Zimperium Releases Stagefright Detection Tool and Vulnerability Demo Video 54
Mark Wilson writes: We've already looked at the Stagefright vulnerability, discovered by Zimperium, and shown what can be done to deal with it. Affecting up to 95 percent of Android devices, the vulnerability has led to Google and Samsung announcing monthly security updates. Now the mobile security company has released additional details about how the exploit works. To help explain the vulnerability, a video has been produced which uses a Stagefright demonstration to illustrate it in action. Zimperium has also released an Android app that checks devices for the vulnerability.
Re: (Score:1)
Finally, a first post that makes some sense.
Dice: FristPost/GNAA Detection Tool? (Score:1)
The mighty have fallen (Score:4, Insightful)
I really did not expect to see this.
Re: (Score:2)
I really did not expect to see this.
At least Goatse hasn't made an appearance. You *really* don't expect to see that.
Re: (Score:2)
It's not all that interesting. The severity of this vulnerability is low because since way back in the 2.0 days Android has had ASLR enabled by default in the kernel, which largely mitigates it.
Defensive security measures like ASLR do a lot to mitigate the severity of new exploits, which is why you don't see sudden mass infections the way you used to back in the XP days. Some people love to soil their pants every time some new "critical" exploit comes along, ranting like lunatics that Android/iOS/Windows is
Re: (Score:2)
the fall of Slashdot.
Yep. I started reading it this week after a year away and it's a shadow of its former self. Zero content.
A USEFUL article summary would have told you to go to the messaging options page on your phone and disable automatic MMS retrieval. That will protect you from the vulnerability.
Instead we have all this useless crap about updating the OS (if you even can!!) and how millions of Android devices are about to be rooted, etc.
Re: (Score:1)
Yet we keep coming back here.
Re: (Score:2)
I ran it (Score:3)
Well, on my Transformer Prime, anyway. The unlock tool doesn't work on it, so I have quite an uphill battle ahead of me upgrading it...
Re: (Score:2)
Google should provide a tool which would allow users to update their phones themselves instead for having to wait for the manufacturer to do something if those ba$tard$ are willing to do anything at all...
That is not in their power. The unlock and flash tools are held by the makers of the chipset and/or the makers of the devices. So for example the tegra flash tools come from nvidia but the actual unlock tools come from the vendor, in my case Asus... and Asus made a crap unlock tool that tries to verify that you're using it on an original untampered device. It doesn't work on all the bootloader versions they ever shipped, either. Anyone who got the JB OTA update has only a mediocre shot at it working. Anyone
Re: no support for me either ... (Score:1)
Can't they use Google Play Services to roll out a fix to the various files which make up Android? If not, shouldn't such a tool be part of the next fix they roll out? Is there some problem - security or other- to adding/changing/removing system files, assuming the operation/process is signed?
Re: (Score:2)
Can't they use Google Play Services to roll out a fix to the various files which make up Android?
In a word, no. The only reason Google can make so many updates by updating Google Play Services is that they have moved more and more of the core functionality into there. However, libstagefright is not part of that functionality, so they can't update it by updating Play.
For locked, unlockable devices, only the vendors realistically have the ability to produce a patch.
Re: (Score:1)
But why can't they update *everything* using it? If they can't, why can't they introduce such a feature? Microsoft can update everything on their patch-tuesdays updates. Why can't Google? Google knows how broken and hopeless the upgrade situation is with android. Fewer than 1% are on the latest version (5.1) and most are on a 2+ year old version. Can you imagine the response if Microsoft said only users of Windows 10 were going to get security fixes when everyone's on xp and 7?
Re: (Score:2)
You can install it from here: https://play.google.com/store/... [google.com]
Lookout's blog page has details about the app and how to make sure your messaging apps are safe from the exploit: https://blog.look [lookout.com]
Re: (Score:2)
This reveals whether a device is vulnerable, and indicates whether an OS update is needed.
Of course you're never going to get an OS update because your vendor isn't ever going to release one, they're too busy introducing a new model that obsoletes your two-month-old phone and whose main differentiator is that the power button is moved 1/200" to the left. Buy the new model, the problem may be patched. If not, try buying the next model that's coming out in three weeks.
Re: (Score:2)
I predict SDTs will spread like wildfire through the live performance community. Exciting news for understudies everywhere!
I could take this comment so many different directions...
At least the Rocky Horror understudies have been exposed so many times that they're immune!
At least something new will spread through the live performance community, it's been a little dull lately...
Of course it'll spread through understudies. Why do you think they call them understudies? *wink*
Isn't this pointless for the average user? (Score:4, Interesting)
From what I understand, Stagefright is a bug that can only be removed in one of two ways: either by an update from the manufacturer of your device, or rooting your device and manually removing the image viewer that Stagefright uses as a vector. There's really nothing an average (non-rooting) user can do to fix their devices but wait, and nothing they can really do to stop it happening to them short of turning their device off completely and preventing it from getting texts. Sure, it'll tell them that their device is vulnerable, but it's a case of "You're vulnerable to Stagefright and can do absolutely nothing about it short of rooting your device until your device manufacturer decides to release an update."
Re: (Score:1)
Re: (Score:1)
From what I understand, Stagefright is a bug that can only be removed in one of two ways: either by an update from the manufacturer of your device, or rooting your device and manually removing the image viewer that Stagefright uses as a vector. There's really nothing an average (non-rooting) user can do to fix their devices but wait, and nothing they can really do to stop it happening to them short of turning their device off completely and preventing it from getting texts. Sure, it'll tell them that their device is vulnerable, but it's a case of "You're vulnerable to Stagefright and can do absolutely nothing about it short of rooting your device until your device manufacturer decides to release an update."
You can disable packet data for the short term until you resolve the issue on your phone. this will make the phone usable (wifi only for data) and text messages still available, but will not use MMS as packet data is required for this.
Re: Isn't this pointless for the average user? (Score:2, Insightful)
Just disable MMS auto-retrieve instead.
Re: (Score:2)
how?
Re: (Score:2)
Fortunately the bug isn't that bad. Because of ASLR and other defence mechanisms in place (as far back as V2.0) the damage it can do is fairly limited. Maybe a really slow, really expensive DOS attack, until you call up and ask your carrier to block MMS.
mitigation (Score:2)
On a stock, non-rooted phone you can disable MMS [trendmicro.com] to provide some degree of protection from this particular exploit.
Although unconfirmed, there are several stagefright booleans [blogspot.com] in /system/build.prop on some phones. Setting them to false might provide some additional protection. Root and a reasonable text editor will be required (i.e., busybox vi), and you should be able to recover from a boot loop before attempting this modification.
Google and Samsung announcing ... (Score:5, Interesting)
>Google and Samsung announcing monthly security updates
I call bullshit.
until they take security seriously (which means backporting fixes to old os's in phones) this is worse then bullshit. its acting like a real fix when, in fact, its stil business as usual. phones will not get updates if the vendor wants to force you to re-re-rebuy yet another phone.
when there is a push to keep selling you things that you already have, you will NOT get software updates or support.
the model is broken by design. apple has it mostly right (although they also actively try to force upgrades on hardware by EOLing perfectly good and working hw) but android/google fucked the chicken, here. they decided to make a monolithic system out of the non-monolithic linux base and there's no fixing this broken-by-design idea. vendors are enjoying their wild-west view of things and anything goes! consumer protection is a thing that we used to have 20+ yrs ago, but no one cares about us anymore.
looking to google to help secure things? HA! samsung? DOUBLE HA!
both are jokes when it comes to software QUALITY. such a shame, too, that such rich companies don't give time or energy to things that truly are important to users.
Re: (Score:2)
In the late nineties I dreamed of the smart home, the smart car, etc. I even played with X10 for awhile and had strongly considered integrating a computer into my car in a fashion that
Re: (Score:3)
I think they're being forced into this by mounting public/press pressure. They're going through the same discovery process that creators of PC software, browsers, and operating systems went through a decade ago (or more recently with Adobe and Oracle). If a company like Microsoft can get their shit together security-wise, then so can Google and other Android manufacturers. It just requires a fairly serious commitment. Whether this is real or marketing bullshit will become clear soon enough.
Re: (Score:2)
The problem is, if they push an update to my phone that breaks it, I'm in the shit.
If my PC doesn't work, I can live without it for a few days, or reinstall the OS. If my phone doesn't work, I can... not get urgent messages when I'm on call.
This is why I avoided getting a smartphone until I no longer had a real choice (I need to run some app to generate login passwords).
Re: (Score:2)
True, but I haven't seen updates pushed without my consent so far on my phone. Also, I suspect the chance of your phone being completely bricked by a security update is pretty low. You probably have a much better chance of accidentally dropping and breaking it.
Still, I do share your fears about mandatory updates. I think Microsoft's Windows 10 update policy for the consumer version is absolute lunacy. It makes sense from a security standpoint, but it's horrible in terms of stability/control for people w
Re: (Score:2)
The real problem here isn't the vendors, it's the carriers.
How fucked would we be if PC users could buy PCs with Windows or OS X installed, but could only get security updates by downloading ISP-signed binaries from Comcast or AT&T's "official" repositories?
Yep, a good point. Apple was the only one with the clout to avoid that nonsense. It's too bad it didn't set a precedent that the rest of the industry followed. Honestly, I think I might be willing to overlook a little bit of collusion if the rest of the manufacturers got together and demanded the same autonomy.
Still, my feeling is that Samsung has probably coordinated with the carriers about more frequent security updates. I don't see any reason they would be resistant to the idea, since it's not all th
Re: (Score:2)
Re: (Score:1)
Ethical Hacking (Score:3)
I'm not saying they should have done it, because of legal exposure, but...
It would have been pretty cool if the Stagefright detection app, also used the vulnerability to patch your system in some way.
I wonder how that would have been received, if it had all worked perfectly and not screwed something up.
Re: (Score:2)
The idea of using the vulnerability to patch the vulnerability comes up pretty regularly, but it's just too risky. The Android ecosystem is diverse, which means that the "patch attack" would have to be properly customized for every device (which also affects attackers, BTW), plus the fact that a non-trivial number of devices are rooted and modified by the users means that there is a subset of devices for which the patch attack cannot be properly customized. Screwing up a patch attack could brick devices, so
End of Rolling Releases (Score:2)
I for once welcome the end of the Google's rolling releases stupidity.
Finally, Android is getting the security updates, as any other mature OS did for literally decades now.
Textra (Score:2)