Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher To Release Web-Based Android Attack

Posted by timothy on from the oopsie-daisy dept.

CWmike writes "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith's attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. 'We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser,' Google spokesman Jay Nancarrow confirmed in an e-mail. 'The issue does not affect Android 2.2 or later versions.' Version 2.2 runs on 36.2 percent of Android phones, Google says"

10 of 136 comments (clear)

  1. Anything that gets phone makers to update... by mykos · · Score: 3, Insightful

    So many phone makers seem to think the worst thing in the world is to provide users an official update. Maybe this will get them in gear.

    As an aside, does anyone know what phone makers are good about keeping updates coming?

    1. Re:Anything that gets phone makers to update... by rmcd · · Score: 2, Insightful

      One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

      The other problem is that hardware becomes outdated and perhaps challenging to update. T-mobile just started updating the MyTouch 3G (which I have). This is a 15-month-old phone running stock android, and I think it took them a long time because the hardware is old.

      I don't think this is as trivial a problem as some of the commenters would suggest.

    2. Re:Anything that gets phone makers to update... by toastar · · Score: 2, Insightful

      If you are on the Galaxy S like I am, Froyo started rolling out today in the UK - hoping the US is not far behind.

      If you have root like I do, you probably have had froyo for months

    3. Re:Anything that gets phone makers to update... by mini+me · · Score: 1, Insightful

      Apple might give you a few updates when you first purchase your device, but they soon stop coming too. First generation iPhone and iPod touch owners are already without the option of upgrading to iOS 4.

    4. Re:Anything that gets phone makers to update... by khchung · · Score: 1, Insightful

      Won't it be nice if someone sues a carrier for not providing updates

      So you would be happy to encourage carriers to pick phones that do not have updates so they won't be liable for not providing the updates to customers?

      --
      Oliver.
    5. Re:Anything that gets phone makers to update... by peragrin · · Score: 2, Insightful

      And this is one of the main reasons not to get an Android phone. In order to get upgrades you have to root(jailbreak) the phone. Apple may be a control freak, but at least they are willing to support their products for more than 6 months.

        So many Android phones have come and gone one would think that an game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.

      --
      i thought once I was found, but it was only a dream.
    6. Re:Anything that gets phone makers to update... by jeffmeden · · Score: 2, Insightful

      If you have genuine security needs (and concerns) like I do, you wouldn't touch a rooting system and hacked rom with a 10 meter patch cord. Hoping for increased security by running "newer" code from completely untrusted sources... What could possibly go wrong?

  2. Risk outweighs benefit by tepples · · Score: 2, Insightful

    Isn't this roughly similar to the effects obtained by the earlier exploits on iOS?

    Technically it is. But unless you bought your Android phone from AT&T, you have the option to put in your own command prompt through "Unknown sources". So any jailbreaks for Android are considered less necessary, and the risk outweighs the benefit.

  3. Re:That so called Researcher should be arrested by sitharus · · Score: 4, Insightful

    Because we've seen from history that most companies won't patch an exploit unless it's screaming at them, and that most exploits are picked up by people who wish actual harm on you before security researchers find them.

    Hopefully this will force some device manufacturers to release 2.2 updates for their devices, and with any luck it'll teach them to stick with stock android rather than loading crapware.

    --
    --sitharus
  4. Class Action Lawsuit? by JSBiff · · Score: 3, Insightful

    I wonder if there is any law which covers this sort of situation. The original G1 was only released like 3 years ago - not really very old, but T-Mobile has completely abandoned owners/users of the G1 and is not providing any additional updates.

    Honestly, I blame Google. From day 1, it should have been mandatory that OS updates would come from Google, forever. Carriers don't give a crap about keeping users in updated code once the phone is sold. To them, it's just a device which comes in a box, gets sold, and if it becomes 'obsolete' within 2 years, well that's just another box they can sell you in 2 years.

    It's absolutely inexcusable that a programmable, Internet enabled device of the complexity of a G1 should not have guaranteed security updates for the included software, for a minimum of 10 years.