by your device's build.prop file, usually located at /system/build.prop . The default is to require the provisioning check before enabling tethering, but it can by bypassed by adding the following line:

net.tethering.noprovisioning=true

Unrooted devices can't edit /system/build.prop , so it is up to the ROM manufacturer to set this property. Some devices like the Google Nexus 6P default to net.tethering.noprovisioning=true . But this is an exception and not the norm. The Google Nexus 5X, Pixel, and Pixel 2 all perform provisioning checks.

Overview

When enabling tethering on Android, the OS will first do a provisioning check with the carrier to determine if the user’s plan allows tethering. If allowed, tethering is enabled, otherwise a message is displayed to the user.

If there is no sim card inserted then no provisioning check is performed, and tethering is allowed. Additionally, if tethering is enabled on a phone with no sim (not that this scenario would be of much use) and a SIM is then inserted, tethering is disabled as it should be.

However, if tethering is enabled while the radio is connecting, no provisioning check will be performed, and tethering will remain enabled after the radio connection is established.

The first issue I discovered is the ability for a user-installed application on a stock OS to reset the cellular modem. The second issue is the lack of a provisioning check once the cellular modem has finished reconnecting.

Together these bugs allow the Android OS to operate as if net.tethering.noprovisioning=true were specified in build.prop , even if it is not.

Tethr Demo

Before I dive into the details, observe the following video which demonstrates when enabling tethering in the Android system UI, a provisioning check is performed and tethering is not allowed. Then when using the Tethr demo app, the signal meter loses signal when the modem is resetting, and then tethering is successfully enabled.

Source code: github.com/lanrat/tethr

Compiled APK: Tethr.apk

Issue 1: Resetting radio via reflection

Java Reflection in Android can be used to allow application code to make calls to undocumented, or hidden APIs. This is not officially supported, and often strongly discouraged. It can however, allow app developers to do unsupported things, or in this case, bypass a permission check.

Resetting the cellular radio is performed in CellRefresh.java by calling CellRefresh.Refresh() .

CellRefresh does a number of things to reset the cellular connection on most Android versions, but on Android 6+ the following reflections are used:

getSystemService(Context.TELEPHONY_SERVICE).getITelephony().setCellInfoListRate() getSystemService(Context.CONNECTIVITY_SERVICE).mService.setMobileDataEnabled();

Older Android versions use the following reflections:

getSystemService(Context.CONNECTIVITY_SERVICE).mService.setRadio(); getSystemService(Context.TELEPHONY_SERVICE).getITelephony().disableDataConnectivity() getSystemService(Context.TELEPHONY_SERVICE).getITelephony().enableDataConnectivity()

Solution

The methods used should require the application to have the system or privileged permissions.

Issue 2: Tethering provisioning check race condition

In order to exploit the race condition and bypass the tethering provisioning check an Android PhoneStateListener and AccessibilityService are used to programmatically enable the desired tethering mode at exactly the right time.

First the network is reset as described above. While the reset is being performed the PhoneStateListener (TetherPhoneStateListener.java) listens for when the cellular network is down and then starts the system’s settings tethering dialog where the AccessibilityService (TetherAccessibilityService.java) finds the correct UI switch and toggles it.

The AccessibilityService and PhoneStateListener are not strictly required for this exploit. The user can manually toggle tethering at the correct time to have the same effect. Automating the process with an AccessibilityService makes the process easier to reproduce.

Solution

The provisioning check should happen each time the radio is reset when tethering is enabled in addition to checking when enabling tethering.

Testing

Tested Wireless Carriers:

Verizon

AT&T

Tested phones (all stock, locked bootloaders, OEM OS):

Nexus 5X running Android 6.0.1

Nexus 5X running Android 7.0.0

Nexus 5X running Android 7.1.1

Samsung Galaxy S7 running Android 6.0.1

Untested but should also work on:

Pixel (XL)

Other non-nexus devices that perform a provisioning check

As the Nexus 6P already has net.tethering.noprovisioning=true set in its stock build.prop there is no need for this exploit.

Fixes

After submitting to the Android Bug Bounty Google created two patches for Android 7.1.2 which fixed this issue.

Patch 1: Added permission check for setCellInfoListRate



Patch 2: Fixed the logic for tethering provisioning re-evaluation



After fixing the issue Google was kind enough to give me a Pixel XL for reporting it to their bug bounty.