CVE-2017-13322 - How a Logic Error in Android's PhoneInterfaceManager Could Block Emergency Calls

Android is known for its robust security model, but sometimes even a small logic error can have serious consequences. CVE-2017-13322 is a security flaw in Android that could let a normal app prevent your phone from calling 911 or other emergency numbers — meaning that during a critical moment, you might be unable to reach help. In this post, we'll break down what went wrong inside the endCallForSubscriber method of PhoneInterfaceManager.java, why it matters, and how an attacker could exploit it to cause a denial of service (DoS) for emergency calls. We'll use simple language and exclusive, easy-to-read explanations.

User Interaction Needed: No

This vulnerability means that a normal app—one you might download from Google Play—could block your ability to make emergency calls by exploiting a logic error, even though it has no special permissions.

How the Vulnerability Was Introduced

The root of the problem lies in a public method called endCallForSubscriber in the Android telephony service, which is responsible for ending ongoing calls. The goal is for only trusted system code to end emergency calls, but a logic error means even normal apps can terminate calls, including calls to emergency services.

Here’s a simplified snippet showing what this function does

// PhoneInterfaceManager.java (Simplified Example)
public boolean endCallForSubscriber(int subId) {
    enforceReadPrivilegedPhoneState("endCallForSubscriber"); // Supposed to check for permissions
    
    // Logic error: Emergency call check is missed or misplaced here
    
    Phone phone = getPhone(subId);
    if (phone != null) {
        return phone.endCall(); // Ends the call, even for emergency numbers
    }
    return false;
}

Where's the problem?
The code checks some permissions, but it doesn't properly verify if the call being ended is an emergency call. As a result, an attacker can call this API (e.g., via the public telephony service) and force-close any call—including an emergency call. There should have been a logic check restricting this action.

Let's say the user tries to call emergency services.

- The malicious app detects the outgoing call (using normal, allowed broadcast receivers or by polling call state APIs).

Proof-of-Concept (PoC) Snippet

Disclaimer: This is for educational purposes—never use it for malicious reasons.

Here's a conceptual Java/Kotlin PoC (works only on vulnerable Android versions with developer/root access):

// WARNING: This is a proof-of-concept for demonstrating the bug.
TelephonyManager telephonyManager = (TelephonyManager) context.getSystemService(Context.TELEPHONY_SERVICE);

try {
    // Reflection to access hidden methods
    Method getITelephony = telephonyManager.getClass().getDeclaredMethod("getITelephony");
    getITelephony.setAccessible(true);
    Object iTelephony = getITelephony.invoke(telephonyManager);

    // This would call endCall(), even for emergency calls (in vulnerable versions)
    Method endCall = iTelephony.getClass().getDeclaredMethod("endCallForSubscriber", int.class);
    endCall.setAccessible(true);
    endCall.invoke(iTelephony, /*subId=*/); // Or the right subscription ID
} catch (Exception e) {
    e.printStackTrace();
}

Note: Real modern Android versions require special permissions, but in the vulnerable versions, these protection checks were weak or missing.

Why This Is Serious

Emergency calls are the last line of defense in a crisis. If malware or a buggy app can stop your device from reaching 911, the results could be deadly. That's why Google treats these bugs with top priority.

References and More Reading

- Official Android Security Bulletin, January 2018
- CVE-2017-13322 on NVD (National Vulnerability Database)
- Android TelephonyManager Hidden Methods
- Android Open Source Project - PhoneInterfaceManager.java (reference)

Fix and Recommendations

Patched:
Google fixed this issue in the January 2018 update (Android Security Bulletin). The fix ensures that only the system or privileged apps can end emergency calls.

What You Should Do:

In Short

CVE-2017-13322 was a critical logic flaw in Android that let apps end emergency calls locally by exploiting a mistake in PhoneInterfaceManager.java. No permission or special action was needed. It could have put lives at risk, so it's a great example of why every line of code needs careful security review.

Stay safe—always update your phone!

*This post uses exclusive, clear explanations and code examples to help everyone understand why CVE-2017-13322 matters.*

Timeline

Published on: 01/17/2025 23:15:10 UTC
Last modified on: 01/23/2025 19:54:01 UTC