Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher To Release Web-Based Android Attack

Posted by timothy on from the oopsie-daisy dept.

CWmike writes "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith's attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. 'We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser,' Google spokesman Jay Nancarrow confirmed in an e-mail. 'The issue does not affect Android 2.2 or later versions.' Version 2.2 runs on 36.2 percent of Android phones, Google says"

8 of 136 comments (clear)

  1. Anything that gets phone makers to update... by mykos · · Score: 3, Insightful

    So many phone makers seem to think the worst thing in the world is to provide users an official update. Maybe this will get them in gear.

    As an aside, does anyone know what phone makers are good about keeping updates coming?

    1. Re:Anything that gets phone makers to update... by cheater512 · · Score: 4, Interesting

      N900 is pretty good. 3 core updates (I think) so far plus a upgrade to Meego when it is finished.
      Also half the price of similar phones.

    2. Re:Anything that gets phone makers to update... by stoolpigeon · · Score: 3, Informative

      If you are on the Galaxy S like I am, Froyo started rolling out today in the UK - hoping the US is not far behind.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    3. Re:Anything that gets phone makers to update... by Johnny+O · · Score: 3, Informative

      Samsung or Sprint (I forget which) already stated that the Moment (which I am posting this from) will NOT be getting 2.2. We are STUCK with 2.1.

    4. Re:Anything that gets phone makers to update... by bhagwad · · Score: 4, Interesting

      Won't it be nice if someone sues a carrier for not providing updates because of which their phone was hacked and valuable data lost? It'll be like a wet dream come true for me :D

  2. Re:That so called Researcher should be arrested by sitharus · · Score: 4, Insightful

    Because we've seen from history that most companies won't patch an exploit unless it's screaming at them, and that most exploits are picked up by people who wish actual harm on you before security researchers find them.

    Hopefully this will force some device manufacturers to release 2.2 updates for their devices, and with any luck it'll teach them to stick with stock android rather than loading crapware.

    --
    --sitharus
  3. Re:That so called Researcher should be arrested by jhigh · · Score: 3, Interesting

    "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.

    How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"

    Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?

    He is publishing code that can be used to exploit a vulnerability. This could be used for malicious purposes, or it could be used for security demonstrations, as an example to be taught to infosec students or any of a ton of other academic and/or security-related purposes. He is not actually using the code to do anything malicious. Please tell me exactly what statute he is in violation of? Are you saying that no one should ever publish code for exploits?

    --
    Social Engineering Expert: Because there is no patch for stupidity.
  4. Class Action Lawsuit? by JSBiff · · Score: 3, Insightful

    I wonder if there is any law which covers this sort of situation. The original G1 was only released like 3 years ago - not really very old, but T-Mobile has completely abandoned owners/users of the G1 and is not providing any additional updates.

    Honestly, I blame Google. From day 1, it should have been mandatory that OS updates would come from Google, forever. Carriers don't give a crap about keeping users in updated code once the phone is sold. To them, it's just a device which comes in a box, gets sold, and if it becomes 'obsolete' within 2 years, well that's just another box they can sell you in 2 years.

    It's absolutely inexcusable that a programmable, Internet enabled device of the complexity of a G1 should not have guaranteed security updates for the included software, for a minimum of 10 years.