Tightwads
$1,337, what a reward (apart from leet) for a bug that can affect a billion phones. What a bunch of tightwads!
Android smartphones can be secretly infected by malware smuggled in via video text messages, allowing criminals to sneak inside as many as 950 million devices. You just need to know a victim's cellphone number to silently inject malicious software in their vulnerable gizmo. Once infected, your mobe's camera and mic can be used …
Let me see, a vector that is present on every single Android phone on the market, cannot be stopped and can barely be contained, with the end game being complete control of all data on the phone for a billion potential users?
I'd say one million US dollars would not be much compared to the cost of the PR disaster if this weakness had been discovered by malware users and exploited.
PR disaster to whom? Google have a nice fix already; the blame for any infections will be firmly placed at the door of Vodafone/EE/SFR/Sprint/etc., who never ship upgrades after the first year or so. Agreed $1337 isn't much, but $1m is way over the top. Maybe $10K and a new Nexus phone?
Looking at the exploit market (there's a nice article on Bruce Schneier's blog today) it would be in the hundreds of thousands of dollars at a guess. An exclusive 0-day for the desktop is about $100-$150k. A generic unpatchable flaw for a billion phones - well, perhaps $1 million isn't too fanciful after all.
Hopefully Microsoft will release a Windows Mobile installer for Android handsets via their work with Cyanogen, then at least there will be a more secure OS update option.
(From existing dual boot testing on the same hardware, we already know WM is faster and the battery lasts longer too.)
Article at NPR suggests the immediate removal of Google Hangouts:
http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text
"The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says."
Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:
media.stagefright.enable-player=false
(Root is required to modify build.prop)
Wiping the MMSC, MMS proxy & MMS port APN fields *might* help; it should stop it fetching any MMS body. No guarantees though, and I'd bet on there being plenty of other ways to trigger stagefright badness.
There's simply no excuse for carriers and device manufacturers not being able to quickly push a dll update and nail this. Won't happen without heavy-handed regulation - or at least the threat of huge fines.
On some networks you can't receive MMS without first sending one, so a large number of users might quite accidentally be protected because only hackers are likely to voluntarily use MMS today. That's assuming their SMS use didn't trigger conversion of long texts to MMS though.
Right:
- I have turned off MMS upload (never used the system anyway)
- I don't use Hangouts
- I never installed Viber.
- Media playback by VLC
What else?
Why are you assuming that VLC is any safer than, say, Kodi?! Do you even know what Stagefright does?! Or would you just be assuming that it's only something that gets installed along with Kodi?!
FYI -- Stagefright is the hardware acceleration CODECs needed by your device in order to play back pretty much every media file you have, and unless I'm missing my guess here, this shall also include such mundane things as *.mp3s.
So someone shall have to explain this one to me: why should VLC be any safer than the next player?!
I wonder how hard this would be to block at the MMSC end? Although we all know how much networks like to get off their arse and do something useful... They love acting as dumb pipes, but only when it suits them!
Oh well, given I haven't received an MMS in over a year, I just mangled the details in the APN... That should keep things safe... At least until an update arrives, which I expect won't be long on my Nexus.
I fear for the security of OEM devices though.
Later Slashdot commentary suggests disabling several more stagefright booleans in build.prop; I have only left the recording entry enabled, and even that may be a mistake. I am running Alliance on Exynos; stock may have more concerns. I've survived several reboots with stagefright lobotomized.
Great, so I managed to kill off stagefright... How the hell do I use my seemingly legit Kodi install (Google Play Store) to watch stuff on my phablet now?! Speaking of Kodi, I guess it would be an even higher infection vector, in the sense that its raison d'etre IS to play movies (i.e. clips) that are not above board (i.e. from unknown sources). While there hasn't been much said about it, I don't think this is the first instance of a video managing to pw0n some system (thinking of Windows here).
But Kodi (formerly known as XBMC), or in some cases SPMC, damned well nearly relies on stagefright to work. Assuming you wanted your movies to actually work.
'Cause VLC would as likely as not also rely on the Stagefright CODECs for videos to actually work... Since it's actually part of the Android/Linux system, and would NOT otherwise be included with Kodi or VLC, it's hardly like we could expect them to fix it for us. I'd imagine a patch in and of itself wouldn't take the world to fix... But getting that patch out to everyone who needs it is. Google need to have a rethink about how to bypass the OEMs to allow those who need security patches to then actually get them... FAST!
Then again... With no credible third mobile OS out there, they still have time... I suppose. And NO, WinPho is in my book anything BUT credible... As bad as Android might be, I'd still have it over WinPho every time. This just makes me wish that the Ubuntu Phone was a bit closer to reality now though.
That workaround might block one attack vector, but note the vulnerability is in Stagefright - Android's media playback engine. Hence I wonder whether the attack merely needs to get the user to run a suitably crafted video using a viewer that uses Stagefright. The use of MMS is obviously concerning because of the various under-the-hood (i.e. not visible to the user and out of the user's control) actions that can be automatically triggered via MMS.
Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:
media.stagefright.enable-player=false
(Root is required to modify build.prop)
Do NOT do this until further research is done. Users on XDA are reporting that disabling Stagefright in this way can result in an unrecoverable boot loop.
Can you post a link to this discussion? I have already disabled several stagefright booleans in my build.prop and rebooted without issue.
I have found these two references on boot-loop problems disabling the stagefright booleans in build.prop:
http://forum.xda-developers.com/showpost.php?p=62069940&postcount=8
http://forum.xda-developers.com/showpost.php?p=62073754&postcount=18
The user in the final post did not preserve ownership/permissions on the build.prop file. His boot-loop had nothing directly to do with disabling stagefright.
I used the busybox vi editor with an external keyboard to change my build.prop, obviating this issue.
I have seen no clear evidence that disabling stagefright will harm the Android OS if done correctly and with care (YMMV).
Here are additional resources:
http://fkwon.blogspot.com/2011/05/android-toggle-stagefright.html
---
https://github.com/CyanogenMod/android_frameworks_av/commit/57db9b42418b434751f609ac7e5539367e9f01a6
"from (previous) git entry I would suspect meta data parsing errors.
so in /system/boot.prop (root required)
[code]
media.stagefright.enable-meta=false
media.stagefright.enable-scan=false
[/code]
However, one cannot be sure about this."
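The posts above keep coming back to two things: which media.stagefright.* booleans to flip in /system/build.prop, and the XDA boot loop that turned out to be a build.prop written back with the wrong ownership/permissions. The script below is an added example, not code from the thread or from Android; it edits the file in place so the original inode (and therefore root:root 0644, the stock mode, which is an assumption about your ROM) is kept, takes a backup with cp -p, and checks the mode before you reboot. The property names are the ones quoted in the thread; the /system/build.prop path and the remount command are the usual ones and are assumptions. It is a mitigation for the MMS auto-fetch path discussed here, not a patch for the parser bugs, and, as the Kodi/VLC posts note, it may break media playback.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root on the device:
#   adb shell
#   su
#   mount -o remount,rw /system      # assumed: system partition is /system
#   . /sdcard/stagefright_prop.sh
#   backup_prop /system/build.prop
#   disable_stagefright /system/build.prop
#   check_perms /system/build.prop && reboot
set -eu

# file_mode FILE: print the octal mode (GNU/BusyBox stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# backup_prop FILE: cp -p keeps owner and mode, so the backup can be
# copied straight back if the ROM misbehaves.
backup_prop() {
    cp -p "$1" "$1.bak"
}

# get_prop FILE KEY: print the current value of KEY (empty if unset).
get_prop() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# set_prop FILE KEY VALUE: replace an existing "KEY=..." line or append one.
# The new contents are written back with `cat > FILE`, which overwrites
# the existing inode; `mv tmp FILE` would replace it with a file owned by
# the shell user and typically mode 0600, which is the boot-loop pitfall
# reported on XDA.
set_prop() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# disable_stagefright FILE: the booleans named in the thread.
# enable-record is deliberately left alone, as the poster above chose to do.
disable_stagefright() {
    set_prop "$1" media.stagefright.enable-player false
    set_prop "$1" media.stagefright.enable-meta false
    set_prop "$1" media.stagefright.enable-scan false
}

# check_perms FILE: refuse to proceed to a reboot unless the mode is
# still 0644 (assumed stock value for build.prop).
check_perms() {
    [ "$(file_mode "$1")" = 644 ]
}
```

If check_perms fails, fix it with `chmod 644 /system/build.prop` and `chown root:root /system/build.prop` (or restore the .bak with `cat`) before rebooting; remount /system read-only afterwards with `mount -o remount,ro /system`.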
That's about as useful as saying that gangrene can be taken care of by any competent surgeon.
Sure it can. You know how many competent surgeons, exactly?
The scale of this issue is such that EVERYONE needs a solution, not just the competent programmers.
If solutions were only made for competent programmers, the IT industry would have been dead in the water 20 years ago.
Since stagefright seems to be what android uses for hardware accelerated decoding I would imagine that the attack vector isn't that important. MMS is what makes it automatic since it appears to bypass any user interaction but I expect an attack could be done with email or facebook and most security unconscious folks would be happy to "Watch this video, it's sooo funny, LOL" if sent from someone they befriendified (if that's a word) online.
I would think it is technically possible to inspect and filter at the carrier level for this kind of thing, since this is processed through their systems (and not some random web page or email or something).
Maybe they don't have this capability; if not, not a bad ability to have.