Knock Knock
And so another back door becomes a front door.
Half a billion Android phones could have data recovered and Google accounts compromised thanks to flaws in the default wiping feature, University of Cambridge scientists Laurent Simon and Ross Anderson have claimed. The gaffe apparently allows tokens for Google and Facebook, among others, to be recovered in 80 per cent of …
@AC
Not sure I follow your logic. Seemed to be:
"The boffins only spent their time scrutinising what is BY FAR the market leader, ignoring all the others. Therefore we should all pretend that NSA's Redmond's obscure little offering is secure"
Did I get that about right?
A sort of obscurity is security argument?
Tit.
"It is unknown how Android versions above 4.3 are affected. Google has been contacted for comment."
I think it will go along with the lines:
"It's fixed in the latest version. We are not going to fix any phones prior to this version"
Granted it will be about 200 words longer, but that will be the general line.
"It's fixed in the latest version. We are not going to fix any phones prior to this version"
Granted it will be about 200 words longer, but that will be the general line.
I'd be very careful with that, this involves Ross Anderson. The almost immediate response could be "no it isn't, here is evidence". If Ross Anderson tells you you have a problem, you first best check exactly how deep you're in it with Ross before you make any public statements, the man has an almost pathological aversion to bullshit.
Which is why I like him.
Bullshi-- here, bullsh-- there, bullsh-- EVERYWHERE bullsh--! 'Ol McDonald had a Server Farm e-i-e-i-o....
And, this will get Google to change its mind, and suddenly go 'round digging in the Vaults to fix this? lol I don't believe it.... You know what I believe EVEN LESS?! Assuming for just One second your Guy actually WAS that good... And, Google actually wanted to do something to fix this... (They won't BTW!), But, in an otherwise 'finite Universe, had they actually wanted to... And, had fixed this.... The OEMs will have been too busy flogging their M9's, S6's, Nexus 6 etc... etc... to care.
This said, when I picked up a second hand Galaxy Tab a few years ago, it was literally filled with all kinds of nasty... if slightly arousing things. Sadly, before I thought to back any of it up, I had performed a complete Device wipe before installing what was CM9 at that time on it.
I was under the understanding that the last owner had enough sense to perform a Factory Reset, if only to protect his Accounts.
But, I really do NOT expect this is something that's ever gonna change ever!
*To clarify that last statement... When I said I had done a complete Device wipe... I was referring to the Format functions under Samsung's Odin Flasher, and not the one inside the 3e Recovery. Which on that note... Why the HELL doesn't Google buy up TWRP, and make that the mandatory recovery?!
It's especially pleasant to see him moving his work outside the financial sector again. Further reading:
https://www.lightbluetouchpaper.org/
I do hope he (his department?) has good lawyers.
Meanwhile, safety critical aircraft systems on your list, please sir, when you have a moment.
"It's fixed in the latest version. We are not going to fix any phones prior to this version"
But to be fair, is there much point in fixing it in the old versions? It isn't like an OTA could be sent out to all phones to update it so the manufacturers and carriers would need to do the update and if they were going to go to all that trouble of writing the core files into their customised version, testing and delivering it then they would just update to the latest version anyway which is designed to work better on older devices (although that's debatable).
The main way to get a security fix is to get the latest version installed; it's the same with pretty much every system we run outside of Windows and Linux (e.g. all our phone systems, copiers, embedded systems, switches, routers etc).
Unless a way is found to upgrade the core Android OS directly from Google without requiring the handset or carriers to get involved - which I can't ever see happening, then updating older versions is not effective. You just need to flash a custom rom with the latest version.
" so the manufacturers and carriers would need to do the update"
Ideally they should be legally required to under consumer protection legislation. For Google it'd be a reminder "don't be incompetent" when coding, and for the carriers it'd be a welcome headache that might eventually persuade them to stop the nonsense of custom skins and bloatware.
Outside of the warped reality space of the carrier's marketing departments, I don't believe a single person on Planet Earth wants their new phone to be soiled by the carrier's logo, or the memory they've paid for to be filled with unremoveable but often barely functional bloatware, but it is specifically these undesired features that seem to be a barrier to fixing this.
The obvious solution (short of rooting and SIM free purchase) is for the handset makers to offer their nearest-to-vanilla versions of Android directly to consumers. The carriers could still skin up the phones before sale if they're so desperate, but then they'd have to add some real value with that to keep it on people's phones.
"But to be fair, is there much point in fixing it in the old versions? It isn't like an OTA could be sent out to all phones to update it so the manufacturers and carriers would need to do the update and if they were going to go to all that trouble of writing the core files into their customised version, testing and delivering it then they would just update to the latest version anyway which is designed to work better on older devices (although that's debatable)."
That doesn't seem to stop Apple, who managed to backport full-disk encryption and make it available for every device sold in the past few years as part of their regular update process. It wasn't *ooh* *whimper* sooo *sniff* haaaaaard *sob* like it was for Google. It's a core OS function that isn't dependent or reliant on manufacturer customizations, and should be updatable.
"That doesn't seem to stop Apple, who managed to backport full-disk encryption and make it available for every device sold in the past few years"
The Apple iPhone range is tiny compared to the range of Android hardware available. What's possible for Apple on a small range of standardised hardware is much harder when applied to the full Android range.
"It's a core OS function that isn't dependent or reliant on manufacturer customizations, and should be updatable."
Not a great comparison really, Apple only have one hardware platform, Android has 1000s.
Also Apple don't allow anyone else to use their OS, so again, it's easy for them.
Google could release an update for 4.3 but the carriers will not spend money on a re-compile and release anyway.
I have been banging on about this for yonks, see posts passim. Even if the damn thing is successfully wiped it is easy enough to recover the data and just involves playing around with coercivity and drilling down.
The only person I ever met who understood this fully was an Irish builder. He said to me "I need a new hard drive". I said this one is fine. He then said "I need a new hard drive", at which point I understood and swapped the server drives.
In other news, Carl Icahn is urging Apple to do more with its money.
Personally, I'm OK with them not doing more - it means they're less subject to external pressures to go stupid.
It's a process....
If you factory reset your phone, then SIDELOAD one of the above apps (I have used iShredder) then the app can overwrite the freespace on the main partition. Then remove the app, or factory reset again.
That's what I did with my Nexus 4.
I also set up Google on my phone via an OTP, Facebook to use 2FA, and logged both devices out/revoked the OTPs when clearing down the phone.
Admittedly these are things the 'average' user won't do, so the secure wipe should be fixed, but there are things you can do without root to make yourself a bit more secure when handing on a device.
If you factory reset your phone, then SIDELOAD one of the above apps (I have used iShredder) then the app can overwrite the freespace on the main partition. Then remove the app, or factory reset again.
I'm kinda short on downvotes, so I'm going to suggest a quicker alternative: get an iPhone :)
But I haven't figured out how someone buying an iPhone will help them to scrub their googlephone.
By not having the problem in the first place. Later versions of iOS (v7 and later) did a damn good job of creating secure storage in the device and zapping it on delete by using very established and proven cryptographic principles and providing enough hardware support for it to actually be of value.
I think Google can fix this in newer versions of Android, but it will have to insist on some of that same hardware that's a default part of iPhones to make that secure. After that it's a matter of structure: if the OS can be made clearly independent of the telecomms provider and manufacturer by making those theme layers on top of the OS instead of deep changes inside, you end up with a structure you could actually maintain. However, I have the distinct impression that Google doesn't really want to have that in place, and given what they make money from, that doesn't surprise me in the least.
I can't really see Google choosing for the customer in the clear conflict of interest here...
Not sure how serious your statement was, but an OS using full disk encryption, like iOS or Windows with Bitlocker enabled, simply has to dispose of the key and any data written on the partition(s) protected by it is instantly and permanently inaccessible.
I would assume that while Google probably implemented this in Android, it wasn't the default because in order to support it across a wide range of hardware capabilities they couldn't be sure that every device would possess hardware able to support FDE. Whatever Android version made or will make FDE a requirement is the minimum one you'd have to be on to be safe from this, because you can't trust OEMs to care about stuff like this.
When you delete all content and settings on an iOS device all it does is erase the encryption key - it doesn't actually erase anything. Good enough you might think, but with things as they are in the infosec business I'm sure there are some working on a way of getting around this.
There is no conceivable way around this. You either have to be able to perform an attack against the encrypted data, which is a problem for everyone using AES if there is such an attack, or you have to have possession of the device before the key is erased. There are methods to get the key off similar products such as Bitlocker, by booting the device into Linux and dumping the memory contents during early boot. You can't do that against iOS but with enough (read a LOT of) resources you probably could find a way to do something like that.
But the important thing to note here is that you'd have to have my phone BEFORE I wipe it. Once I wipe it, you can't get squat from it. The article is about weakness in Android's erasure - so everyone who did a factory reset before selling/giving away their old phone potentially gave away their data (to the 0.0001% of people who would care to try this against a random phone they bought second hand)
Not only that, but on devices with A7 and higher CPUs the encryption keys are held in a special memory block on the CPU die itself with no direct read/write access from outside of the chip. Also, for anything running iOS 8+ (iPhone 4S+, iPad 2+) full-disk encryption is mandatory. It's there, and there's no way to disable it.
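The two reset models argued over in the comments above (a reset that only clears filesystem bookkeeping and leaves the cells readable, versus a crypto-erase that disposes of the key and never touches the ciphertext) can be shown side by side. The following Go program is an added illustration, not code from this thread or from Android or iOS: the flash partition is a constructed byte slice, the per-device key is a slice we zero in software rather than a key held in a SoC, and AES-GCM stands in for whatever storage cipher a real platform uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// flash is a constructed stand-in for a handset's raw user-data partition
// (no wear levelling, no over-provisioning). used is the filesystem's notion
// of allocated bytes; the cells themselves outlive that bookkeeping.
type flash struct {
	cells []byte
	used  int
}

func (f *flash) write(data []byte) { copy(f.cells, data); f.used = len(data) }

// residueVisible is what a carving tool sees: raw cells, allocated or not.
func (f *flash) residueVisible(secret []byte) bool { return bytes.Contains(f.cells, secret) }

// NaiveResetLeavesResidue stores a token in clear, does a reset that only
// clears filesystem metadata (the behaviour the thread is about), and
// reports whether the token still survives on the raw flash.
func NaiveResetLeavesResidue(token []byte) bool {
	f := &flash{cells: make([]byte, 4096)}
	f.write(token)
	f.used = 0 // "factory reset": metadata gone, cells untouched
	return f.residueVisible(token)
}

// fdeDevice models a handset whose user data is encrypted under a per-device
// key. On an iPhone that key sits inside the SoC; here it is a slice we can
// zero, and zeroing it is the entire "erase all content" operation.
type fdeDevice struct {
	key  []byte
	disk *flash
}

func (d *fdeDevice) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(d.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// store encrypts token with AES-GCM and writes nonce||ciphertext||tag to flash.
func (d *fdeDevice) store(token []byte) error {
	gcm, err := d.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	d.disk.write(gcm.Seal(nonce, nonce, token, nil))
	return nil
}

// load decrypts whatever is on flash with the key the device holds right now.
func (d *fdeDevice) load() ([]byte, error) {
	gcm, err := d.aead()
	if err != nil {
		return nil, err
	}
	raw := d.disk.cells[:d.disk.used]
	if ns := gcm.NonceSize(); len(raw) >= ns {
		return gcm.Open(nil, raw[:ns], raw[ns:], nil)
	}
	return nil, fmt.Errorf("nothing stored")
}

// cryptoErase destroys the key and nothing else; the ciphertext stays on flash.
func (d *fdeDevice) cryptoErase() {
	for i := range d.key {
		d.key[i] = 0
	}
}

// CryptoEraseOutcome stores token under FDE, checks it reads back, zeroes the key,
// then reports (plaintext visible on raw flash, data still decryptable).
func CryptoEraseOutcome(token []byte) (residue, recoverable bool, err error) {
	d := &fdeDevice{key: make([]byte, 32), disk: &flash{cells: make([]byte, 4096)}}
	if _, err = rand.Read(d.key); err != nil { // AES-256 key, made on first boot
		return false, false, err
	}
	if err = d.store(token); err != nil {
		return false, false, err
	}
	if got, err := d.load(); err != nil || !bytes.Equal(got, token) {
		return false, false, fmt.Errorf("round trip before erase failed: %v", err)
	}
	d.cryptoErase()
	_, err = d.load()
	return d.disk.residueVisible(token), err == nil, nil
}
```

Running `NaiveResetLeavesResidue` on a constructed token returns true: the bytes are still in the cells and a raw read of the partition finds them. `CryptoEraseOutcome` on the same token returns residue false and recoverable false: the ciphertext is still physically on the flash, exactly as the comment above says, but with the key zeroed the AEAD tag check fails and nothing short of breaking AES gets the plaintext back. The cell-level behaviour of real eMMC (remapped blocks, spare area) is outside this model.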
MS has committed to provide free updates for all major software for 10 years. The phone manufacturers haven't been allowing and/or pushing updates for phones past 1-2yrs, even in the rare instances the code has been updated. How is that equivalent to your mind?
Windows has committed.
Google has not. There's nowhere where you buy a phone where people say that they are going to be giving you free software updates. Apple doesn't, Google doesn't, Blackberry doesn't, heck, even Windows Phone doesn't.
Why the expectation for them to?
Computers are being used for longer, there are still people using windows 98 and windows XP. Just because their systems are vulnerable should they go screaming at the media? Even after the support window has expired?
Windows has committed
You mean Microsoft. Oh really? Nonsense, they haven't - none of them have. The only commitment you have from Microsoft is that they will SELL you a new version when they get bored with sending updates or it becomes too obvious it really cannot be rescued (Vista immediately comes to mind here, or the upgrade to TIFKAM).
Google doesn't care one way or the other or they would have modelled the platform in such a way that customisations are layered on top instead of affect core code so that updates and OEM custom layers would not get in each other's way. But Google doesn't care - it goes for volume, and you get to volume by being cheap.
Apple has a decent update frequency in iOS and OSX, but could do with a lot more transparency. The main gripe I see people have is that new updates don't work on old hardware, but if you didn't expect that from the only IT company that makes a good margin off hardware instead of a wafer-thin edge over costs you need your head examined.
To me, this article is similar to one that says, "File deletion fails in all versions of Windows and Linux because deleted data can still be recovered in 90% of cases." Yes, we knew that. It's because the file delete function was never *intended* to prevent data from being forensically recovered.
Similarly, unless the manual clearly states otherwise, I have always expected a "factory reset" operation to behave similarly to a "file delete" operation, in that it makes the phone *appear* to the normal user to be the same as when first sold, but I have never assumed that it did so by *wiping* any data, any more than a re-install of the OS will get rid of data you have on your laptop's HDD (which is surely analogous to a "factory reset").
In fact I would not even assume that data held on a user-supplied SD card will be deleted or made inaccessible, because that card was not a part of the system when it left the factory. (Though I would not assume that it will *not* be deleted either).
"It isn't like an OTA could be sent out to all phones to update it so the manufacturers and carriers would need to do the update and if they were going to go to all that trouble of writing the core files into their customised version, testing and delivering it then they would just update to the latest version anyway which is designed to work better on older devices (although that's debatable)."
Well, maybe, but I've had a few phones that due to the unusual radio files (Samsung Stratosphere for example had a Via -- yes Via, not Qualcomm... Via CDMA/EVDO/GSM chipset and Samsung LTE chipset), so if you evaded Samsung's lame firmware lockdown and put a newer kernel on, the radio files would absolutely not work with it. The Stratosphere II I have now has a more normal radio but a similar situation. It's pretty common to see on Cyanogenmod forums and the like that some devices will run a newer kernel, but with no radios. I doubt Samsung'll update either of these phones at all, but if so I'll be shocked if it gets anything other than a "x.x.(current +1)" update, or a vendor implemented patch.
"That doesn't seem to stop Apple, who managed to backport full-disk encryption and make it available for every device sold in the past few years as part of their regular update process. It wasn't *ooh* *whimper* sooo *sniff* haaaaaard *sob* like it was for Google. It's a core OS function that isn't dependent or reliant on manufacturer customizations, and should be updatable."
Apple didn't backport full-disk encryption to older iOS versions, they made sure iOS was installable on somewhat older devices. Not the same thing at all. Also, Apple only ships a handful of models of phones. For vendors that follow Google's recommendations (i.e. not too many nasty hacks and binary blobs), if the vendor doesn't bother to release updates, CyanogenMod does. I really would prefer if all vendors at least made it so CM could release functional updates. If you do want to make sure to actually get updates, there are several lines of Android devices that do actually receive official updates for a guaranteed length of time.
So what's the real problem here?
The stupid yuppie marketing model by which western rich gits treat new-spec phones as having a one-year use period before sending them on for resale / reuse elsewhere.
It's not a fault with the phones - past experience with computers should be enough to show that anything is potentially recoverable given the right tools. The problem is with the mindset. Anyone with a brain who sends a PC on for resale or scrap shreds the drive - either physically or with a third party electronic tool such as DBAN. Why should a phone be treated any less differently? Especially when solid-state drives are a lot harder to nuke than a "real" hard drive.
The answer is......stop treating phones as disposable fripperies. Keep them and use them until they're knackered and then take the hammer and shredder to them. Get your money's worth from them, then destroy them. DON'T sell them on.
Given that for many people the phone has become the primary computing device, including banking and other financial type transactions, it's really a pretty serious problem that it can be nearly impossible to get the OS updated.
My guess is that sooner or later someone - Google, carrier, manufacturer, maybe all three - is going to get clobbered with a massive lawsuit alleging significant negligence in not providing timely and easy security updates.
I have seen this first hand on two used phones I purchased. I did not even have to use extensive methods to see the previous owner's content. I tried the factory reset a couple of times and the content remained. Same for my phone I was replacing. I used a custom recovery's wipe function and the content was no longer visible. I do not know if the content was actually removed or not.
I do know that some older Samsung Galaxy S2's will brick if the eMMC secure erase function is called due to another bug. Other models and makes of the generation may have the same bug.
Kinda funny, I recently read something about how solid state storage can lose data over varying periods in a non-powered state. I guess it's a matter of losing data when you want to keep it and data persisting when you want to lose it. Seems normal.
It's not hard. Just pretend you are a normal, rational human being and use the phone until it doesn't work anymore. At that point, it's worthless, throw it away. (Or destroy it in any manner you please if the data matters enough.) Along the way, you've saved enough by not buying unnecessary new dorky consumer tech-head gear every few months to treat yourself to a holiday at the destination of your choice.