Are you afraid? Well, you should be.

by Volker Weber

Stagefright, the yet-to-be-published Android weakness, will let baddies infect your device. It's already happening. And you have zero defense if you rely on your vendor. Google has fixed the Nexus 6 and so has CyanogenMod. But none of the OEMs has. Samsung, LG, Lenovo, Huawei, Asus, HTC, Sony, Motorola, Oppo, ZTE ... And BlackBerry?

This points to a much bigger problem. The Android market works by cranking out thousands of devices per year, most of them quickly abandoned. There is no way, no way, you could fix them all. Disaster will strike, if not this time, then later.

Feeling safe on your Windows Phone? Maybe you can, because nobody writes for Windows Phone when there is a bigger target. But if there is an exploit, how long do you think Microsoft needs to roll out an update?

Comments

On BB10 the Android SMS system isn't used, instead the stock BB10 app is loaded anytime for SMS/MMS interactions. You'd really have to go out of your way to force use of the Android SMS/MMS system in order for it to work - http://forums.crackberry.com/blackberry-10-os-f269/stagefright-problem-android-affect-blackberry-runtime-1031981/

David Guillaume, 2015-08-05

I'm afraid that is not the only attack vector. See my link from the top.

Volker Weber, 2015-08-05

A while back, Microsoft's Gabe Aul was a guest on TWiT's Windows Weekly podcast, and he spilled that it takes them about a week to stage an upgrade for Windows Phone on their servers. Because they need to create a software image for each model and variant, and then distribute those images across their update servers.

There you have it. About a week, without development and testing - and without involving the carriers. (There are rumors that with Windows 10 they want to cut out the carriers from the upgrade process - I'm curious how that goes...)

Max Nierbauer, 2015-08-05

Microsoft has a track record of how long it takes them once they "start rolling out". It's best counted in months.

Volker Weber, 2015-08-05

No, I don't think the BB10 Android emulator is affected. I've been trying to get it to trigger and have not been successful. The Android runtime is sandboxed, and the memory management facilities are NOT the same that Android itself uses. We have to wrap a lot of extra code around all of these functions due to "issues" with the Android permissions options (or lack thereof).
My tests seem to show that any attempt to force the overflow of allocated memory simply terminates the app in question. Which of course releases all the memory allocated to said app/sandbox.
I'm not saying that BB10 is not affected... I just haven't been able to affect it. All my attempts simply caused the runtime to abort without triggering anything.

Dragon Cotterill, 2015-08-05

Thanks, Dragon. That is VERY good to know. @all, Dragon works in the belly of the beast. ;-)

Volker Weber, 2015-08-05

It's not only Android that has nasty vulnerabilities. How long will Apple need to fix this one?
http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/

John Keys, 2015-08-05

Every platform has issues, but the tell-tale here is how the issues are dealt with and fixed (or not).

The stagefright vulnerability is serious, widespread, and can be triggered remotely. All together should be of great concern.

We need folks to understand how the carriers and manufacturers are actively working to *screw* Android users by ignoring serious security issues if a phone is older than a year or two.
This is a big issue and Stagefright is an excellent proof case for how the Android security update process is BROKEN. As has been said, it seems the only way to fix security issues with Android is to buy a new phone every time a bad vulnerability hits. *THAT's* got to stop.

Craig Wiseman, 2015-08-05

Interesting recent article about this that explains the dilemma Android (and Windows) phone users have to deal with: http://motherboard.vice.com/read/goodbye-android

Amy Blumenfield, 2015-08-05

Exactly my point, Craig. I think we need one fire before people wake up.

John, look, a squirrel. ;-)

Volker Weber, 2015-08-05

I agree the Stagefright situation is unusually bad, and that Google has a huge problem with fragmentation of Android and enforcing upgrades has been discussed a lot over the past years (nice chart here: http://thenextweb.com/insider/2015/08/05/this-is-what-android-fragmentation-looks-like-in-2015/), but to implicitly assume that Apple will fix similar problems quickly just isn't true, in my opinion.

Apple have plenty of history of being slow to fix vulnerabilities in a timely manner in the past.

John Keys, 2015-08-05

John, the difference is quite easy to see, if you try.

Volker Weber, 2015-08-05

Dragon,

I am glad to hear that because I am planning to switch back from Android to Blackberry very soon. The question is Passport or Classic.

Richard Moy, 2015-08-05

For Windows, I really hope that the shift to Windows 10 does make a difference. The codebase is widely the same, hence vulns but also fixes are. So this could make the difference.

Hubert Stettner, 2015-08-05

Richard, you cannot go from Android to Classic. The screen is too small. Passport.

Volker Weber, 2015-08-05

Volker, I presume you are referring to the size of the problem? Is there really much difference between 1 billion vulnerable Android devices now and 1 billion vulnerable Win XP systems, which is roughly how many copies of XP are supposed to have been installed at the peak of its use, and which was continuously vulnerable to one threat or another?

Quite honestly (although I don't have an Android phone) I wouldn't be too worried as an end user - the hackers have such a big pool of potential victims, that in both cases, the majority will not suffer serious consequences.

Sorry if I'm completely off beam, in that case I am obviously just having a bad hair day today.

John Keys, 2015-08-05

Recent breakdown of Android fragmentation: http://opensignal.com/reports/2015/08/android-fragmentation/

Amy Blumenfield, 2015-08-05

You are still looking elsewhere, John. The elephant is right in front of you. ;-)

Volker Weber, 2015-08-05

Open my eyes, please Volker. Put me out of my misery! Today I am thick...

John Keys, 2015-08-05

iOS has one master. Windows XP had one master. Android has more than a thousand.

Volker Weber, 2015-08-05

Actually, the Windows XP example is very apropos.

One OS maker, many hardware vendors who tend to want to tweak the OS on their hardware. Many masters, one Master.

What happens when a vendor like Samsung tries to treat Windows like they treat Android?

http://arstechnica.com/security/2015/06/samsung-promises-to-stop-disabling-windows-update/

Craig Wiseman, 2015-08-05

Nearly all the 1000 masters will have fixed the problem within the next few months - fortunately they like to sell their devices with the latest and greatest version of Android, which Google says is now fixed.

And unlike PCs, the majority of users replace their smartphone every two years because of the 2-year contract cycle practiced by many providers. So yes, it's a big problem now, but it will largely solve itself over the next two years. I don't know many people using a 2-year old smartphone - screens break, fashions change, contracts run out...

John Keys, 2015-08-05

*embarrassed*
I will quietly put my 2.5 year old phone in my pocket and hope no one notices.

Craig Wiseman, 2015-08-05

Sorry Craig! :-)

John Keys, 2015-08-05

Why these discussions always turn into a platform pissing match, I have no idea. It’s not about that.

There has been oodles of press about Thunderstrike 2, and rightly so. Some of the attack vectors have been fixed, others are wide open. So that’s that. Nasty.

Now let’s move on to something that has had far, far less coverage: the Stagefright vulnerability. This can hit any Android device, likely will never be fixed on older devices, and its fix relies on various carriers picking up the code, incorporating it into their OS version and delivering it.

That is a nightmare situation, regardless of one’s platform affiliation. This has gone on since April, and even Google haven’t fully addressed it on the Nexus line yet (never mind the likes of Samsung, HTC, LG and co.)

Ben Poole, 2015-08-05

I bet nobody will care about. Why? The technicians will find a solution for them. Quietly. The execs find someone who catches the bullets and takes responsibility for this 'unpredictable event'. The masses mostly don't have the money to change their devices. Or the skill. Or both. Trained behavior will follow. Things that one can't change can be safely ignored.

Richard Kaufmann, 2015-08-05

Ben, I do know why. But I am not going into that direction.

Congrats. You seem to be one of the few capable of recognizing a nightmare situation when you see one.

Volker Weber, 2015-08-05

Why does it always become a pissing match? Because people invest emotionally in their technology (and music, and clothes, and (God knows) car) choices.

For many, it becomes more than a phone to make calls with or run apps, it becomes representative of the real *you*.

Why is the black Sonos better than the white or dual color one? No idea, but for some folks, the black one "goes to 11", just like the iPhone or Android "go to 11" for others.

Craig Wiseman, 2015-08-05

My Nokia 3110 is fine thanks.

Although they can be slow, Apple on the desktop and device (and BlackBerry on device) front have the easiest path ahead.

Imagine millions of cheap android phones in a country and they get crashed out or disconnected in a strike. That could be a nightmare scenario.

Paul Mooney, 2015-08-05

Why are carriers an issue for Samsung et al. but not for Apple? Market Power? Or why do carriers have to be involved at all to roll out updates/patches?

Joachim Bode, 2015-08-05

Yes. Apple pushes iOS updates as they please. All others depend on carriers as a sales channel. Apple also sells through carriers, but the relationship is different.

Volker Weber, 2015-08-05

Nice one. Stagefright has the potential to brick millions of phones within a few hours.

However, I guess that carriers are currently busy implementing filters to prevent the attack.

Timo Stamm, 2015-08-06

"At the Black Hat security conference in Las Vegas on Wednesday, Adrian Ludwig, Google's lead engineer for Android Security, said the researcher who discovered the Stagefright bug exaggerated the threat it posed to real-world users. More than 90 percent of Android phones have a security measure known as address space layout randomization, which is designed to significantly lessen the damage attackers can do when exploiting vulnerabilities. He also said less than 0.15 percent of Android devices that install apps exclusively from the Google Play market have any kind of potentially harmful app installed."

(http://arstechnica.co.uk/security/2015/08/google-pushes-update-for-critical-android-bug-but-wont-say-if-its-fixed/)

John Keys, 2015-08-06

Move along. Nothing to see here. That's why we do monthly security updates on our own devices now.

Volker Weber, 2015-08-06

ASLR on Android does not provide the same level of security as on other OSes like Linux, due to a tweak to make process spawning more efficient on mobile devices with limited resources. Google chose to use a "Zygote" master process with an already completely initialized VM and common libs already in memory. If a new process is needed, the Zygote process is simply duplicated, but without actually running through the complete memory allocation procedure. This reduces overhead and allows for copy-on-write, but leads to the issue that only the base addresses of the processes in memory are different, but the memory layout is the same for all processes, so libs etc. can be found on the same relative positions in the process address space, which makes an attack easier.

Detailed explanation: http://wenke.gtisc.gatech.edu/papers/morula.pdf

Carsten Lührmann, 2015-08-06
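
The fork-without-exec behaviour described in the comment above can be observed on any POSIX system. The following is an added example, not part of the original thread and not Android's Zygote code: it forks several children from one parent and compares the addresses each one sees. The function name and the choice of `printf` as the sampled library symbol are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Addresses one process observes: a libc symbol, a stack slot, a new heap block. */
struct layout { uintptr_t libc_sym, stack, heap; };

/* Fork n children from one initialized parent (the zygote pattern) and return
   how many report exactly the same addresses as the first child. */
int children_with_identical_layout(int n) {
    struct layout ref = {0, 0, 0};
    int marker = 0, same = 0;
    for (int i = 0; i < n; i++) {
        int fd[2];
        if (pipe(fd) != 0) break;
        pid_t pid = fork();
        if (pid < 0) { close(fd[0]); close(fd[1]); break; }
        if (pid == 0) {                 /* child: no exec, so no new layout */
            struct layout mine;
            mine.libc_sym = (uintptr_t)&printf;
            mine.stack = (uintptr_t)&marker;
            mine.heap = (uintptr_t)malloc(64);   /* allocated after the fork */
            close(fd[0]);
            _exit(write(fd[1], &mine, sizeof mine) == (ssize_t)sizeof mine ? 0 : 1);
        }
        close(fd[1]);
        struct layout seen;
        int ok = read(fd[0], &seen, sizeof seen) == (ssize_t)sizeof seen;
        close(fd[0]);
        waitpid(pid, NULL, 0);
        if (!ok) continue;
        if (i == 0) ref = seen;         /* first child is the reference */
        if (seen.libc_sym == ref.libc_sym && seen.stack == ref.stack &&
            seen.heap == ref.heap && seen.libc_sym == (uintptr_t)&printf)
            same++;                     /* also matches the parent's libc address */
    }
    return same;
}

int main(void) {
    int n = 5;
    printf("%d of %d forked children share one address-space layout\n",
           children_with_identical_layout(n), n);
    return 0;
}
```

A child created by fork followed by exec would instead receive a freshly randomized layout on a system with ASLR enabled, which is the step the Zygote design skips.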

On iOS the issue is though that older iOS versions (6.x, 7.x) are no longer updated and do not receive any updates. Thus e.g. an iPhone 4 will not receive any updates including security fixes.

Adalbert Duda, 2015-08-06

Thanks, Carsten, interesting read.

Adalbert, yes, iPhone 4S, which came out four years ago, is the oldest supported version of iPhone. Still very much unrelated to Stagefright.

Volker Weber, 2015-08-06

HTC has fixed the issue for their Android devices (One, Nexus, Desire). Even the models "older than 24 months".

http://htcsource.com/2015/08/will-your-htc-phone-receive-a-patch-for-the-stagefright-vulnerability/

My HTC One was successfully updated last night.

Sven Hasselbach, 2015-09-04
