Android the "open source" OS. Samsung are amazing.
How to hijack MILLIONS of Samsung mobes with man-in-the-middle diddle
Samsung smartphones can be hijacked, infected with malware, and remotely controlled by malicious Wi-Fi hotspots in cafes, hotels, and so on, security researchers claim. According to the bods at NowSecure, millions of handsets have a remote-code execution vulnerability that is a software design flaw. One workaround is to avoid …
COMMENTS
Friday 19th June 2015 00:22 GMT Ian Joyner
It's easy - mobile devices are end-user devices. They should be locked down. Apple gets this right.
If you want to program to your heart's content, buy a general-purpose computer. That's what I do if I want to program at that level. I have programmed at that level and even lower:
http://www.textfiles.com/bitsavers/pdf/burroughs/B1700/MIL_MicroImplementationLang.pdf
I don't need to program a specific-purpose device for that thrill. The only people that want that level of control are malicious hackers.
Wednesday 17th June 2015 03:44 GMT psyvenrix
frame the issue
as an easy way to root a Samsung Android device. That would be more likely to make Samsung patch it - 'people being insecure? who cares' vs 'people being able to strip our valued partners' value-add bundled apps? - HALT EVERYTHING UNTIL THIS IS FIXED!'.
Pity this is a race between malicious users and the owner to use this exploit, either for good or for evil.
Wednesday 17th June 2015 19:12 GMT Charles 9
Re: frame the issue
"Just block the domain on your home router?"
Doesn't make sense to block it on the home router. At least YOU have control over it (and if it's pwned, you're screwed anyway since they can poison the DNS lookups).
No, it's best to edit it on the device itself so it doesn't matter where it goes. Since local lookup takes precedence over DNS, editing the hosts file trumps poisoned DNS. Only a direct IP number can beat that, and blocking the update route catch-22's that.
Wednesday 17th June 2015 18:55 GMT Ken Hagan
Re: frame the issue
"Except they probably won't update the 4 or 5. They'll just declare those EOL and their users SOL unless they change over to the 6."
At least in the UK, I'm pretty sure you can't declare EOL for a device that you are still selling.
But, no, I don't expect them to update anything until a court rules (generally, I'm not picking on Samsung here) that a mobile phone *has* to get security updates for at least 5 years after it is finally withdrawn from sale because it isn't fit for purpose unless you can safely connect it to the network.
Wednesday 17th June 2015 19:15 GMT Charles 9
Re: frame the issue
"At least in the UK, I'm pretty sure you can't declare EOL for a device that you are still selling."
They'll just stop selling them, period. No longer a problem. And they'll argue that since they're no longer selling it, they can't be expected to continue defending them against essentially moving targets: caveat emptor.
Wednesday 17th June 2015 07:39 GMT Pascal Monett
Wait a minute
"The update process runs with system-level access. It unpacks the ZIP file without checking the paths of the files inside, and with full read-write permissions on the device's file system."
Um, is there a "malicious file" that uninstalls all the bloody crap that Samsung throws in on top of the stuff I need ?
Because if that's the case, tell me where to go and I'm there.
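The flaw quoted in the comment above, an update ZIP unpacked with system privileges without checking the paths of its entries, is the classic archive path-traversal bug. As an added example (not code from the article, NowSecure, Samsung or any commenter), here is a Python extractor that validates every entry before writing anything and refuses the whole archive if any entry would land outside the destination; the sample archives are constructed inline.

```python
import io
import os
import tempfile
import zipfile

def is_safe_member(name: str) -> bool:
    # Reject empty names, absolute paths, Windows drive prefixes and any '..' part.
    norm = name.replace("\\", "/")
    if not norm or norm.startswith("/") or ":" in norm.split("/")[0]:
        return False
    return ".." not in norm.split("/")

def safe_extract(zip_bytes: bytes, dest: str) -> list:
    # Extract only if every entry resolves inside dest; returns the names written.
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        # Pass 1: validate the whole archive before touching the file system.
        for info in members:
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if not is_safe_member(info.filename) or \
               os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"rejected unsafe entry: {info.filename!r}")
        # Pass 2: write, now that no entry can escape dest.
        written = []
        for info in members:
            target = os.path.join(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written

def build_zip(entries: dict) -> bytes:
    # Build an in-memory archive from {name: bytes}; used for constructed samples.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a clean language pack and one carrying a traversal entry.
GOOD_ZIP = build_zip({"lang/en.dat": b"ok"})
BAD_ZIP = build_zip({"lang/en.dat": b"ok", "../../outside.txt": b"x"})

def run_demo() -> tuple:
    # Returns (names written from GOOD_ZIP, error text for BAD_ZIP, bad dest untouched?).
    with tempfile.TemporaryDirectory() as d:
        good = safe_extract(GOOD_ZIP, os.path.join(d, "good"))
        bad_dest = os.path.join(d, "bad")
        os.mkdir(bad_dest)
        try:
            safe_extract(BAD_ZIP, bad_dest)
            err = ""
        except ValueError as e:
            err = str(e)
        untouched = os.listdir(bad_dest) == []
    return good, err, untouched
```

The two-pass structure matters: rejecting the archive after some entries have already been written with system privileges would leave a partially applied update behind.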
Thursday 18th June 2015 16:05 GMT Michael Wojcik
Re: The Fix
Out of curiosity (my phone isn't one of the ones mentioned, and doesn't appear to have Swiftkey), I tried adding that to /etc/hosts using Terminal - my phone's rooted - but the root filesystem is mounted read-only, so I couldn't change it directly using the shell.
Haven't bothered trying to remount the filesystem or anything like that. I haven't spent any time learning about Android hacking; one of those things I might get into if I ever have any spare time. (I have Terminal installed because a computing device without a command line makes Baby Jesus cry.)