Huge Security Hole In Recent Samsung Devices
An anonymous reader writes "A huge security hole has been discovered in recent Samsung devices including phones like the Galaxy S2 and S3. It is possible for every user to obtain root due to a custom faulty memory device created by Samsung." The problem affects phones with the Exynos System-on-Chip.
Does that mean I can finally root and upgrade my crappy Galaxy S1 with Android 2.1 yet? Fucking AT&T
http://saveie6.com/
This only affects the international S3, the US LTE version uses a Snapdragon CPU.
I consider someone *else* running as root a security hole. As long as you need physical access, this is a feature. A phone that will not let you install what you want is broken.
Instead of considering that "security hole" a "security hole", consider it as a "feature".
Just root the damn thing and unlock it !!
Thank you very much, Mr. Edward Snowden!
Are you sure it wasn't a faulty custom memory device instead?
systemd is Roko's Basilisk.
Just a heads-up, I found a pretty good free firewall app, for rooted Android devices, called "Droidwall" (in android's playstore, tools section). No permissions, I've been using it for a few weeks now on my Arnova pre-rooted ICS $99 tablet, works perfectly! Should be sop for all of android. It lets you 'whitelist/deny' internet access for any installed app, useful if you're on a limited data plan.
The Google ad on the page for TFA states "Root Any Android Device In 1 Touch! Easy To Use Automatic Root Software". Talk about context-sensitive ads!!
> It's just one more exposure. The real problem is in actually being able to tell what -any- app is currently doing
> on your device. And that kind of monitoring is no-where in sight.
Wrong, and wrong. With this, you can access all the memory on your phone. Clearly with this you CAN tell what's running. You can stop what's running. You can patch what's running. You can do whatever you like. This is about as different to the average piece of malware as is possible to get.
Damn that was vague. Could you maybe explain what kind of bad things they can do without permission?
And what kind of monitoring do you want? A debugger?
What?
Every user can easily root their device? Sounds like a feature to me.
Strangely, TFA makes no mention of an app built to actually use this exploit to install SuperSU (root access management app): http://forum.xda-developers.com/showthread.php?t=2050297 - i.e. what most users consider getting rooted.
Of course, this exploit can be used by any app, and a user can use the core exploit manually to install SuperSU (or Superuser) to let Play apps that need root (but don't contain this exploit ;)), but the linked method does all the work for you already.
Why did you link to that horrible advertisement of a webpage? Google even gives the Wikipedia page as the first result...
other than stuff befalling jailbroken devices
This is the important part. Walled gardens are inherently more secure, it has nothing to do with Apple's competence.
AccountKiller
Damn that was vague.
If by 'vague', you mean 'detailed', then yes, it was. 8^)
Could you maybe explain what kind of bad things they can do without permission?
The most damning bit of code is this:
#ifdef CONFIG_EXYNOS_MEM
[14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, &exynos_mem_fops},
#endif
Basically, it says, "Aw heck, write whatever you like to any memory address anywhere. I mean, we're all friends here. Right?"
Effectively, any installed app can ignore pretty much every single security setting on the phone and do whatever it likes to the running system. Worse, this could be coupled with a vulnerability in an otherwise well-intentioned app to create a remote root exploit.
On the WTF scale, this ranks with the 2008 Debian SSL hole in terms of rank stupidity.
Crumb's Corollary: Never bring a knife to a bun fight.
Tim Cook needs to sue them for that one.
How is this even remotely a security hole? Much less a "Huge" one? Owners can gain root access to their own device? God forbid!
The absolute worst case would be to use the elevated access to leverage the superbrick bug (another hole out in the wild on the majority of Exynos-based phones) and permanently damage the eMMC chip, which requires a system-board replacement to revive the phone.
Form of: denial and accusation of user error.
You're an Apple employee, and you're projecting.
When all you have is a hammer, every problem starts to look like a thumb.
Sounds like Samsung is ripping off Sony security.
Quick! Get Kaz Hirai on the phone!
Unencumbered by the thought process.
If Android phones defaulted to Amazon's store, or if Google went to a two tier system (one tier with stuff as they do now, second tier that is thoroughly vetted and rejections are swift and brutal), Android would have far fewer issues.
As for security, Apple's is chiefly based around how good their gatekeeper is. If some app gets through, it will have a field day. Of course, this is mitigated in iOS 6 by the OS asking if an app can have access to photos or contacts, but it doesn't stop an app from going crazy with high-priced SMS messages or just using the phone as a botnet client for spam, DDoS, or other items.
Given the popularity of the S2 and S3 I would say a rapidly spreading virus that turns them into a mobile botnet or spyware system would be far worse.
Although bricking them all at once would be massively damaging to Samsung.
I was considering purchase of a Galaxy S2 in the next 12 hours. Now I can't justify spending the money on it knowing it has a gaping security hole. Is there a possibility this could affect the similarly spec'd Samsung Galaxy S Advance? It has a STE U8500 chipset so if it's truly only an Exynos chipset vulnerability it should be fine, but this leaves me wondering about Samsung. Perhaps more telling would be waiting to see what, if anything, Samsung does about this.
www.gaiageek.com
If only someone had found a way to fix this :(
Shouldn't that have been == ?
The problem is that the same feature allows for malware to take control of the device, and considering that makes it very difficult to remove as opposed to a traditional PC...yeah, it is a bad thing. A very bad thing, as apparently it's already being exploited in Android marketplaces.
And there are those who wonder why the #1 seller on the market is the iPhone. Perhaps, it is because Apple takes security seriously?
iOS has yet to have a single malware app in its history, other than stuff befalling jailbroken devices. This is a quite sterling record for any popular platform in the computing industry.
You're either extremely stupid or extremely ignorant. Yeah, you're stupid.
Apple's is chiefly based around how good their gatekeeper is.
No, in fact Apple's security does not rely on that at all. The system is designed to prevent any application, not just Apple vetted ones, from harming the system - otherwise Apple would not allow independent Enterprise deployment as they do since Apple does not review those applications.
Apple's system is deeper than Android's because instead of having one up-front, out-of-context question about the permissions the app should support, iOS users are asked if the system should allow access to a protected resource at the time the application (and thus the user) needs it. You aren't asked up front if an app can access contacts, you get asked that when you reach a portion of the app that would like to look into contacts, and thus you can decide if you really want it to see contacts for that reason, or back out and not let the app see them.
iOS devices ALSO do not allow installation of apps to external media which was already a monstrous security hole for Android devices; any SD card inserted that was formatted FAT32 could have any portion read and written to by any app.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
That isn't a fix, but merely flimsy cork or finger in the hole. Unfortunately, from what I read (Samsung's version of /dev/mem but with global access), this "hole" is more proverbially along the lines of this bad boy:
http://en.wikipedia.org/wiki/Bingham_Canyon_Mine
In other words, it's a hardware design flaw so big it can only be worked around, and even then only poorly.
I'm doubly pissed here because I bought the T-Mobile USA version of the Galaxy Note II (SGH-T889) on the day it came out, and a month before this broke. Luckily, I make a point of not doing financial transactions on it, but what about the other 5M+ GN2 owners as well as international GS3 owners (CAN/AM GS3 uses Snapdragon and is supposedly unaffected...).
Not sure if you fail at understanding basic computer science, didn't read TFA, or what. This security hole allows any app, jailbreak, malware, whatever, to take control of the phone and hide itself from further detection. I.e. it can patch the kernel. Don't be obtuse.
I like Droidwall, have been using it since the 1.x days. Yes, it does require root, but it is worth using. Oddly enough, on rooted Motorola phones, it takes a while to push the iptables entries out when you tell it to. On HTC phones, it is a lot quicker.
Another app that I used to use was LBE Privacy Guard, but it doesn't work on Android 4.1 or newer (will bootloop your phone if you try.) I know it is a free app, but when it worked, it was a very useful tool, as it limited what apps could access (contacts, GPS, phone) without having to manually edit permissions in a manifest file.
This is not a hardware design flaw. Whatever makes you think that? The reason it affects so many Exynos4 devices is because the exploitable code is present in the main code they base most Exynos4 Android firmwares on. It's certainly fixable by Samsung.
No, it's a definition for array element 14, thus "[14] = ...". There's a newline missing in the comment after "#ifdef CONFIG_EXYNOS_MEM".
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
The page describing the exploit is from September. Is that news?
The code attached to the first post demonstrates how to elevate privileges to root then open a root shell. If someone had an issue with Samsung they could then brick the device by overwriting the boot loaders or use the "Super Brick" bug; the permissions set by Samsung devs allow R/W access to kernel memory.
My experience with Samsung devices is that they are easy to root, but Samsung seems to outsource the software development to North Korea.
lol... I don't wanna know what kind of coding you people are growing up on these days..
LBE Privacy Guard: Possible Malware

I installed LBE Privacy on my LG Esteem, and tried it out for a few days. I uninstalled LBE Privacy Guard a couple days ago, because it kept hassling me to set permissions every time I installed or used a new app.

Since I had uninstalled LBE Privacy Guard, my phone has not been able to install new apps properly. Whenever I install a new app, the new app would only work until I reboot my phone. After I reboot my phone, the newly installed apps would fail to launch and give the error message: "the application XXX has stopped unexpectedly. Please try again". That's for every new app I have uninstalled since I had uninstalled LBE Privacy Guard on Wednesday. Another app on my phone, DW Contacts and Phone Dialer Pro, could no longer retain any of my customization settings. DW Contacts popped up an error warning and informed me that the file permission database has some "exception". I immediately knew it's LBE Privacy Guard that had screwed up my phone.

I tried re-installing LBE Privacy Guard, and then reboot my phone. As I expected, LBE Privacy Guard has continued to work after multiple reboots. Then I installed a few other apps, but I am still getting the same errors with all other apps. So now LBE Privacy Guard is the ONLY app that has continued to install and work properly after it had screwed up my phone.

Then, I googled for information on LBE, and found this: [APP][ROOT] LBE Privacy Guard - Most Powerful privacy protection app for Android - Page 48 - xda-developers

Apparently LBE mines user data and is quite shady about doing it, and it also does not like being uninstalled. I suspect LBE made some low-level changes to the permission. It seems to me that everything else (i.e., every new install) has been blocked and denied permission... except LBE itself.

http://androidforums.com/esteem-all-things-root/555032-lbe-privacy-guard-possible-malware.html
Form of: denial and accusation of user error.
You're an Apple employee, and you're projecting.
and your Apple spinmod friends don't impress me either. Actually, the more you do things like that, the more you Apple people disgust me.
When all you have is a hammer, every problem starts to look like a thumb.
Walled gardens are inherently more secure, it has nothing to do with Apple's competence.
Do you have any actual evidence to support that fanciful assertion? Didn't think so.
When all you have is a hammer, every problem starts to look like a thumb.
Use this APK to get root and install superSU
http://forum.xda-developers.com/showthread.php?t=2050297
Now, whenever any app asks for root permissions, you will be asked whether you want to give root. This is how it used to work in my older rooted devices.
My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
FB : https://www.facebook.com/TanveersPhotography
Commenting to remove an accidental mod, a sad mistake that caused many tears.
Walled gardens are inherently more secure
Which walled gardens? More secure how? More secure than what?
If the walled garden does a better job of verifying the security than the collection of apps you are comparing it to, then you are right. But that is not an inherent characteristic of the walled garden model any more than it is of any other kind of collection of apps. The question is how strongly the selection process under consideration filters for security.
For example, F-Droid is a repository of Free and Open Source Android software. It is pretty much the opposite of a walled garden, and it is very possible that the F-Droid software is more secure than what is available on Google Play or the iTunes App Store.
The claim that walled gardens are inherently more secure is no more valid than the archaic and discarded notion that proprietary software is inherently more secure than Open Source. The same holds true for the operating system as for the marketplace, for the same reasons.
Stop-Prism.org: Opt Out of Surveillance
Wow, Samsung.
Any root-level application can put and change files willy-nilly. It no longer has the application sandboxing and can make permanent changes.
As such, something like LBE Privacy Guard will modify the base files to inject its code into them. Uninstalling the app may possibly leave behind traces causing crashes. It's possible that an unknown phone like the LG Esteem has modified its Android core or the location of certain files, causing a compatibility issue.
Given the popularity of any i-devices, I would say a rapidly spreading virus that turns them into a mobile botnet or spyware system would be far worse.
What, you thought root (aka jailbreak) on devices was special to the S3?
...it is very possible that the F-Droid software is more secure than what is available on Google Play or the iTunes App Store.
As a potential user, do you define "it is very possible" in the sense that it is very possible that an eggshell and yolk will jump off the floor and assemble itself into an unbroken egg on the counter, or "it is very possible" in the sense that the Sun might rise tomorrow morning? I cannot see how you ascertain the security of F-Droid software, even being the FOSS advocate that I am.
Posting anon to preserve moderations, I'm user 'dotancohen'.
Does that mean the HRS Hotels app can be deleted more easily?
Naah, they obviously would have dealt with preventing that more thoroughly as marketing depts. with deep pockets were involved.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
Why are you excluding jailbreaks? Just because a bug is exploited for a good cause doesn't make it a good security-bug.
That made my day. I had to go through all my old apps and disable automatic updates (I disabled it by default for the new ones months ago) but after rooting the phone I finally was able to remove the fr****ng Voice Commands app with the instructions here.
You can use supercurio's non-root fix. Note that it does temporarily stop the front camera on the Galaxy S3 from working.
So you're saying that #ifdef == #define?
The C-preprocessors are getting so smart these days.
There is no issue, everything is fine.
Sent from my Samsung Galaxy S3
http://www.awfullybigmoustache.com
It's just one file which has the wrong permissions. That's correctable with "chmod". That's not a cork in the hole, it's someone building a huge castle with all sorts of fortifications and then not locking the door. Stupid, but trivially easy to fix.
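Both the quoted initializer above (the `[14] = {"exynos-mem", ...}` entry) and this "just chmod it" reply come down to the same permission bits, so here is an added example that makes both concrete. It is not Samsung's kernel code and not anything from the xda-developers thread: the table below is constructed in the shape of that initializer, with index 14 copied from the quoted line and a conventional root-only `"mem"` entry added for contrast, plus a runtime check that reads a node's mode with `stat()` and, if asked, restricts it to 0600 the way the chmod workaround would. The stand-in `file_operations` structs, the table and the temp-file demo are all constructed for this example.

```c
/* Added example: audit a device-node table for world-accessible modes and
 * check/repair a live node's permission bits. Constructed for illustration;
 * not Samsung's kernel source. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Stand-in for the kernel's struct file_operations; only the address matters here. */
struct fake_fops { const char *label; };
static struct fake_fops exynos_mem_fops = { "exynos-mem ops (stand-in)" };
static struct fake_fops mem_fops        = { "mem ops (stand-in)" };

/* Same shape as the quoted initializer: name, mode, fops. */
struct dev_entry {
    const char *name;
    mode_t mode;
    struct fake_fops *fops;
};

/* Constructed table. Index 14 reproduces the quoted entry; index 1 is an
 * illustrative root-only entry (0600) showing what the mode should look like. */
static const struct dev_entry devlist[] = {
    [1]  = {"mem",        S_IRUSR | S_IWUSR, &mem_fops},
    [14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, &exynos_mem_fops},
};
#define DEVLIST_LEN (sizeof devlist / sizeof devlist[0])

/* True if the "other" bits grant read or write to any uid on the system. */
int mode_world_accessible(mode_t mode) {
    return (mode & (S_IROTH | S_IWOTH)) != 0;
}

/* Walk the table, report every world-accessible entry, return how many there are. */
int audit_devlist(void) {
    int bad = 0;
    for (size_t i = 0; i < DEVLIST_LEN; i++) {
        if (devlist[i].name == NULL)
            continue; /* unused slot left zeroed by the designated initializer */
        if (mode_world_accessible(devlist[i].mode)) {
            printf("[%zu] %s: mode %04o is world-accessible\n",
                   i, devlist[i].name, (unsigned)(devlist[i].mode & 0777));
            bad++;
        }
    }
    return bad;
}

/* Inspect a live node. Returns -1 if it cannot be stat'ed or fixed,
 * 0 if already restricted, 1 if it was world-accessible (and, with fix set,
 * has now been restricted to owner read/write, i.e. 0600). */
int check_node(const char *path, int fix) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!mode_world_accessible(st.st_mode))
        return 0;
    if (fix && chmod(path, S_IRUSR | S_IWUSR) != 0)
        return -1;
    return 1;
}

/* Offline demonstration: a 0666 temp file stands in for the device node.
 * Returns first_pass * 10 + second_pass, so 10 means "found and fixed, then
 * clean on re-check"; -1 means the setup itself failed. */
int demo_on_temp_file(void) {
    char tmpl[] = "/tmp/exynos-mem-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    close(fd);
    if (chmod(tmpl, 0666) != 0) { unlink(tmpl); return -1; }
    int first  = check_node(tmpl, 1);
    int second = check_node(tmpl, 1);
    unlink(tmpl);
    return first * 10 + second;
}

int main(void) {
    printf("table entries with world access: %d\n", audit_devlist());
    printf("temp-file demo result: %d\n", demo_on_temp_file());
    return 0;
}
```

The table audit is the compile-time view of the problem: the quoted mode expression evaluates to 0666, so the check flags exactly that entry. The runtime check is what a boot-time script or a device-integrity agent would do against the real `/dev` path; note that it only inspects and corrects permission bits, and says nothing about the camera side effect that the chmod workaround is reported to have on some devices.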
No, I'm saying that the original code was:
But I suspect you already knew that.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
No, please read again.
#ifdef CONFIG_EXYNOS_MEM
(stuff happens)
#endif
The wider context is that the exact same set of devices have a bug where if a certain operation is performed you have a non-trivial chance of ending up with what has been called a "superbrick". This hole would allow any app installed from the Play store (or otherwise) to invoke that operation, or any other operation it liked, without the owner's permission.
Except chmod breaks the camera on some devices. Fixes were outlined in the xda-developers thread to white-list specific DMA regions for the camera to function, instead of all lowmem.
Charlie Miller would like to disagree with you with his Command and Control trojan stock ticker app.
Meanwhile a thousand equivalent apps sit on the Android app store untouched. MORE secure does not mean 100% secure.
After all, even with his stock ticker app what could actually be done via remote commands is still limited to what the sandbox can do. That is defense in depth.
The fact remains iOS is MORE secure than Android.
Deeper than Android's? Is that why there is a jailbreak vulnerability for each and every device it has?
Tethered jailbreaks that require physical access to perform are wholly different than Android being mostly useless without rooting it.
The target audience sees a popup and it's an automatic "yes"
It is on Android because you are agreeing to a million things. On iOS it's far less automatic because you are only thinking about one question, and if it doesn't make any sense you just kill the app.
Oh wait, you're advocating for a user experience that involves popups
Yes, at the right time and asked only once. Because that is what leads to better security, not only EVER asking once for a million permissions, or asking every single time (Vista), which DOES lead to users simply agreeing.
Any app placed on the SD card is encrypted by the OS.
Yes, encrypted by the device all other applications are running on. You must be REALLY stupid to think everything is encrypted (it is not) or that it's not possible to decrypt and inject (the system does after all).
Basically I'd say it speaks volumes to the confidence of your arguments that you posted AC instead of as a user. Tired of being provably wrong over a long time, how pathetic.
"There is more worth loving than we have strength to love." - Brian Jay Stanley