Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Android Google Security

Zimperium Releases Stagefright Detection Tool and Vulnerability Demo Video 54

Mark Wilson writes: We've already looked at the Stagefright vulnerability, discovered by Zimperium, and shown what can be done to deal with it. Affecting up to 95 percent of Android devices, the vulnerability has led to Google and Samsung announcing monthly security updates. Now the mobile security company has released additional details about how the exploit works. To help explain the vulnerability, a video has been produced which uses a Stagefright demonstration to illustrate it in action. Zimperium has also released an Android app that checks devices for the vulnerability.
This discussion has been archived. No new comments can be posted.

Zimperium Releases Stagefright Detection Tool and Vulnerability Demo Video

Comments Filter:
  • Maybe Dice can get on FristPost/GNAA Detection Tool? Nah...that would require programming talent.
  • by TWX ( 665546 ) on Thursday August 06, 2015 @09:40PM (#50266935)
    A security vulnerability discussion on Slashdot that's over 30 minutes old and has no posts relevant to the content (including this one), and instead has three trolls, one reaction to a troll, and one comment on the fall of Slashdot.

    I really did not expect to see this.
    • I really did not expect to see this.

      At least Goatse hasn't made an appearance. You *really* don't expect to see that.

    • by AmiMoJo ( 196126 )

      It's not all that interesting. The severity of this vulnerability is low because since way back in the 2.0 days Android has had ASLR enabled by default in the kernel, which largely mitigates it.

      Defensive security measures like ASLR do a lot to mitigate the severity of new exploits, which is why you don't see sudden mass infections the way you used to back in the XP days. Some people love to soil their pants every time some new "critical" exploit comes along, ranting like lunatics that Android/iOS/Windows is

    • the fall of Slashdot.

      Yep. I started reading it this week after a year away and it's a shadow of its former self. Zero content.

      A USEFUL article summary would have told you to go to the messaging options page on your phone and disable automatic MMS retrieval. That will protect you from the vulnerability.

      Instead we have all this useless crap about updating the OS (if you even can!!) and how millions of Android devices are about to be rooted, etc.

    • Yet we keep coming back here.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday August 06, 2015 @09:56PM (#50266975) Homepage Journal

    Well, on my Transformer Prime, anyway. The unlock tool doesn't work on it, so I have quite an uphill battle ahead of me upgrading it...

    • I ran it too and what the app told me wasn't immediately useful. When I checked on Google Play, others had said the same. So I installed Lookout Security's Stagefright detector and it not only told me my devices were vulnerable, it also linked to helpful instructions to change my settings and avoid the problem.

      You can install it from here: https://play.google.com/store/... [google.com]

      Lookout's blog page has details about the app and how to make sure your messaging apps are safe from the exploit: https://blog.look [lookout.com]
    • This reveals whether a device is vulnerable, and indicates whether an OS update is needed.

      Of course you're never going to get an OS update because your vendor isn't ever going to release one, they're too busy introducing a new model that obsoletes your two-month-old phone and whose main differentiator is that the power button is moved 1/200" to the left. Buy the new model, the problem may be patched. If not, try buying the next model that's coming out in three weeks.

  • by Joe Gillian ( 3683399 ) on Thursday August 06, 2015 @09:57PM (#50266989)

    From what I understand, Stagefright is a bug that can only be removed in one of two ways: either by an update from the manufacturer of your device, or rooting your device and manually removing the image viewer that Stagefright uses as a vector. There's really nothing an average (non-rooting) user can do to fix their devices but wait, and nothing they can really do to stop it happening to them short of turning their device off completely and preventing it from getting texts. Sure, it'll tell them that their device is vulnerable, but it's a case of "You're vulnerable to Stagefright and can do absolutely nothing about it short of rooting your device until your device manufacturer decides to release an update."

    • You can use a program like Textra as your main SMS program. It has security built in to prevent Stagefright.
    • by Anonymous Coward

      From what I understand, Stagefright is a bug that can only be removed in one of two ways: either by an update from the manufacturer of your device, or rooting your device and manually removing the image viewer that Stagefright uses as a vector. There's really nothing an average (non-rooting) user can do to fix their devices but wait, and nothing they can really do to stop it happening to them short of turning their device off completely and preventing it from getting texts. Sure, it'll tell them that their device is vulnerable, but it's a case of "You're vulnerable to Stagefright and can do absolutely nothing about it short of rooting your device until your device manufacturer decides to release an update."

      You can disable packet data for the short term until you resolve the issue on your phone. this will make the phone usable (wifi only for data) and text messages still available, but will not use MMS as packet data is required for this.

    • by AmiMoJo ( 196126 )

      Fortunately the bug isn't that bad. Because of ASLR and other defence mechanisms in place (as far back as V2.0) the damage it can do is fairly limited. Maybe a really slow, really expensive DOS attack, until you call up and ask your carrier to block MMS.

    • On a stock, non-rooted phone you can disable MMS [trendmicro.com] to provide some degree of protection from this particular exploit.

      Although unconfirmed, there are several stagefright booleans [blogspot.com] in /system/build.prop on some phones. Setting them to false might provide some additional protection. Root and a reasonable text editor will be required (i.e., busybox vi), and you should be able to recover from a boot loop before attempting this modification.

  • by TheGratefulNet ( 143330 ) on Thursday August 06, 2015 @10:01PM (#50266999)

    >Google and Samsung announcing monthly security updates

    I call bullshit.

    until they take security seriously (which means backporting fixes to old os's in phones) this is worse then bullshit. its acting like a real fix when, in fact, its stil business as usual. phones will not get updates if the vendor wants to force you to re-re-rebuy yet another phone.

    when there is a push to keep selling you things that you already have, you will NOT get software updates or support.

    the model is broken by design. apple has it mostly right (although they also actively try to force upgrades on hardware by EOLing perfectly good and working hw) but android/google fucked the chicken, here. they decided to make a monolithic system out of the non-monolithic linux base and there's no fixing this broken-by-design idea. vendors are enjoying their wild-west view of things and anything goes! consumer protection is a thing that we used to have 20+ yrs ago, but no one cares about us anymore.

    looking to google to help secure things? HA! samsung? DOUBLE HA!

    both are jokes when it comes to software QUALITY. such a shame, too, that such rich companies don't give time or energy to things that truly are important to users.

    • by TWX ( 665546 )
      No one takes security seriously anymore. Everyone's chasing features. End-users simply don't care because there are so many of them that it's impossible to dramatically affect enough of them to build a movement against shoddy software. Everyone knows of someone that had problems yet it's just considered a fact of life.

      In the late nineties I dreamed of the smart home, the smart car, etc. I even played with X10 for awhile and had strongly considered integrating a computer into my car in a fashion that
    • I think they're being forced into this by mounting public/press pressure. They're going through the same discovery process that creators of PC software, browsers, and operating systems went through a decade ago (or more recently with Adobe and Oracle). If a company like Microsoft can get their shit together security-wise, then so can Google and other Android manufacturers. It just requires a fairly serious commitment. Whether this is real or marketing bullshit will become clear soon enough.

      • by 0123456 ( 636235 )

        The problem is, if they push an update to my phone that breaks it, I'm in the shit.

        If my PC doesn't work, I can live without it for a few days, or reinstall the OS. If my phone doesn't work, I can... not get urgent messages when I'm on call.

        This is why I avoided getting a smartphone until I no longer had a real choice (I need to run some app to generate login passwords).

        • True, but I haven't seen updates pushed without my consent so far on my phone. Also, I suspect the chance of your phone being completely bricked by a security update is pretty low. You probably have a much better chance of accidentally dropping and breaking it.

          Still, I do share your fears about mandatory updates. I think Microsoft's Windows 10 update policy for the consumer version is absolute lunacy. It makes sense from a security standpoint, but it's horrible in terms of stability/control for people w

    • by nnull ( 1148259 )
      Add to this locked bootloaders and then the second OS Baseband that's completely riddled with bugs and exploits. None of these phones are really secure, even Iphones. Every time I look at my phone I cringe. It annoys the crap out of me that I have no clue what its doing behind the scenes while on a mobile network.
  • by SuperKendall ( 25149 ) on Thursday August 06, 2015 @10:27PM (#50267071)

    I'm not saying they should have done it, because of legal exposure, but...

    It would have been pretty cool if the Stagefright detection app, also used the vulnerability to patch your system in some way.

    I wonder how that would have been received, if it had all worked perfectly and not screwed something up.

    • The idea of using the vulnerability to patch the vulnerability comes up pretty regularly, but it's just too risky. The Android ecosystem is diverse, which means that the "patch attack" would have to be properly customized for every device (which also affects attackers, BTW), plus the fact that a non-trivial number of devices are rooted and modified by the users means that there is a subset of devices for which the patch attack cannot be properly customized. Screwing up a patch attack could brick devices, so

  • I for once welcome the end of the Google's rolling releases stupidity.

    Finally, Android is getting the security updates, as any other mature OS did for literally decades now.

  • My texting app, Textra, updated last weekend with builtin Stagefright protection.

As of next Thursday, UNIX will be flushed in favor of TOPS-10. Please update your programs.

Working...