It’s time to hold manufacturers responsible for Android vulnerabilities
March 23, 2016
Shah Sheikh


At this point, it’s irrefutable: The Android ecosystem, splintered across untold versions and locked into place by disparate and poorly planned third-party hardware, is making you less safe. This week, Israeli security firm NorthBit figured out a way (PDF) to use the long-known “Stagefright” vulnerability to attack literally hundreds of millions of phones. Called Metaphor, it could easily parallel an attack already devised by criminal hackers, who are always neck and neck with security researchers.

Anybody running a phone patched on or after October 1, 2015 should be safe — the problem is not that Google doesn’t know how to fix the vulnerability. Instead, the problem is that an astonishing number of devices simply cannot be updated and protected — some 275 million, according to NorthBit’s analysis. That’s better than the originally reported billion or so vulnerable devices, but seen in terms of the proportion of Android users using versions 2.2 through 4.0, 5.0, or 5.1, it’s still intimidating.

Exploits based on the Stagefright bug will remain dangerous for the foreseeable future, fixed for many more by the passage of time than the active efforts of technology companies.

To be fair, Metaphor is the first truly dangerous implementation of the Stagefright vulnerability we know of — and it’s fairly elaborate. It works by doing a sort of hacker recon before actually attacking. The problem begins when a malicious MPEG4 video deliberately crashes Android’s video server and receives a hardware error report as reward. Next, it repeats the process with another crash-bound video to get more info — and then attacks. The researchers say the exploit doesn’t lend itself to a single, monolithic attack against all handsets and must be tailored to each one, so the obvious solution was to make an exploit that could automatically tailor itself to each target.

On vulnerable devices, this approach can get the attackers past the phone’s defenses in about 20 seconds. Since it works mostly via metadata, it doesn’t even necessarily require any activation by the user. Simply loading a booby-trapped page can be enough to allow access. Worse, Metaphor’s method of attack is also the first to bring Android 5.0 and 5.1 into the Stagefright danger zone.

This is an existential problem for Android, and for Google in general: Whether it’s a mobile OS or a self-driving car, the Google argument has always been that a world full of interconnected hardware and software developers will always beat out a single, monolithic company with total control. In certain ways, they’ve been proven right; Apple can’t provide the breadth, variety, or low-cost options of the Android ecosystem. But how long can these advantages of the Android model continue to offset the increasingly apparent disadvantages in the minds of consumers?

In the end, the responsibility lies at least as much with device manufacturers as with Google’s core Android developers. Google has lobbied companies like Samsung to be more vigilant about pushing, at least, pure security updates to their phones, with only limited success. In many cases, Android users looking to be as safe as possible end up being forced to “root” their phones for developer access — often ending the term of their warranty.

This state of affairs will continue until the user base takes greater notice of mobile security. Right now, the people most knowledgeable about these issues are those most likely to have new, fully updated phones. The people most likely to be hurt by the foot-dragging of certain hardware companies are also those least likely to know it — and thus the least likely to punish their device maker by going elsewhere next time.

Source | ExtremeTech