Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher To Release Web-Based Android Attack

Posted by timothy on from the oopsie-daisy dept.

CWmike writes "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith's attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. 'We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser,' Google spokesman Jay Nancarrow confirmed in an e-mail. 'The issue does not affect Android 2.2 or later versions.' Version 2.2 runs on 36.2 percent of Android phones, Google says"

22 of 136 comments (clear)

  1. Anything that gets phone makers to update... by mykos · · Score: 3, Insightful

    So many phone makers seem to think the worst thing in the world is to provide users an official update. Maybe this will get them in gear.

    As an aside, does anyone know what phone makers are good about keeping updates coming?

    1. Re:Anything that gets phone makers to update... by Anonymous Coward · · Score: 2, Informative

      Still waiting for 2.2 from Samsung... so not them!

    2. Re:Anything that gets phone makers to update... by cheater512 · · Score: 4, Interesting

      N900 is pretty good. 3 core updates (I think) so far plus a upgrade to Meego when it is finished.
      Also half the price of similar phones.

    3. Re:Anything that gets phone makers to update... by stoolpigeon · · Score: 3, Informative

      If you are on the Galaxy S like I am, Froyo started rolling out today in the UK - hoping the US is not far behind.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    4. Re:Anything that gets phone makers to update... by rmcd · · Score: 2, Insightful

      One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

      The other problem is that hardware becomes outdated and perhaps challenging to update. T-mobile just started updating the MyTouch 3G (which I have). This is a 15-month-old phone running stock android, and I think it took them a long time because the hardware is old.

      I don't think this is as trivial a problem as some of the commenters would suggest.

    5. Re:Anything that gets phone makers to update... by Johnny+O · · Score: 3, Informative

      Samsung or Sprint (I forget which) already stated that the Moment (which I am posting this from) will NOT be getting 2.2. We are STUCK with 2.1.

    6. Re:Anything that gets phone makers to update... by bhagwad · · Score: 4, Interesting

      Won't it be nice if someone sues a carrier for not providing updates because of which their phone was hacked and valuable data lost? It'll be like a wet dream come true for me :D

    7. Re:Anything that gets phone makers to update... by Zarf · · Score: 2, Informative

      Motorola Droid has had every update so far.

      --
      [signature]
    8. Re:Anything that gets phone makers to update... by toastar · · Score: 2, Insightful

      If you are on the Galaxy S like I am, Froyo started rolling out today in the UK - hoping the US is not far behind.

      If you have root like I do, you probably have had froyo for months

    9. Re:Anything that gets phone makers to update... by peragrin · · Score: 2, Insightful

      And this is one of the main reasons not to get an Android phone. In order to get upgrades you have to root(jailbreak) the phone. Apple may be a control freak, but at least they are willing to support their products for more than 6 months.

        So many Android phones have come and gone one would think that an game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.

      --
      i thought once I was found, but it was only a dream.
    10. Re:Anything that gets phone makers to update... by jeffmeden · · Score: 2, Insightful

      If you have genuine security needs (and concerns) like I do, you wouldn't touch a rooting system and hacked rom with a 10 meter patch cord. Hoping for increased security by running "newer" code from completely untrusted sources... What could possibly go wrong?

    11. Re:Anything that gets phone makers to update... by GooberToo · · Score: 2, Informative

      By your definition, Apple's products complete fit the bill. In fact, given one product problem after another, even without your comments, they seemingly fit the bill. Though honestly, I don't believe your assessment of the market, Android+iPhone is even close to reality.

      Just the same, Android phones vary widely in fit, function, and quality. Some even exceed the iPhone's quality by a wide margin. Android's success is not because "resistance is futile" mentality as you attempt to push. Its succeeding because they cover every market segment; including the "cheap" market to well beyond what Apple currently provides.

  2. Apple = "Jailbreak", Android = "Risk"? by TaoPhoenix · · Score: 2

    Isn't this roughly similar to the effects obtained by the earlier exploits on iOS? However, there many users first feeling was some relief from the monolithic Apple gate system, but here on Android the spin feels more like traditional tech news.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  3. Risk outweighs benefit by tepples · · Score: 2, Insightful

    Isn't this roughly similar to the effects obtained by the earlier exploits on iOS?

    Technically it is. But unless you bought your Android phone from AT&T, you have the option to put in your own command prompt through "Unknown sources". So any jailbreaks for Android are considered less necessary, and the risk outweighs the benefit.

    1. Re:Risk outweighs benefit by the_humeister · · Score: 2, Interesting

      Even if you do have an AT&T Android phone, which I do, it is still possible to use apk (a tool found in the Android SDK) to transfer programs to the phone. It's pretty simple to use too. Of course, to get rid of the crapware AT&T installs, rooting is still required.

  4. Re:That so called Researcher should be arrested by sitharus · · Score: 4, Insightful

    Because we've seen from history that most companies won't patch an exploit unless it's screaming at them, and that most exploits are picked up by people who wish actual harm on you before security researchers find them.

    Hopefully this will force some device manufacturers to release 2.2 updates for their devices, and with any luck it'll teach them to stick with stock android rather than loading crapware.

    --
    --sitharus
  5. Re:That so called Researcher should be arrested by jhigh · · Score: 3, Interesting

    "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.

    How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"

    Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?

    He is publishing code that can be used to exploit a vulnerability. This could be used for malicious purposes, or it could be used for security demonstrations, as an example to be taught to infosec students or any of a ton of other academic and/or security-related purposes. He is not actually using the code to do anything malicious. Please tell me exactly what statute he is in violation of? Are you saying that no one should ever publish code for exploits?

    --
    Social Engineering Expert: Because there is no patch for stupidity.
  6. Re:That so called Researcher should be arrested by phantomfive · · Score: 2, Informative

    This is a known exploit, Google has patched it. It isn't like this is some secret thing that no one would have known about if he didn't release it; anyone who actually cares (and has the technical ability) already has the exploit. So he is not harming you really.

    Typically it is considered bad form for security researchers to release exploits before informing the manufacturer. Once the manufacturer has long enough to fix it, if then it is ok to release it. Experience has shown that sometimes this is the only way to pressure manufacturers into patching it.

    Another use for the code is so you can learn. I appreciate it when researchers release the code; a lot of hackers try to keep their techniques secret, and we are all worse off for it.

    --
    Qxe4
  7. Class Action Lawsuit? by JSBiff · · Score: 3, Insightful

    I wonder if there is any law which covers this sort of situation. The original G1 was only released like 3 years ago - not really very old, but T-Mobile has completely abandoned owners/users of the G1 and is not providing any additional updates.

    Honestly, I blame Google. From day 1, it should have been mandatory that OS updates would come from Google, forever. Carriers don't give a crap about keeping users in updated code once the phone is sold. To them, it's just a device which comes in a box, gets sold, and if it becomes 'obsolete' within 2 years, well that's just another box they can sell you in 2 years.

    It's absolutely inexcusable that a programmable, Internet enabled device of the complexity of a G1 should not have guaranteed security updates for the included software, for a minimum of 10 years.

    1. Re:Class Action Lawsuit? by getto+man+d · · Score: 2, Interesting

      Google and the hardware manufacturers are both to blame; Google (for the reasons you stated) and the manufacturers for adding in their 'own' elements departing steadily from vanilla android.

      I've seen many comments on /. how Android is amazing, especially since it is fragmented (linux and windows arguments) but this is the worst possible case for the mobile platform, IMHO. Unless of course you don't mind upgrading your phone every 'x' amount of years. Some of us don't have the spare $$ and truly want a device that is current without modding.

    2. Re:Class Action Lawsuit? by Woek · · Score: 2, Interesting

      One of the selling points of the Google Nexus One phone was direct support from Google, and therefore the quickest updates. The phone is quite a bit more expensive than the HTC desire/incredible, which is practically the same phone.

    3. Re:Class Action Lawsuit? by TimTucker · · Score: 2, Interesting

      This was also a selling point of the ADP1 (basically the developer version of the G1). Some of us did shell out early for an unsubsidized Android phone with the expectation that it would be directly supported by Google.