Android vulnerability: billion devices affected

Wrong forum.
Possibly mr pseudo mod. As many people use them just every day without an interest in computers I decided to post it here for wider coverage. When an actual mod decides it is in the wrong place then I'm sure it will get moved.
 
Samsung already have patches out for things like the S5.

But are we really surprised mobile devices and OS's are now the target of the hackers as they now must be the majority used devices for accessing the internet?
 
Samsung already have patches out for things like the S5.

But are we really surprised mobile devices and OS's are now the target of the hackers as they now must be the majority used devices for accessing the internet?
Excellent. That is very encouraging they actually go as far back as the S5. I think it highlights how important this issue is. I really hope carriers release it quickly to their customers.
 
Can you explain clearly to me

1. How a "bad guy" would get code that takes advantage of this exploit onto my phone?

2. What they can actually do once they have?

Without those 2 facts (and unless the answers are "easily" and "a lot") that article seems just a touch alarmist. Almost like an advert for the conference TBH.
 
A billion devices "potentially" affected.
The definition is rather important.
 
For those who want to know the technical details; the CVEs are listed in the linked article. In accordance with good white hat hacking practices the exploitation code hasn't been released yet. The article does list when this will happen, therefore providing various vendors sufficient time to fix the code on their devices and roll out updates before it goes wild and script kiddies will be able to exploit it.

For now it is likely just a limited group of knowledgeable people who can exploit it. With time this group will grow bigger.
 
Can you explain clearly to me

1. How a "bad guy" would get code that takes advantage of this exploit onto my phone?

2. What they can actually do once they have?

Without those 2 facts (and unless the answers are "easily" and "a lot") that article seems just a touch alarmist. Almost like an advert for the conference TBH.
I expected more from you somehow, surely you don't require an explanation of what root access provides on a *nix based system.
 
I expected more from you somehow, surely you don't require an explanation of what root access provides on a *nix based system.

I know what root access is. I just don't know what it would allow me to do on a phone. I guess it might allow me to make calls but that doesn't seem very productive. Would it allow me access to credit card information or bank details? I can't honestly see how since these shouldn't be stored on a phone. I guess it could delete everything which would cause me maybe an hour's vexation while the cloud synced. It might allow somebody to post stuff to Facebook on my behalf but most people have already authorised a bunch of apps to do that anyway.

Root access sounds awfully scary. But in simple terms, what would it allow a hacker to do here?

And back to the first question - what's the access method? As far as I can see, a hacker would have to get a dodgy version into an app store (not impossible but somewhat tricky) and then I'd have to download it. Or is there another way? Can this be executed via a QR code?

I'm not saying it isn't an issue. I'm suggesting that "Hacker News" might want to wrap some facts around its alarmism. They might also want to tell us why they consider 400,000,000 devices immune from this (there are 1.4 billion Android devices in the world - if their figures are accurate then there's about a 30% chance any given device would be immune. I'd be interested why.)
 
I know what root access is. I just don't know what it would allow me to do on a phone. I guess it might allow me to make calls but that doesn't seem very productive. Would it allow me access to credit card information or bank details? I can't honestly see how since these shouldn't be stored on a phone. I guess it could delete everything which would cause me maybe an hour's vexation while the cloud synced. It might allow somebody to post stuff to Facebook on my behalf but most people have already authorised a bunch of apps to do that anyway.

Root access sounds awfully scary. But in simple terms, what would it allow a hacker to do here?

And back to the first question - what's the access method? As far as I can see, a hacker would have to get a dodgy version into an app store (not impossible but somewhat tricky) and then I'd have to download it. Or is there another way? Can this be executed via a QR code?

I'm not saying it isn't an issue. I'm suggesting that "Hacker News" might want to wrap some facts around its alarmism. They might also want to tell us why they consider 400,000,000 devices immune from this (there are 1.4 billion Android devices in the world - if their figures are accurate then there's about a 30% chance any given device would be immune. I'd be interested why.)
From what I know of my limited Android usage, you can download apps from sources other than the official app store. Those who have jailbroken their iPhones also run a similar risk.
 
I know what root access is. I just don't know what it would allow me to do on a phone. I guess it might allow me to make calls but that doesn't seem very productive. Would it allow me access to credit card information or bank details? I can't honestly see how since these shouldn't be stored on a phone. I guess it could delete everything which would cause me maybe an hour's vexation while the cloud synced. It might allow somebody to post stuff to Facebook on my behalf but most people have already authorised a bunch of apps to do that anyway.

Root access sounds awfully scary. But in simple terms, what would it allow a hacker to do here?

And back to the first question - what's the access method? As far as I can see, a hacker would have to get a dodgy version into an app store (not impossible but somewhat tricky) and then I'd have to download it. Or is there another way? Can this be executed via a QR code?

I'm not saying it isn't an issue. I'm suggesting that "Hacker News" might want to wrap some facts around its alarmism. They might also want to tell us why they consider 400,000,000 devices immune from this (there are 1.4 billion Android devices in the world - if their figures are accurate then there's about a 30% chance any given device would be immune. I'd be interested why.)
Hacker news has a certain target audience. Basically root access gives you access to everything, can bypass anything, can reset passwords, distribute contacts, emails, photos. Do whatever it likes.

In simple terms it provides God access. Not good.
 
Actually the biggest security risk is users with bluetooth enabled which isn't secure (or very secure). Quite funny at some of the conferences as the lecturer sits at the front tapping away on his laptop before the start of the conference, then starts displaying images taken from people's phones in the audience.
 
Hacker news has a certain target audience. Basically root access gives you access to everything, can bypass anything, can reset passwords, distribute contacts, emails, photos. Do whatever it likes.

In simple terms it provides God access. Not good.

Yes. That's what root access is. And if somebody was actively logged into my phone as "root" and working their hardest to do stuff then it could be pretty bad. But actually they don't need root access to do most of what you list. For example, the BBC are "actively investigating" whether perfectly normal apps hijack the microphone in order to spy on you and target advertising (answer: probably - there are enough anecdotes on Reddit to make it look like it's more than synchronicity). And the permissions required by Facebook's suite of apps are just terrifying.

I'll bet that like most security scares this comes to nothing. But I hope their conference sells its tickets.
 
Yes. That's what root access is. And if somebody was actively logged into my phone as "root" and working their hardest to do stuff then it could be pretty bad. But actually they don't need root access to do most of what you list. For example, the BBC are "actively investigating" whether perfectly normal apps hijack the microphone in order to spy on you and target advertising (answer: probably - there are enough anecdotes on Reddit to make it look like it's more than synchronicity). And the permissions required by Facebook's suite of apps are just terrifying.

I'll bet that like most security scares this comes to nothing. But I hope their conference sells its tickets.
Without root access normal apps can't hijack without you knowing and approving that access. Now I'm not daft, a lot of users give apps lots of access rights without even looking twice at the screen. The problem with root access is that it can do this without you knowing and install without you knowing it.
 
Actually the biggest security risk is users with bluetooth enabled which isn't secure (or very secure). Quite funny at some of the conferences as the lecturer sits at the front tapping away on his laptop before the start of the conference, then starts displaying images taken from people's phones in the audience.
Blue jacking is as old as since it came out on the phones. That is not a vulnerability though and sensible users don't have it wide open and don't just accept without confirmation. What would be a vulnerability is when they have switched that off and think they block it. Yet in the background it is allowed through. Root access does provide that capability, both going in and going out. Therefore a vulnerability that exposes that level of access is pretty serious.
 
Without root access normal apps can't hijack without you knowing and approving that access.

Have a look at the permissions required by some pretty innocuous apps. It doesn't help that Android doesn't offer a very fine granularity of permissions. For example there's a single "microphone" permission rather than only permitting it when the app has focus/doesn't have focus/phone is locked etc.
 
Have a look at the permissions required by some pretty innocuous apps. It doesn't help that Android doesn't offer a very fine granularity of permissions. For example there's a single "microphone" permission rather than only permitting it when the app has focus/doesn't have focus/phone is locked etc.
I'm fully aware of it, and I refuse to install such applications. Yet I know many people who just hit the "yeah yeah yeah whatever" button as they call it. The problem is that is not a vulnerability and you are still aware of it. With a maliciously crafted application that is looking to make use of these vulnerabilities it can display a screen requesting access to basic elements not causing any concern. Yet in the background it is acting upon the exploit, gains root access, then downloads or executes, with an embedded malicious payload, its desired attack factors, and you wouldn't even know it was doing it. Not only that, the only way to get rid of it is to refresh the phone with a clean ROM. Naturally that should be a patched ROM as if it isn't then with your Google account it would download automatically that app again, and the whole process starts over again.

Quite beautiful in a perverted kind of way :)
 
So you basically use your phone for making phone calls then? My wife has one of the immune phones - it's a £5 Nokia from Asda. She charges it most weeks ;)
 
So you basically use your phone for making phone calls then? My wife has one of the immune phones - it's a £5 Nokia from Asda. She charges it most weeks ;)
LOL Yes she'll be ok, unless she has bluetooth enabled :) I was hacking those way back in the days, especially as they are susceptible to message spoofing (GSM SMS) that is.

But regarding myself, no I don't just use my phone for making phone calls. I use it for all sorts of activities. My iPhone is my daily driver and is pretty much ok. My Android phones are either Google Nexus, or other vanilla based systems (Cyanogen Mod) bought sim free such that I can patch/update them when required. But they are workhorses and serve a purpose. Partially for security checks, scanning and development; I've got depending on the project bluetooth, wifi scanners hanging off them, and if necessary a software defined radio to do other stuff. And the log files go to a syslog server for analysis.

The point is that many applications ask for privileges they really don't require; I do not install such applications when it doesn't make sense. There are many app providers who are sensible about the required privileges. They get my business.
 
I've rooted every android phone I've ever had :)
Operative word being "I". When you know what you are doing and if you are happy to leave it open for other apps to use that then that is your choice. Very different than a vulnerability which takes that level of access without you knowing.
 
El Reg reported this over a week ago, although in less excitable terms than thehackernews (unusual for me to describe them as "less excitable" :p ).

http://www.theregister.co.uk/2016/03/07/googles_monthly_security_update/

For those who find the details interesting;

The source for common vulnerabilities and exposures on about anything, hot linked to one of the key issues;
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0819

And the Android security bulletin through which it was published;
http://source.android.com/security/bulletin/2016-03-01.html

I was reading both (and CVE-2016-0805) earlier, to say they are woefully short on detail is a considerable understatement.
 
El Reg reported this over a week ago, although in less excitable terms than thehackernews (unusual for me to describe them as "less excitable" :p ).

http://www.theregister.co.uk/2016/03/07/googles_monthly_security_update/



I was reading both (and CVE-2016-0805) earlier, to say they are woefully short on detail is a considerable understatement.
Which makes them more interesting considering their criticality level ;) and yes it was first reported back in October. However as you know it is not unusual to keep it quietish and give providers and manufacturers a chance to fix.
 