Tightwads
$1,337, what a reward (apart from leet) for a bug that can affect a billion phones. What a bunch of tightwads!
Android smartphones can be secretly infected by malware smuggled in via video text messages, allowing criminals to sneak inside as many as 950 million devices. You just need to know a victim's cellphone number to silently inject malicious software in their vulnerable gizmo. Once infected, your mobe's camera and mic can be used …
Let me see, a vector that is present on every single Android phone in the market, cannot be stopped and can barely be contained, with the end game being complete control of all data on the phone for a billion potential users ?
I'd say one million US dollars would not be much compared to the cost of the PR disaster if this weakness had been discovered by malware users and exploited.
I'd say one million US dollars would not be much compared to the cost of the PR disaster if this weakness had been discovered by malware users and exploited.
PR disaster to whom? Goggle have a nice fix all ready, the blame for any infections will be firmly placed at the door of Vodafone/EE/SFR/Sprint/etc. who never ship upgrades after the first year or so. Agreed $1337 isn't much, but $1m is way over the top. Maybe $10K and a new Nexus phone?
Looking at the exploit market (there's a nice article on Bruce Schneier's blog today) it would be in the hundreds of thousands of dollars at a guess. An exclusive 0-day for the desktop is about $100-$150k. A generic unpatchable flaw for a billion phones - well perhaps $1 million isn't too fanciful after all.
Hopefully Microsoft will release a Windows Mobile installer for Android handsets via their work with Cyanogen, then at least there will be a more secure OS update option.
(From existing dual boot testing on the same hardware, we already know WM is faster and the battery lasts longer too.)
Article at NPR suggests the immediate removal of Google Hangouts:
http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text
"The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery... this setup invites the malware right in. If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says."
Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:
media.stagefright.enable-player=false
(Root is required to modify build.prop)
Wiping the MMSC,MMS proxy & MMS port APN fields *might* help, should stop it fetching any MMS body. No guarantees though and I'd bet on there being plenty of other ways to trigger stagefright badness.
There's simply no excuse for carriers and device manufacturers not being able to quickly push a dll update and nailing this. Won't happen without heavy handed regulation - or at least the threat of huge fines.
On some networks you can't receive MMS without first sending one, a large number of users might quite accidentally be protected because only hackers are likely to voluntarily use MMS today. That's assuming their SMS use didn't trigger conversion of long texts to MMS though.
Right:
- I have turned off MMS upload (never used the system anyway)
- I don't use hangouts
- I never installed Viber.
- Media playback by VLC
What else?
Why are you assuming that VLC... Is any safer than say Kodi?! Do you even know what Stagefright does?! Or would you just be assuming that its only something that gets installed along with Kodi?!
FYI -- Stagefright is the Hardware Acceleration CODECs needed by your Device in order to playback pretty much every Media File you have, and unless I'm missing my guess here... This shall also include such mundane things like *.mp3's.
So someone shall have to explain this one to me why VLC should be any safer than the next Player?!
I wonder how hard this would be to block at the MMSC end? Although we all know how much networks like to get off their arse and do something useful... They love acting as dumb pipes, but only when it suits them!
Oh well, given I haven't received an MMS in over a year, I just mangled the details in the APN... That should keep things safe... At least until an update arrives, which I expect won't be long on my Nexus.
I fear for the security of OEM devices though.
Later Slashdot commentary suggests disabling several more stagefright booleans in build.prop; I have only left the recording entry enabled, and even that may be a mistake. I am running Alliance on exynos; stock may have more concerns. I've survived several reboots with stage fright lobotomized.
Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:
media.stagefright.enable-player=false
(Root is required to modify build.prop)
Great so I managed to kill off stagefright.... How the Hell do I use my seemingly legit Kodi Install (Google Playstore), to watch stuff on my Phablet now?! Speaking about Kodi I guess it would be an even higher infection vector, in the sense, that its raison d'etre IS to play Movies (i.e. Clips)... Not above the board. (i.e From unknown sources). While there hasn't been much said about it. I don't think this is the first instance of a Video managing to pw0n some System. (Thinking of Windows here),.
But, Kodi (Formerly known as XBMC), or in some cases SPMC. Damned well nearly rely on stagefright to work. Assuming you wanted your Movies to actually work.
'Cause VLC would as likely as not also rely on the Stagefright CODECs to Videos to actually work.... Since its actually part of the Android -- Linux System, and would NOT otherwise be included with Kodi, or VLC... It's hardly like we could expect them to fix it for us. I'd imagine a Patch in-and-of-itself wouldn't take the World to fix.... But, getting that Patch out to everyone who needs it, is. Google need to have a re-think about how to bypass the OEM's to allow those who need to get Security Patches, to then actually get them... FAST!
Then again... With no credible third Mobile OS out there, they still have time.... I suppose. And NO WinPho... Is in my book anything BUT, credible.... As bad as Android might be.... I'd still would have it over WinPho every time. This just makes me wish that the Ubuntu Phone was a bit closer to reality now though.
That workaround might block one attack vector, but note the vulnerability is in Stagefright - Android's media playback engine. Hence I wonder whether the attack merely needs to get the user to run a suitably crafted video using a viewer that uses Stagefright. The use of MMS is obviously concerning because of the various under the hood (ie. not visible to user and out of user's control) actions that can be automatically triggered via MMS.
Anonymous commenter at Slashdot suggests modifying the following entry in /system/build.prop:
media.stagefright.enable-player=false
(Root is required to modify build.prop)
Do NOT do this until further research is done. Users on XDA are reporting that disabling Stagefright in this way can result in an unrecoverable boot loop.
media.stagefright.enable-player=false
Do NOT do this until further research is done. Users on XDA are reporting that disabling Stagefright in this way can result in an unrecoverable boot loop.
Can you post a link to this discussion? I have already disabled several stagefright booleans in my build.prop and rebooted without issue.
I have found these two references on boot-loop problems disabling the stagefright booleans in build.prop:
http://forum.xda-developers.com/showpost.php?p=62069940&postcount=8
http://forum.xda-developers.com/showpost.php?p=62073754&postcount=18
The user in the final post did not preserve ownership/permissions on the build.prop file. His boot-loop had nothing directly to do with disabling stagefright.
I used the busybox vi editor with an external keyboard to change my build.prop, obviating this issue.
I have seen no clear evidence that disabling stagefright will harm the Android OS if done correctly and with care (YMMV).
Here are additional resources:
http://fkwon.blogspot.com/2011/05/android-toggle-stagefright.html
---
https://github.com/CyanogenMod/android_frameworks_av/commit/57db9b42418b434751f609ac7e5539367e9f01a6
"from (previous) git entry I would suspect meta data parsing errors.
so in /system/boot.prop (root required)
[code]
media.stagefright.enable-meta=false
media.stagefright.enable-scan=false
[/code]
However, one cannot be sure about this."
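One way to apply the build.prop entries quoted in this comment while keeping the file's owner, group and mode intact (the cause of the boot loop described above), as an added example that is not part of the original post. `set_prop`, `get_prop`, `file_meta` and the sample file are hypothetical names; on a device it assumes a root shell with /system already mounted read-write and a writable temp directory.

```shell
#!/bin/sh
# Added example: change key=value lines in a properties file in place,
# verifying that owner, group and mode are the same before and after.

# Print "mode uid gid" for a file (ls-based, so it works with busybox/toybox).
file_meta() {
    ls -ln "$1" | awk '{print $1, $3, $4}'
}

# get_prop FILE KEY -> prints the current value of KEY, nothing if unset.
get_prop() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# set_prop FILE KEY VALUE -> replace the KEY line, or append it if missing.
set_prop() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    before=$(file_meta "$file")
    # -p keeps owner, mode and timestamps on the backup copy.
    cp -p "$file" "$file.bak" || return 1

    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { FS = "="; done = 0 }
        $1 == k { print k "=" v; done = 1; next }   # rewrite existing entry
        { print }                                   # keep everything else
        END { if (!done) print k "=" v }            # append if it was absent
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Overwrite the contents of the existing inode instead of moving a new
    # file over it: a replaced file would pick up the editor's owner and mode.
    cat "$tmp" > "$file" || { rm -f "$tmp"; cat "$file.bak" > "$file"; return 1; }
    rm -f "$tmp"

    after=$(file_meta "$file")
    if [ "$before" != "$after" ]; then
        echo "metadata changed ($before -> $after), restoring backup" >&2
        cat "$file.bak" > "$file"
        return 1
    fi
}

# Apply the three entries named in the thread to a constructed sample file.
demo_on_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ro.build.id=SAMPLE' \
        'media.stagefright.enable-player=true' > "$d/build.prop"
    chmod 644 "$d/build.prop"
    for k in media.stagefright.enable-player \
             media.stagefright.enable-meta \
             media.stagefright.enable-scan; do
        set_prop "$d/build.prop" "$k" false || return 1
    done
    cat "$d/build.prop"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo_on_sample
fi
```

Each call leaves the previous contents in `build.prop.bak` next to the file, so a bad edit can be reverted from recovery.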
That's about as useful as saying that gangrene can be taken care of by any competent surgeon.
Sure it can. You know how many competent surgeons, exactly ?
The scale of this issue is such that EVERYONE needs a solution, not just the competent programmers.
If solutions were only made for competent programmers, the IT industry would have been dead in the water 20 years ago.
Since stagefright seems to be what android uses for hardware accelerated decoding I would imagine that the attack vector isn't that important. MMS is what makes it automatic since it appears to bypass any user interaction but I expect an attack could be done with email or facebook and most security unconscious folks would be happy to "Watch this video, it's sooo funny, LOL" if sent from someone they befriendified (if that's a word) online.
I would think it is technically possible to inspect and filter at the carrier level for this kind of thing, since this is processed through their systems(and not some random web page or email or something).
Maybe they don't have this capability, if not, not a bad ability to have.
Nonsense.
In the UK, telcos filter over-the-air content all the time (and are in fact required to do so). You can request that they turn the filter off, but you have no legal comeback if they filter something you want.
It's just false to assert that an ISP would somehow become liable for anything if they blocked malicious MMS traffic. Particularly since this is exactly analogous to efforts to block what used to be called "phone phreaking": techniques to misuse telco systems to achieve nefarious ends.
OK, assuming some sort of signature based pattern can identify the infected video, why involve the telco at all? That would mean that the hangouts app itself could perform the scan before sending it off for preview. This is important, because hangouts can be pushed through Google play as an update.
Although it wouldn't eliminate the attack vector (too much insufficient storage-esq errors on old devices), the attack surface would easily and quickly halve.
OK Google, you've got 90 days.
The MMSC of any mobile network usually includes a virus scanner for the attached media.
Unless the Mobile Operator has neglected this feature the MMS service will prevent the spread of any such "Stagefright" exploits.
Note: This came to light from a research lab not from real-world evidence of exploits. Remember the Apple icloud hack?
Damn! See this is why the very idea of locked down/DRMed devices is bad[1][2].
When something critical like this happens many users cannot simply apply a patch to fix it, they are stuck with a device that is exposed and the only way to resolve it is to hope the manufacturer releases a patch.
Sure, you could install a custom rom to fix this, but this may not always be available for all android phones, for example, my android phone does not have this option.
Thus, I now need to buy a new phone[3][4] :-/
[1] I know android itself is indeed open source, but many (most?) mobile phone manufacturers put various locks in place to prevent easy user modifying of the installed firmware.
[2] I am an open source, anti-drm supporting nut job.
[3] Typical, I just got my phone set up the way I like it.
[4] More money spent.. so much for saving up for that 1967 Shelby Fastback Mustang..
I'm a great big fat android fanboy - but I'm this is why Android is bad.
Apple (for better or worse) do seem to support their hardware: https://en.wikipedia.org/wiki/List_of_iOS_devices#Highest_version_of_iOS_supported
Or at least if you're a 4S or beyond owner, they seem to have you covered.
With them you're getting updates for a 4 year old device, but in world of premium android you seem to get a "gentleman's agreement" on 2 years, and then you're on your own.
Still, not quite as bad as it seems for Android - Google with "play services" seem to have been incrementally pulling more updates under their control, but it's still a bit half-arsed.
Bit that always bemuses me though, is why they don't just embrace the Windows PC model (or probably more accurately the Windows PC laptop model) - with a Linux twist.
There's less variance in phone hardware than there is on your average PC - buggered if I can't think of a reason you can't roll a "Google Play Installer" that checks components, and installs the relevant drivers.
Has anybody actually bought an Android phone, due to the OS modifications in the last few years?
"Bit that always bemuses me though, is why they don't just embrace the Windows PC model (or probably more accurately the Windows PC laptop model) - with a Linux twist."
It's the chipset manufacturers that are blocking that plan. Many of them design SoCs and specialized chips as highly-competitive black boxes (because they don't want to Give Information to the Enemy). Unlike in the PC world where most stuff was based on discrete standards, a lot of ARM-based hardware relies on proprietary arrangements covered in trade secrets and NDAs. Some manufacturers are more forthcoming, others aren't (some like Allwinner even violate the GPL it seems but don't care because they have connections).
Or you root it and stick on a custom rom and update it until you find the phone isn't powerful enough for your needs, I think that is the main beauty of Android, you have options. With Apple you're stuck, once they stop bringing out new updates for it, you're stuck with whatever version they decide you should have, so upgrade your phone.
Naturally I'm with Windows Phone, security by obscurity, best method, honest guv'nor.
Although you do need someone technically competent or a technically competent team compiling the custom ROM for your phone, not a primadonna compiling an unofficial version of CM which lasts about an hour between reboots and ignoring all the bug reports. Not the best criteria for buying expensive hardware.
With them you're getting updates for a 4 year old device, but in world of premium android you seem to get a "gentleman's agreement" on 2 years, and then you're on your own.
That's the legal requirement in the EU. Some of this stuff simply needs challenging in the courts.
Things are often complicated by carriers running their own shit on top of the manufacturers' shit which makes development and test take a lot longer. But some court rulings could really help in establishing the various degrees of liability.
Apple's support is great as far as it goes. Anecdotally, however, I've been told that after about 3 years performance on the latest IOS seems to be so poor that new hardware is best solution. And app devs on IOS seem to march in lockstep with the IOS versions, meaning that OS upgrades are often required if you want to use the latest version of an app.
There's less variance in phone hardware than there is on your average PC
That simply isn't true. The lack of an ISA (industry standard architecture) has led to a raft of proprietary SoC's that all do things differently.
Something of a delicate situation here. It's hard to force a manufacturer to support something that's about two generations old. The only reason vehicles have stricter standards is because lives are on the line (a defect that causes a fatal accident = wrongful death suits). Worse comes to worse, they could just drop out and leave everyone hanging. Then there are the carriers who insist on their customization or the phones don't get sold in their stores, period. No phone apart from iPhones has enough direct consumer draw to dictate terms to carriers.
I'm wondering what legal remedies might be available. Since you bought the phone with a tacit understanding that it would be functional for some period of time, and this vulnerability could compromise your financial information, if nothing else (certainly your personal information), failure to correct it might leave manufacturers/carriers liable. But, of course, IANAL. Any IAAL's want to chime in?
Legal remedies available: none.
The thing you bought is as functional now as it was when you bought it
Then, as now, it was vulnerable to some number of attacks, and if those attacks compromise your financial information, then that is a criminal act on the part of the attacker. Your agreement/contract/tacit understanding with the vendor in no way includes liability on the vendor for criminal acts of third parties.
Your theory is as daft as asserting that the people who made your wallet are liable if you get mugged and the mugger steals the cash out of it.
"Then, as now, it was vulnerable to some number of attacks, and if those attacks compromise your financial information, then that is a criminal act on the part of the attacker. Your agreement/contract/tacit understanding with the vendor in no way includes liability on the vendor for criminal acts of third parties."
On the other hand, it might be argued that it is a fault which was in place at the time of manufacture or purchase.
OK, let's argue that. If the vendor had no knowledge of the defect at the time, how do you draw a line between "bugs" and "features"? Remember, while we're talking about something that I suspect most people would agree is a bug, how do you draw a bright line between defects that require fixing, and defects that are of the "it just doesn't work the way I think it should" variety? Some may be easy to categorize, but others...?
And what constitutes an acceptable fix? Could a vendor (e.g.) provide a patch that simply turned off this Stagefright feature? Because it could be argued that nowhere did they explicitly state the expected behavior; rather "you" assumed that it should behave in a given way.
It's tempting to want consequential liability and warranted functionality, but to be honest we've (all) been buying software for decades without it, so you'd have a really tough time trying to insist on it now on a commodity item like a phone.
>Your theory is as daft as asserting that the people who made your wallet are liable if you get mugged and the mugger steals the cash out of it.
Not really.
There is an inherent defect in the product. I don't think anyone would suggest that the bug is included under the banner of "works as expected."
The main issue is the complicity in customers accepting two years as an acceptable life span. I'd be pretty upset if HP gave me a two year life for a laptop, server or switch and expected me to buy new hardware because they couldn't be bothered to work with MS and the Linux chaps to make sure their kit kept working. Apple's billions seem to be leading the phone industry into an entitlement to profits mentality.
Is it time to pull the plug on proprietary phones? I know everyone wants to be Apple-successful, but most companies are not Apple, probably couldn't be Apple even if given the chance, and their customers are reasonably ok with that. We need a base-Android OS on top of which applications are added. The whole point of software layering is so we don't have to worry about the lower layers. We don't seem to have that any more with everyone (Apple, Google, MS, Samsung) wanting to own the entire stack - the OS and all the apps.
Perhaps Google need to man-up and provide leadership. They need to tell licensees to get their act together and support customised versions of Android for longer or stop shipping them. They should ship stock Android and add custom applications on top.
Look, you want a service contract, go buy a service contract. Otherwise, how on earth can you demand that a product you bought yesterday be guaranteed to be upgradeable to a product released tomorrow? It's just preposterous.
And your example is simply inaccurate. The hardware (from HP or otherwise) doesn't stop working the way it always has, it just becomes vulnerable to recently discovered issues. After a 1 year warranty (or whatever), why should you get free updates simply because you want them? Sure, many companies do provide them, for whatever reason, but the issue is whether you have a right to such updates for no other reason than your opinion that the thing you bought should have a lifetime of whatever you think it should be!
And the example cited here of Apple being good at this is simply laughable: Apple patches things when they want to, and they have a long track record of being slow to roll patches out. They were also very late to OTA updates, and so on. I have a pal who is still chugging along on his old PowerPC Mac running the software it ran back in 2004. From his standpoint, until it dies, it does exactly the same job it did when he bought it, and any change would cost him time and money, and the fact that you or I might have a reason to change doesn't mean that he would agree with either of us!
Look, you want a service contract, go buy a service contract. Otherwise, how on earth can you demand that a product you bought yesterday be guaranteed to be upgradeable to a product released tomorrow? It's just preposterous.
How's this different from recalling a car that has software vulns then?
Five years? Why not fifty? Or a hundred?
Seriously.
What you're actually asking for is something like a service contract where, as long as you pay the premiums, they undertake to fix any flaws. But I'll bet the take-up ratio of that sort of model would be very low, because the consumer wants a cheap gadget, and the fact that you want the vendors to be liable for some indeterminate amount of work for however long you want them to be liable will have a predictable effect on the price (hint: upwards). So does the average punter want to pay for what you want them to have, or what they are OK with getting?
Carriers monkey with the OS/apps, then the carriers should fix them. It is high time that the law treats this sort of thing as a fault to be fixed for, say, 5 years after last sale. For everyone, so no supplier can wriggle out and not have to pony up to fix the damn software.
Five years is excessive. I'm not sure if the length of the warranty is really the problem. As you point out there are a lot of parties involved in any rollout. The law should be used to streamline the distribution of security patches. The threat of legal action backed up with stiff penalties can work wonders.
This might be good in getting the carriers out of the mix, to which they add so little. Manufacturers might also be forced to pool resources for development or otherwise face a levy to a statutory body.
Some thought would need to be given to older hardware which is no longer able to support the latest version of an OS. Backporting will only work for so long. Might have to introduce official restrictions on older hardware. It's not really that different to phasing out things like analogue mobile phones. Carriers should be able to enforce this.
Just some ideas.
"Some thought would need to be given to older hardware which is no longer able to support the latest version of an OS. Backporting will only work for so long. Might have to introduce official restrictions on older hardware."
And then you'll be playing right into the paranoid's hand since they figure old hardware is the only way to prevent Big Brother from watching you.
"Five years is excessive."
Really? I don't think it's excessive. All items bought in the EU are covered by a default two year warranty but consumer law includes free parts and labour repairs (or is it just free parts?) for, in some cases, many years after that warranty expires. I think the term they use is "reasonable life" or something similar. The UK Govt. has a website somewhere with a non-exhaustive list of examples, eg a TV or a fridge should offer at least five years of life, the manufacturer being responsible for repairs or a pro-rata refund if it's not repairable.
I'd certainly expect a phone to still be usable after five years without it being "unsafe" to use and for fixes to the OS to be available.
Don't kid yourself -- the only reason vehicles have stricter standards is they're REQUIRED BY LAW to have stricter standards. Car companies would rather take the risk of lawsuits; they only do recalls on older models when forced to by the government. But things like mandatory recalls and lemon laws exist mostly because a car represents a significant investment in a way a phone doesn't, and so people pushed for those protections. Phones are considered disposable. Some, like Samsung's Galaxy offerings, arrive with so much crapware that after a couple years they can't even install app updates anymore.
Let me rephrase that.
Microsoft, PLEASE SAVE US FROM GOOGLE! Those people have no idea what they are doing, and we are tired of reinventing the Windows-95 era update.
PLEASE PLEASE PLEASE fork Android into something that can be patched! We will be yours forever, and rue the day we cast aspiring glances elsewhere.
Google, I do hope that you are listening. What comes next for you is neither what you expect nor want.
It is, however, what you deserve.
Half the time is abandoned by the manufacturer. I don't think anyone should buy a phone that isn't a Nexus variant if you want a good experience with android. Cyanogen and all that bollocks can sod off as well, half the time they seem like they are about to fragment. It's a die hard few, or people with abandoned phones that turn to it.
How many average Android users would know how to do that?
so they carry on as before using their device blissfully ignorant of the disaster about to happen when they open a vid sent from a friend.
As has been said, this is the problem with Android. Makers stop updating devices as soon as they can get away with it. My old HTC device got ONE update. That was it. All support was pulled 6 months after first sale.
That was one of the reasons I ditched smartphones altogether and went back to a dumb Nokia.
So we have some headlining with 10⁹ phones, revised to 0.95 x 10⁹. Is this indeed the number of devices corresponding to "any phones running Android older than 4.1"? If so, how many of those are still in active use and how many are toxic wastevalued recyclable material?
I'm on Cyanogenmod 12.1 Nightlies on my Oneplus, and it was "supposedly" patched some time last week or so. I have been updating on Fridays. Also by running TK Gapps, I can minimize the Google bloatware to just what I want installed - no Hangouts, no Books, Movies, blah blah blah. See https://plus.google.com/+CyanogenMod/posts
Maybe it doesn't happen this time, depends on how easy this bug is to find. At any rate there are surely plenty of other bugs lurking in Android that can be remotely triggered in a similar manner. Find one and have it text a random assortment of the infected phone's contacts, and it would spread across the world in a matter of hours. What is done with a billion phone botnet, who knows, but it probably won't be good.
You don't even need Android's famously crappy updating for this. It would spread so fast that if you found a zero day that infected iOS 7 & 8 in a similar manner you'd own 95% of all iPhones in the world even if Apple turned around a patch in 24 hours.
Someday we're going to wake up and know what the Morris Worm would have been like if it had infected five orders of magnitude more devices.
Microsoft ought to immediately start a black project researching for bugs like this in both Android and iOS. Brick a billion phones and a lot of people won't buy the same kind they had before - this may be Microsoft's only hope to get any market share in the mobile market :)
What we need is a simple system without the attack surface of some hugely overcomplex pseudo object orientated system. Essentially something close to what the "suckless" people make, a simple way to switch between virtual framebuffer terminals. A system designed not by some clueless user experience designer, but by someone who actually uses it.
There are billions of mobile phones out there, surely there's a market for phones which don't cater to the lowest intellectual denominator. Let's build mobile devices for people who don't need an app to tell them when to drink.
Guess the folks that own older (ie non updateable) 'Droid phones are SOL then.
It does raise a point though, if a serious vuln is found for an older device which a lot of people still use because it has superior functionality to say a Crackberry then should the manufacturers be required to provide a fix?
I recall reading that some older Iphones can still be sent back to Apple for a battery replacement, maybe its time to have a similar system for software vulns?
It's referring to the Multimedia Message System (MMS), which uses the Simple Message System (SMS) as a conduit to enable phone users to pass multimedia attachments around. Think of it like a form of e-mail attachment. The text is sent that contains information for the phone to know where to connect to download the actual file.
Where the problem lies is that Android, like many other smartphones, tries to go one step ahead of you so you don't get frustrated in waiting. They pick up the attachment ahead of time after it receives the text, sets it up for you to see, and THAT'S where the exploit lies.
Apology for the use of bad language, nothing, except being cynical, can word this well.
$1000,- for someone detecting a fatal flaw on a billion phones ?, selling phones full with crap apps but no root access to remove the stuff ?... no updates for 2 year old phones in the $500,- range ?...
I hope the lawsuits against Google will make the ones against Big Tobacco look like child play, unless they give us root or updates. It is my phone, not googles so give me root.. like today !
My god what a sad post....
Google don't sell many phones and certainly not a billion of them, manufacturers such as Samsung sell them.
Google have already according to the story provided those patches etc to them as if you don't get it ask your phone maker why not , not Google.
As to root access etc, Google phones ie Nexus phones have root access very easily so you can do what you want with it.
As to 2 year old phone updates, again ask Samsung etc not Google.......
Your post is spot on when it comes to the facts, and mine is indeed incorrect.
But being factually correct was not the point of it. It is just weird that someone starts making a smart phone OS, manages to get 85% global market share because it is good enough and given away for "free", but then nobody is responsible for updates.
The point was also not to go into "you can install a custom ROM" we all know that, but 95% of the users won't bother, they just sit on an insecure product.
In 2008 the first Android phone was released, we are now 7 years further, google did nothing to solve this, knowing how dangerous it all is from a security point of view to do nothing. When this type of issue surfaces in 2015, google is clearly to blame for its lethargy towards the phone manufacturers in enforcing updates.
I guess the government has to step in to tell this bunch of toddlers that updates are obligatory for at least 3 years, EU warranty period for electronic devices.
For years IT people have been dealing with PC security but at least felt they could take some steps to reduce the risk, filtering at the firewall, chose antivirus and antimalware, install local policies, decide (to some extent) what software was installed.
Then came phones, at first they were simple devices that didn't do too much, now they are multiprocessor, gigs of ram, computers in your pocket, but most that "control" stuff has been stripped away and people even get offended if you dare to infer that facebook, messaging or a million cool apps are anything other than business critical. BYOD has fucked up a lot of business security, seriously someone needs to stand up and properly weigh the value of handing over critical data to companies that are more interested in harvesting your information and contacts than protecting your livelihood.
I don't just mean Google, most of them are at it and the BYOD moniker is just a smoke screen for data rape.
This is why people should opt to buy only pure android phones. I had an HTC once and I hated that I could not get rid of cr*p software without rooting the phone. Since then only Nexus or pure Android phones. If more people do this then the manufacturers will have no option but to give in to demand.
Something else that's probably a one module patch that Android can't do because its update mechanism is shit and requires all of the manufacturers and carriers to be complicit in making complete and full updates of everything just to perform this one small change - and most just aren't interested (old model = no profit).
Well all this advice doesn't help ease my mind.
I received an MMS on Saturday. It claimed to be from Vodafone (it had a 4 digit short code) but I deleted it. I remember the 'pay £1.50 to view a video' scams a few years back and thought it was one of those.
Have these evil-packed MMS been seen in the wild or are they still in the labs?
Edit: I'd blocked the phone number. It was 9774. Appears to be a number Vodafone use.
Anyone else had marketing MMS from Vodafone recently?
It's quite a complex issue this that I think requires legislation.
If I buy a phone I think it reasonable to get told how long my device is going to be supported and that any issues such as this that arise will be fixed. Therefore I can make an informed choice as to whether I'm going to buy the phone. This is already the case with TVs, washing machines, cars etc. and their warranty. It would be interesting to know whether the software is covered in those warranties as has been stated previously if the device is working within its parameters then it technically isn't faulty, it may be wide open to abuse but until someone exploits it then there isn't a fault.
Ok, so all the google bloatware shite like Hangouts got disabled about a millisecond after I got the phone.
I'm running Lollipop.
How does the worm get into the MMS message? Does it need to be deliberately planted or can it latch on to any pic in your phone?
If deliberate then as I would only open MMS messages from trusted sources I should be ok?
Haven't looked into the details but presumably one would "exploit the exploit" with a specially crafted image containing some code.
If (huge if) this is already in the wild it's not impossible that it sends itself to contact lists etc so "trusted sources" (e.g. family/friends) becomes a meaningless term.
This, and the next gazillion exploits, are the result of this simple recipe:
1) Take a human - any one will do. They all screw up.
2) Take a language. They all have their flaws, but pick one that doesn't seem to give a damn what you do with memory, like C++.
3) Blend and wait.
It's the 21st century now, and, as someone who was coding C++ when there wasn't even a compiler for it I just wonder why it and other languages with similar flaws are still being used so much? Sure, there may be a small percentage of situations where the bare-metal speed is worth it, but when you're writing software that will be deployed on a significant proportion of the devices in existence, using languages that make things hard to test and that so brilliantly hide the mistakes of us fallible humans seems positively stupid.
Can we stop now?
(I will not suggest another language. I've learned about 5 in the last year alone and I'm exhausted. Please agree amongst yourselves and I'll learn that one!)
"Sure, there may be a small percentage of situations where the bare-metal speed is worth it, but when you're writing software that will be deployed on a significant proportion of the devices in existence, using languages that make things hard to test and that so brilliantly hide the mistakes of us fallible humans seems positively stupid."
Except that ARM chips aren't exactly the most performance-friendly chips on the market. They're just cheap and easy on the power (a boon when on batteries). But customers STILL expect good performance out of their devices even down the road. Sluggish performance becomes an increasingly common complaint as a phone ages. Even my S4 shows some oddities now and then. And let's not start on the memory limitations and so on. Phones are closer to the embedded world than the PC world in terms of architecture, and embedded developers will tell you a thing or two about delivering performance while under constraints. If you've got a highly-competitive market where the customers demand everything yesterday and doing nothing may not be an option, what do you do?
My arm-powered phone has 4 cores. A single one of them is far faster than it needs to be. The excuse that we need to use a dangerous language in mass market devices doesn't exist anymore.
Most of Android is built in Java, not C++. I'm not advocating that language, but just pointing out that outright bare metal performance is less important than other concerns, e.g. security.
I would rather trade in 10 or 30 percent in performance if that makes my phone significantly less prone to such exploits.
"Most of Android is built in Java,not c++."
Except performance-intensive stuff IS native-coded. And multimedia stuff tends to fall into that category: especially anything involving video. And even my S4 (also a quad at nearly 2GHz per along with a good mobile GPU chip) has difficulty doing 1080p H.264 video with subtitles (not starting with H.265). A 10% hit can mean the difference between a decent enough playback and one too herky-jerky to be satisfactory. And most consumers think opposite to you. "Screw security; I just wanna get stuff done!" Meaning you're outvoted.
Isn't this video processing? That's not something you'd want to do in anything other than as efficient a way as possible, particularly on a mobile device.
I'm shuddering right now at the thought of a video decoder written in C# with regular pauses in playback when the garbage collector kicks in. Yes, I know that smart coding and a sensible approach from the start can mitigate this but then this is another complication - https://msdn.microsoft.com/en-us/library/ms973837.aspx.
"I'm shuddering right now at the thought of a video decoder written in C# with regular pauses in playback when the garbage collector kicks in."
This is the 21st century and we're talking about mobile devices right? Why don't you just use the hardware-implemented codecs on the hardware (via the SDKs)? I can play real time video on my phone's browser, or from within an app, without having to get my hands dirty writing c++ codecs.
The piece of software relating to this particular security nightmare wasn't even something that would be bothered by GC.
I don't use C# but they've got it right when they named the 'unsafe' declaration. Golang was written because Google realised it was stupid putting C++ in the hands of ordinary people and expecting them not to end up with an exploit-ridden rat's nest.
We're not going to fix humans any time soon. So the tools should change. Stuff the bare-metal performance (at least for situations where security is important - i.e. most of the stuff people use from day to day for online banking, shopping, communicating etc.)
"This is the 21st century and we're talking about mobile devices right? Why don't you just use the hardware-implemented codecs on the hardware (via the SDKs)? I can play real time video on my phone's browser, or from within an app, without having to get my hands dirty writing c++ codecs."
Because time marches on. Codecs get improvements and eventually get replaced with entirely new ones. Hardware H.264 can have trouble when handling bleeding-edge video files that push the codec to its limits. And they're absolutely worthless for the new wave of H.265 video.
That's a bug with your phone or the cell tower you are connected to. I'm with AT&T and get MMS messages on my iPhone all the time, never had a problem like that except in a handful of times when I was at a football game or concert where the local cell towers were completely overloaded.
So Google could/should be able to issue a patch for Hangouts to stop pre-processing videos for now until manufacturers pull their fingers out and issue an over-the-air update for Android, and other messaging apps under its control. And other messaging app providers could provide the same fix fairly quickly as well, especially the big guys like Facebook and WhatsApp.
We will see how seriously the messaging apps themselves take this bug.
Eventually people should be able to see that such "flaws" really are undocumented features. The demand by the NSA that encrypted hardware and software without such flaws be illegal should be a hint that at least some flaws have not been accidents.
Unless of course people's default setting is to believe companies and governments are genuinely honest and do not wish to misinform. In which case they will fix this, our data is safe and what a nice day it is again.