Huge Security Hole In Recent Samsung Devices

An anonymous reader writes "A huge security hole has been discovered in recent Samsung devices including phones like the Galaxy S2 and S3. It is possible for every user to obtain root due to a custom faulty memory device created by Samsung." The problem affects phones with the Exynos System-on-Chip.

Great

[Billly+Gates]

Does that mean I can finally root and upgrade my crappy Galaxy S1 with Android 2.1 yet? Fucking AT&T

Re:Great

[aliquis]

Billy Gates wrote:

Does that mean I can finally root and upgrade my crappy Galaxy S1 with Android 2.1 yet? Fucking AT&T

You still prefer that one over your Lumia 920?

Re:Great

That phone has been rootable for ages. It runs Ice Cream Sandwich and even Jellybean quite smoothly with the proper ROM/kernel.

Re:Great

Download samsung-Kies. Easy to upgrade to 2.3 iirc.

Re:Great

[Nerdfest]

Installing anything with Kies is just torturing yourself. A Galaxy S1 runs Jelly Bean quite nicely, and it runs faster than stock 2.1 I find. The next phone I buy will be checked for Cyanogen support before I buy it.

Re:Great

[Billly+Gates]

My POS phone can't even sync with my computer. I was dissapointed in Android until I found out the one I purchased had DRM AT&T software to cripple it. I can't sync anything without outlook, can't backup files, can't even upgrade as a result of this attrocity.

My cap makes using Dropbox an issue. However I do not think it is supported on my ancient version of Android.

I plan to get a dumb phone next when my contract expires. I got ripped off. However, I have spoken to more recent galaxy S users who say they have none of my problems. The Galaxy1 is a rippoff and makes me wish I got something else.

The Lumia can sync with Outlook and files on your computer so it is a plus and not crippled like my dumbphone galaxy is. I know I am probably going to be modded down into an oblivion for this reply, but it is just my bad experience with mine and my frustrations over the years. Maybe yours is better?

Re:Great

[Billly+Gates]

DRM software on it wont let me sync it to any computer. I tried that route.

Re:Great

[kamapuaa]

Google, this is an easy thing to do. I can't guarantee this site but: https://gurde.com/2012/08/how-to-android-jelly-bean-4-1-1-on-galaxy-s-i9000/ is the first result I got.

Re:Great

[Nerdfest]

You should be able to put it into a raw download (hold Vol up + Vol down in off state while plugging uSB into it) mode and use Heimdall, where you can flash a complete image over of it. Poke around for it, it's a fairly easy phone to root, and You'll be much happier with JB on it.

Re:Great

[emag]

I rooted mine 2 years ago, while at a conference. What's been stopping you? CM10 is out for it, and I installed that last week. Of course, Friday my Nexus 4 arrived, so I don't need to touch my SGS1 ever again...

Re:Great

[elashish14]

Why not leave AT&T then?

Re:Great

You should be able to put it into a raw download (hold Vol up + Vol down in off state while plugging uSB into it) mode and use Heimdall, where you can flash a complete image over of it. Poke around for it, it's a fairly easy phone to root, and You'll be much happier with JB on it.

I want to like my iPhone, but Android is just SO OPEN.

Re:Great

[cmdr_tofu]

Galaxy S1 is easy to root! You have to be careful and follow instructions, but it's easy. http://wiki.cyanogenmod.org/wiki/Samsung_Galaxy_S

Also Samsung has it's own update process called Kies, but it won't give you root: http://pages.samsung.com/ca/androidupgrade/English/

I love my Samsung Galaxy S

Re:Great

[stephanruby]

Does that mean I can finally root and upgrade my crappy Galaxy S1 with Android 2.1 yet? Fucking AT&T

Finally? There was no reason to wait, you could have rooted your Captivate last year I bet.

With Samsung Kies, you should be able to upgrade your AT&T Captivate all the way to 4.0. That being said, you should root to get Android 4.2 at least (4.0 may be laggy for you, that's why I'm recommending that you root your phone instead, and just jump all the way to whatever is currently available without going through Samsung Kies).

Re:Great

I still have my Galaxy 1 and I can do all the things you listed and am quite happy with it, and I was able to upgrade the firmware beyond 2.1. Of course, I'm not in the US with its overall shitty market.

Re:Great

I guess they just use fastboot and package it inside a custom loader?

Re:Great

[mrbester]

The SGS is pretty much brick proof, even if you screw up the simple root instructions.

Currently running over clocked (Semaphore) CM 10 JVT with no problems.

Re:Great

[mrbester]

Kies is the biggest pile of bloated crapware since Norton.

Re:Great

[Teknikal69]

And I'm stuck with my much newer S Advance on Gingerbread 2.3.6 they never even patched the last exploit for it.

I still love the phone though don't get me wrong it's pretty capable but it's quite sickening the way Samsung ignores it just because the S3 came a few weeks later.

Re:Great

[aliquis]

Maybe yours is better?

That's very off-topic but I don't even own a smartphone :)

I think they are expensive. I likely should get a used one either simple and cheap or one of the latest ones but cheaper than retail (and keep it up to date for longer, as I see things phones like the Galaxy Gio haven't fallen much or at all in price the last 1-1.5 years so getting an old phone and hope for something better to show up for a good price somewhat sooner may not be a path to success.)

I've thought about getting a used S III and was rather close to getting a cheap S III LTE which someone nearby sold (don't ask me why at that price) but the issue for me is that the Nexus 4 in U.S. and parts of the Europe got such an awesome price and better spec (though it supposedly run hot) and may be more future proof. It doesn't list at those prices in Sweden as of now but I have no idea whatever we will have similar prices or ability to get it for similar prices from further down in Europe or if we are screwed. For 4500 SEK for a new Nexus 4 I'd rather pick a "used or opened but new" S III LTE for 2700 SEK as this one was listed for. For 2700-3000 SEK for both however the Nexus 4 will be faster, don't have a PenTile screen, got a good looking though likely easier breakable back side.

The S III got some other advantages though, eventually the S III software do some good things stock Android doesn't. AMOLED is nice to (Nexus 4 got IPS though) but what's more interesting I suppose is the runs hot issue of the Nexus 4 and user replacable battery and microSD-card slot on the S III. Over here the regular S III "only" got 1 GB of RAM which would imho make it seem less future proof but the LTE model got 2 GB so that solve that issue.

To be able to get root as a user is just an advantage to me. However I suppose that might mean user installed applications may also be able to get root access.

Re:Great

Have you tried shoving it up your stanky cunt?

Re:Great

[JayAEU]

Can you please provide a reference to an official Samsung ICS image for the Galaxy S1? Other than that, you'll find it pretty much impossible to upgrade it to 4.0 using Kies.

Re:Great

[Jesus_666]

Unfortunately, you still need to install Kies if you want to flash from Windows; Kiescomes with the required driver. (Technically there are third-party tools supposed to include one but theie driver failed to work for me.)

Re:Great

[myowntrueself]

The SGS is pretty much brick proof, even if you screw up the simple root instructions.

Currently running over clocked (Semaphore) CM 10 JVT with no problems.

Brick proof until the USB connector dies part way through an update. Jjust had that happen, brand new SGS, started to root it, failed, couldn't connect on USB again. Took it back and got a replacement though. I did read somewhere that the USB connectors on these can be dodgy.

Re:Great

[thegarbz]

I know I am probably going to be modded down into an oblivion for this reply, but it is just my bad experience with mine and my frustrations over the years. Maybe yours is better?

The two are related. The Galaxy S was one of the most popular non-iPhones on the market, and for good reason. It was quite capable, competitively priced and very feature rich.

It also is incredibly trivial to install updated ROMs on it and it is typically one of the first phones outside the Nexus series to get a port of any new version of Android. If you want to see what the thing is really capable of head to the XDA-developers forums and lurk a bit. I'm currently running the latest Jelly Bean ROM with many fancy extras (power menus, better home screen etc).

No arguing that Samsung made shitty software. They did. Hell the Galaxy S is the only phone I've ever used where the Android kernel would force close apps because they were too slow writing to a disk due to dodgy file system drivers. But the hardware is (or rather was) for the most part excellent, and has certainly got a lot of people on the Samsung bandwagon for future upgrades.

Re:Great

[cyberchondriac]

Which kernel and ROM? I have an old Fascinate running Gingerbread, and I rooted it, but I'm still using Touch wiz and the default kernel. Anymore it runs like total crap. (Possibly I have too many background processes, but if I kill them they seem to fire right back up).
Since I have an iPhone 5 now I'm not too worried about it, but I still like tinkering. Call me weird, but I like both ios and android, both have pros and cons. I'm getting an android tablet for xmas this year.

Re:Great

Guessing you weren't serious, but you've been able to root/ROM the S1 for just about ever. I had ICS running on mine before I upgraded to my GNex.

Re:Great

[fluffynuts]

you should have checked out CyanogenMod long ago. I just updated to an S3, so sticking with stock for now, but loved CM10 on my old S1. Installation is really simple, very safe (I found the S1 to be un-brickable because no matter what state I got it into, I could always push a ROM with Odin), and you can get Jelly Bean today. Better functionality, reliable alarms (2.1 on my S1 wouldn't bring the phone out of sleep for alarms), and better battery. Go get it.

Re:Great

[nullchar]

Once you root, you need to disable all the built-in shitty apps. I wrote a script to mkdir /system/app/disabled and then mv /system/app/${shittyapp}/ to /system/app/disabled/

Easy to regex search/replace that disable.sh script to undo it (enable.sh) when you want to un-root so you can OTA upgrade (if you so choose).

Script disables I500_BingSearchAndroid_07152010.apk so I can install EnhancedGoogleSearchProvider.apk to "de-Bing".

I'm still on stock Fascinate 2.2 (didn't see the point of 2.3 on this phone, plus the fonts look worse) but rooted with all the bloatware removed and Droidwall, etc installed. I get great battery life with 3G, Wifi, Bluetooth, GPS all turned off - and only turn them on when wanted.

Re:Great

[cyberchondriac]

I got rid of the bloatware already, via Titanium backup. What were they thinking with the whole Bing thing? I found one of the resource hogs of the phone is live wallpaper. I love the look of "plasma', but it just kills the phone.

Huge Security Hole Has Been there all Along

[Press2ToContinue]

Installing any app exposes you - even without explicit permissions apps can do bad things. Let's put this into some perspective, shall we? It's just one more exposure. The real problem is in actually being able to tell what -any- app is currently doing on your device. And that kind of monitoring is no-where in sight.

Re:Huge Security Hole Has Been there all Along

[SternisheFan]

Just a heads-up, I found a pretty good free firewall app, for rooted Android devices, called "Droidwall" (in android's playstore, tools section). No permissions, I've been using it for a few weeks now on my Arnova pre-rooted ICS $99 tablet, works perfectly! Should be sop for all of android. It lets you 'whitelist/deny' internet access for any installed app, useful if you're on a limited data plan.

Re:Huge Security Hole Has Been there all Along

[Threni]

> It's just one more exposure. The real problem is in actually being able to tell what -any- app is currently doing
> on your device. And that kind of monitoring is no-where in sight.

Wrong, and wrong. With this, you can access all the memory on your phone. Clearly with this you CAN tell what's running, You can stop what's running. You can patch what's running. You can do whever you like, This is about as different to the average piece of malware as is possible to get.

Re:Huge Security Hole Has Been there all Along

[GuldKalle]

Damn that was vague. Could you maybe explain what kind of bad things they can do without permission?

And what kind of monitoring do you want? A debugger?

Re:Huge Security Hole Has Been there all Along

[grcumb]

Damn that was vague.

If by 'vague', you mean 'detailed', then yes, it was. 8^)

Could you maybe explain what kind of bad things they can do without permission?

The most damning bit of code is this:

#ifdef CONFIG_EXYNOS_MEM [14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, &exynos_mem_fops}, #endif

Basically, it says, "Aw heck, write whatever you like to any memory address anywhere. I mean, we're all friends here. Right?"

Effectively, any installed app can ignore pretty much every single security setting on the phone and do whatever it likes to the running system. Worse, this could be coupled with a vulnerability in an otherwise well-intentioned app to create a remote root exploit.

On the WTF scale, this ranks with the 2008 Debian SSL hole in terms of rank stupidity.

Re:Huge Security Hole Has Been there all Along

[Koutarou]

The absolute worst-case would be to use the elevated access to leverage the superbrick bug (another hole out in the wild on the majority of exynos based phones) and permanently damage the emmc chip, which requires a system-board replacement to revive the phone.

Re:Huge Security Hole Has Been there all Along

Given the popularity of the S2 and S3 I would say a rapidly spreading virus that turns them into a mobile bot net or spyware system would be far worse.

Although bricking them all at once would be massively damaging to Samsung.

Re:Huge Security Hole Has Been there all Along

[teh31337one]

If only someone had found a way to fix this :(

Re:Huge Security Hole Has Been there all Along

Shouldn't that have been == ?

Re:Huge Security Hole Has Been there all Along

[storkus]

That isn't a fix, but merely flimsy cork or finger in the hole. Unfortunately, from what I read (Samsung's version of /dev/mem but with global access), this "hole" is more proverbially along the lines of this bad boy:

http://en.wikipedia.org/wiki/Bingham_Canyon_Mine

In other words, its a hardware design flaw so big it can only be worked around, and even then only poorly.

I'm doubly pissed here because I bought the T-Mobile USA version of the Galaxy Note II (SGH-T889) on the day it came out, and a month before this broke. Luckily, I make a point of not doing financial transactions on it, but what about the other 5M+ GN2 owners as well as international GS3 owners (CAN/AM GS3 uses Snapdragon and is supposedly unaffected...).

Re:Huge Security Hole Has Been there all Along

[mlts]

I like Droidwall, have been using it since the 1.x days. Yes, it does require root, but it is worth using. Oddly enough, on rooted Motorola phones, it takes a while to push the iptables entries out when you tell it to. On HTC phones, it is a lot quicker.

Another app that I used to use was LBE Privacy Guard, but it doesn't work on Andoid 4.1 or newer (will bootloop your phone if you try.) I know it is a free app, but when it worked, it was a very useful tool, as it limited what apps could access (contacts, GPS, phone) without having to manually edit permissions in a manifest file.

Re:Huge Security Hole Has Been there all Along

[SirJorgelOfBorgel]

This is not a hardware design flaw. Whatever makes you think that ? The reason it affects so many Exynos4 devices is because the exploitable code is present in the main code they base most Exynos4 Android firmwares on. It's certainly fixable by Samsung.

Re:Huge Security Hole Has Been there all Along

[JesseMcDonald]

No, it's a definition for array element 14, thus "[14] = ...". There's a newline missing in the comment after "#ifdef CONFIG_EXYNOS_MEM".

Re:Huge Security Hole Has Been there all Along

the code attached to the first post demonstrates how to elevate privileges to root then open a root shell.
If someone had an issue with Samsung they could then brick the device by overwriting the boot loaders
or use the "Super Brick" bug, the permissions set by Samsung devs allow R/W access to kernel memory.

My experience with Samsung devices is that they are easy to root, but Samsung seems to outsource the
software development to North Korea.

Re:Huge Security Hole Has Been there all Along

lol... I don't wanna know what kind of coding you people are growing up on these days..

Re:Huge Security Hole Has Been there all Along

[SternisheFan]

People might not want to use LBE Privacy Guard, it might be a data miner... From Android forums...

LBE Privacy Guard: Possible Malware I installed LBE Privacy on my LG ESteem, and tried it out for for a few days. I uninstalled LBE Privacy Guard a couple days ago, because it kept hassling me to set permissions every time I installed or used a new app. Since I had uninstalled LBE Privacy Guard, my phone has not been able to install new apps properly. Whenever I install a new app, the new app would only work until I reboot my phone. After I reboot my phone, the newly installed apps would fail to launch and give the error message: "the application XXX has stopped unexpectedly. Please try again". That's for every new app I have uninstalled since I had uninstalled LBE Privacy Guard on Wednesday. Another app on my phone, DW Contacts and Phone Dialer Pro, could no longer retain any of my customization settings. DW Contacts popped up an error warning and informed me that the file permission database has some "exception". I immediately knew it's LBE Privacy Guard that had screwed up my phone. I tried re-installing LBE Privacy Guard, and then reboot my phone. As I expected, LBE Privacy Guard has continued to work after multiple reboots. Then I installed a few other apps, but I am still getting the same errors with all other apps. So now LBE Privacy Guard is the ONLY app that has continued to install and work properly after it had screwed up my phone. Then, I googled for information on LBE, and found this: [APP][ROOT] LBE Privacy Guard - Most Powerful privacy protection app for Android - Page 48 - xda-developers Apparently LBE mines user data and is quite shady about doing it, and it also does not like being uninstalled. I suspect LBE made some low-level changes to the permission. It seems to me that everything else (i.e., every new install) has been blocked and denied permission... except LBE itself. http://androidforums.com/esteem-all-things-root/555032-lbe-privacy-guard-possible-malware.html

Re:Huge Security Hole Has Been there all Along

Any root level applications put and change files willy-nilly. It no longer has the application sandboxing and can make permanent changes.

As such, something like LBE Privacy Guard will modify the base files to inject it's code into it. Uninstalling the app may possibly leave behind traces causing crashes. It's possible that an unknown phone like the LG Esteem has modified it's Android core or location of certain files that's causing a compatability issue.

Re:Huge Security Hole Has Been there all Along

Given the popularity of any i devices, I would say a rapidly spreading virus that turns them into a mobile bot net or spyware system would be far worse.

What, you thought root (aka jailbreak) on devices was special to the S3?

Re:Huge Security Hole Has Been there all Along

So your saying that #ifdef == #define?

The C-preprocessors are getting so smart these days.

Re:Huge Security Hole Has Been there all Along

[Asic+Eng]

It's just one file which has the wrong permissions. That's correctable with "chmod". That's not a cork in the hole, it's someone building a huge castle with all sorts of fortifications and then not locking the door. Stupid, but trivially easy to fix.

Re:Huge Security Hole Has Been there all Along

[JesseMcDonald]

No, I'm saying that the original code was:

#ifdef CONFIG_EXYNOS_MEM
[14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, &exynos_mem_fops},
#endif

But I suspect you already knew that.

Re:Huge Security Hole Has Been there all Along

No, please read again.

#ifdef CONFIG_EXYNOS_MEM

(stuff happens)

#endif

Re:Huge Security Hole Has Been there all Along

[nullchar]

Except chmod breaks the camera on some devices. Fixes were outlined in the xda-developers thread to white-list specific DMA regions for the camera to function, instead of all lowmem.

Not LTE GS3

This only effects the international S3, the US LTE version uses a Snapdragon CPU.

Re:Not LTE GS3

[xenobyte]

How about the international S3 LTE? - Mine is model GT-I9305

Re:Not LTE GS3

"GT-i9305 Galaxy S III is using an Exynos 4412 quad-core"

3 seconds on Google, come on now kids.

Re:Not LTE GS3

[compro01]

Yes, the I9305 is affected.

The list below is all models affected by this, which includes the international GS2 variant, as well as the Note 1 and 2, Galaxy Tab Plus, and Note 10.1.

GT-I9100
GT-I9300
GT-I9305
GT-N7000
GT-N7100
GT-N7105
SGH-I317
SCH-I605
GT-P6210
GT-N8000
GT-N8010
GT-N8013
GT-N8020

It does not affect the Snapdragon-based I747 (AT&T, Rogers, Bell and other major Canadian carriers) nor the T999 (T-mobile, as well as Canadian AWS carriers like Wind, Mobilicity, and Videotron)

Root

[Nerdfest]

I consider someone *else* running as root a security hole. As long as you need physical access, this is a feature. A phone that will not let you install what you want is broken.

Re:Root

[14erCleaner]

The problem is that this hole will allow any app to read or write to any of memory, allowing trojans.

Re:Root

[Nerdfest]

That's definitely a problem. The way the summary is worded makes it sound like a user having root is a security exploit ... something most hardware and OS manufacturers seem to believe these days. I may have to break tradition and read the article.

Re:Root

Sounds like someone else can too

Re:Root

[Nerdfest]

Looks like someone has a quick fix out. It's an app that sets the perms on the file properly, but it does cause problems with the camera on the S3. The app lets you toggle the permissions on and off so you can still use your camera is you wish. I haven't tried it as I don't have a phone with the hole, but teh XDA guys are pretty reputable: Here it is. Certainly can't complain about the open source community on something like this, although it would have been nice if he reported it to Samsung a little in advance of the release of the problem.

Re:Root

Don't bother. The fandroids will spin this into something to make it seem like it was a win for them all along. I see a lot of this out of them. It makes it hard to take these zealots seriously. Apple fanbois are the same, don't get me wrong. I just hate all techno nazis.

Re:Root

On smartphones, local exploits matter because they mean apps can gain more permissions than they are supposed to have. (This is a much smaller problem on desktops because people don't tend to install programs on desktops anywhere near as much.)

Re:Root

[stephanruby]

The way the summary is worded makes it sound like a user having root is a security exploit ...

The Cleaner is correct. In the case of Android, each application is considered a separate user. That's how applications are sandboxed away from each other. This way, an application only has access to its own files (which reside in its home folder). An application only has access to its own SQlite database instances (which again reside only within its own home folder, since SQLite is file-based, this arrangement works). With its own userid, an application can only access its own process and its own data. Etc.

In other words, Android is an operating system built on top of another operating system and Android doesn't try to completely reinvent the wheel when it comes to security.

Re:Root

[Tough+Love]

The fandroids will spin this into something to make it seem like it was a win for them all along.

Whoa, the fandroids didn't do that! Instead, the fandroids discussed the issues, risks and fixes calmly, intelligently and informatively. Now if only iFans were like that, maybe I wouldn't feel like I got something icky on me after any encounter.

Re:Root

[hawguy]

That's definitely a problem. The way the summary is worded makes it sound like a user having root is a security exploit ... something most hardware and OS manufacturers seem to believe these days. I may have to break tradition and read the article.

For most users, having root *is* a security exploit. Few users know how to tell whether the application they are installing as root is "safe".

Re:Root

although it would have been nice if he reported it to Samsung a little in advance of the release of the problem.

It would have been nice if Samsung hadn't designed, built, and shipped equipment that they had not fully tested.

They didn't. Haul out the good-capitalism arguments for shipping quick as cheaper, but don't say the market-side isn't "nice" for doing whateverinhell it wants about the device after it ships.

Delaying public disclosure of flaws lets a company maintain a reputation it should not have. And it delays public knowledge of the dangerous device they own. When a 'public' researcher finds a flaw, 'private' ones sure as hell already have. Get the word out immediately.

Re:Root

[hawguy]

On smartphones, local exploits matter because they mean apps can gain more permissions than they are supposed to have. (This is a much smaller problem on desktops because people don't tend to install programs on desktops anywhere near as much.)

You've never seen a user click blindly through ActiveX install warnings if you think Desktop users rarely install software.

Re:Root

Well, the important thing is that you've figured out a way to demonstrate your inferiority to both.

Re:Root

And the WinTards will try to use this meaningless story to try and create a shit storm in an effort to get some free publicity for their piece of shit Kin Phones and Kin Tablets that no one wants or cares about.

Re:Root

[Nerdfest]

They can test all they want, but there will be bugs. The trick is to have support in place to patch quickly. Most open source software is very good this way, but most commercial stuff is way behind.

Re:Root

[SirJorgelOfBorgel]

"although it would have been nice if he reported it to Samsung a little in advance of the release of the problem"

While that would have been nice, it is very debatable if it is wise. With Samsung, you just don't know. Security holes have been reported to Samsung that have been fixed nigh instantly, while other well known problems that can cause hard-bricks (device becomes a non-recoverable paperweight) on various devices have been known for almost a year - including the fixes - and the issue is still present in the latest firmwares.

And in the exploit author's defense (as if needed), he actually says somewhere he didn't know whom to contact so he just put it on XDA, assuming it would somehow get to the right people. And even though it is weekend, I'm sure various Samsung engineers on the right levels are aware of the problem :) The not knowing who to contact thing is a valid issue - if you don't have any "ins" at Samsung, it's actually pretty hard getting this kind of information to the right people.

Re:Root

[fredprado]

Nothing can be "fully tested". Things like this happens to any developer and are unavoidable as the code complexity increases.

What is the responsibility of the developer is to fix a security hole such as this as quickly as possible once detected.

Re:Root

[JesseMcDonald]

A device driver which allows programs to mmap any and all physical memory, which defaults to world-writable permissions both in the driver itself and in a system startup script, seems like a bit more than just a "bug". It's more consistent with a complete lack of security-mindedness among the developers and reviewers (if any).

Re:Root

[Tough+Love]

The fandroids will spin this into something to make it seem like it was a win for them all along.

Whoa, the fandroids didn't do that! Instead, the fandroids discussed the issues, risks and fixes calmly, intelligently and informatively. Now if only iFans were like that, maybe I wouldn't feel like I got something icky on me after any encounter.

Oh, iFans have another weapon besides naked fanaticism: they also have Apple spinmods.

Re:Root

[tlhIngan]

I consider someone *else* running as root a security hole. As long as you need physical access, this is a feature. A phone that will not let you install what you want is broken.

So how do you know what you're installing WON'T take advantage of this and break through the Android permissions model? (Permissions system doesn't apply if you have root, after all).

Several Android malware apps have attempted to root the user's phone before, so it's possible that some app you download may try the same. And all they'd need is enough permissions to access that device - probably innocent ones.

In other words - it's a great way to get root on your phone, if you want it. Or a security exploit if an app also roots your phone to download and install some malware. Or install a rootkit, since it allows access to kernel memory(!).

Re:Root

Yes and how easy it will be for Samsung to fix this? It is easy to stop the hole by the fix those guys made but why does it brake the camera functionality? Because the memory is open by design and the camera uses that design? So to fix this would require quite a lot of tinkering from Samsung to work with correct permissions for each "user". Thus fix is unlikely to be released soon.

Re:Root

[epine]

While that would have been nice, it is very debatable if it is wise.

If they ever update The Fifth Discipline: The Art and Practice of the Learning Organization I'm sure they can cull a hundred pages of business-speak blather to make room for an additional chapter on the pernicious feedback loops of responsible disclosure.

Normally we allow markets to punish corporations for sloppy work. Causing grave identity harm to your customer base is the kind of sloppy work deserving of punishment. And then, you know, the innovation of the private sector swoops in, as it must under Hayekian divine law, to save the day.

But no, as usual we turn things upside down when the going gets tough: unpaid security researchers provide valuable QA in hushed conversations to deep-pocketed corporations, who may or may not choose to do anything about it.

Here's a suggestion: if a corporation has any unfixed security flaw they've known about for more than three months, they no longer qualify for responsible disclosure.

Customers when purchasing their toys can check the reputations of vendors in having their responsible disclosure pants down, aka those malingering issues not fixed because they value their bottom line more than their customer's peace of mind. In Hayekian theory, these are supposed to align by the divine grace of the invisible hand, but sometimes society weaves clever narratives to prevent this from happening.

The true Hayekian solution would be to allow security researchers to auction off the fruit of their labour to the highest bidder, black or white. This might be Samsung, should they care enough to protect their reputation by dipping into their bottom line.

Re:Root

This way, an application only has access to its own files (which reside in its home folder).

I've never seen that on any Android phone. For exampe, an app that uses the OI File Manager can browse to and read from any user-accessible files.

Re:Root

Thank you, Slashdot user from 1998.

Re:Root

[spyked]

Mod parent up. It's called the Principle of least privilege, which Unix systems implement using mechanisms like sudo. Having root access on Android systems breaks this to some extent.

Re:Root

[Nerdfest]

You don't. Nor do you know that the web site you browse to or JPG you view doesn't exploit a buffer overflow and break out of its VM sandbox. Same applies for an iPhone and your desktop. Having people able to review the source of the applications is a good start, but there is always some risk.

Re:Root

[AmiMoJo]

Without knowing the nature of these "hard-brick" problems it is difficult to say if Samsung did the right thing but not rushing a fix. When you have tens or hundreds of millions of devices in the field you only rush fixes if they are security critical, not if they can result in something that the service department can fix and that only happens in very unusual circumstances. Fixes can make things unintentionally worse if not carefully tested.

Considering there have been no widespread reports of ordinary user's phones being systematically bricked a quick fix may not have been appropriate.

Re:Root

[stephanruby]

You're right. What I said was a huge oversimplification. What I said really only applies to their home folders.

Re:Root

[jo_ham]

The fandroids will spin this into something to make it seem like it was a win for them all along.

Whoa, the fandroids didn't do that! Instead, the fandroids discussed the issues, risks and fixes calmly, intelligently and informatively. Now if only iFans were like that, maybe I wouldn't feel like I got something icky on me after any encounter.

Oh, iFans have another weapon besides naked fanaticism: they also have Apple spinmods.

And the Fandroids cling to the belief that slashdot is a pro-Apple site, where any moderation of their (actually flamebait and inflammatory) post is somehow down to "spinmods" looking to suppress the message.

If you write an inflammatory post that serves no real purpose other than to bash Apple fans in a story that has nothing to do with them what did you expect? The moderation functions exist outside the realm of highly polarised zealots of both platforms.

Re:Root

[Hillgiant]

Unacceptable. If they (and software/hardware professionals in general) really want the moniker "computer engineer" they need to be able to identify, test, and remove permission escalation bugs like this. I do not expect, nor do I believe it is reasonable to expect, totally bug free design. However, I do not believe it is unreasonable to expect defects of this scale be found and eliminated prior to release. In exactly the same way we expect our planes to not fall from the sky.

Re:Root

[petermgreen]

The real problem is andriod's permission system is broken. Specifically there are two major problems.

1: there is no way for a user to go through the permissions an app wants and decide what permissions it shoudl actually get.
2: there are some privilages apps simply can't get though the normal permissions system even though them would allow the app to be more useful.

"Rooting" works arround problem 2 and I belive can allow the installation of apps that attempt to solve problem 1

 

Re:Root

[fredprado]

You are obviously not a programmer neither an engineer (at least not one that have worked with anything significant). As I said it is impossible. Live with it.

Re:Root

You've never seen a user click blindly through ActiveX install warnings

That's an Internet Explorer thing, right? I'm not sure if I've ever seen anyone anywhere use that.

Re:Root

[scot4875]

Nothing can be "fully tested". Things like this happens to any developer and are unavoidable as the code complexity increases.

Sure they can -- you'd never see something like, say, a drive-by exploit using a PDF on a web page that was able to achieve arbitrary code execution on an Apple device, would you?

--Jeremy

Re:Root

[fredprado]

Or when processing a "maliciously crafted font".

Re:Root

[Tough+Love]

Fandroids cling to the belief that slashdot is a pro-Apple site, where any moderation of their (actually flamebait and inflammatory) post is somehow down to "spinmods" looking to suppress the message.

Don't be silly, Slashdotters are well aware that Slashdot is anything but a pro-Apple site, mainly because of Apple's corporate hubris and unabashed bad acting. But we also know that Apple is a company that stoops to astroturfing.

Re:Root

[SirJorgelOfBorgel]

Who said anything about rushing ? That specific problem has been known for a long time, and most affected devices have received several updates since then. The fix is literally a one-liner in the kernel source, disabling "secure erase". When a user "resets to factory settings" (e.g. wipe all user data) the device performs an erase command. Somewhere in Android 3.x or 4.0 Google changed the default behavior from normal erase to a secure erase. The eMMC chips Samsung used were never properly tested for this, and due to a bug in the firmware of said eMMC chips, the flash memory would be corrupted during a secure erase, rendering the device completely unusable.

It's pretty much a jackpot affair, you hit the factory reset button, x% chance you end up with a full brick. Custom firmware users were much more likely to run into this because often a custom firmware would perform a factory reset upon installation - and a normal user would rarely use this function. But you did not need to run any custom software for this - it can happen on a fully original device without any modifications or even apps installed.

A few months ago, Samsung finally issued a fix - but this fix disabled secure erase being triggered by the format command itself, instead of disabling secure erase in the actual kernel. As a result, custom firmware users would still brick left and right, due to using Google-private update binaries that did not have this call disabled. They put a band-aid on the issue instead of actually fixing it (a one-liner to disable "secure erase" at kernel level (because it never actually works correctly) and revert to "normal erase" always).

Now, I have discussed these issues in person with high-level Samsung engineers, and in their opinion, how they fixed it is correct - even though an exploit like the one presented in this article allows a malicious attacker to hard-brick your device at will, thanks to this eMMC bug. Incidentally, that is exactly what I myself, as well as a number of other developers from the enthusiast community, have kept telling Samsung: with the current solution, all you need is an exploit and a viral app, and you could well end up with millions of hard-bricks.

Note that Samsung does usually warranty on a full hard-brick, so it doesn't have to be a real problem for the end-user, but if this got out of hand, it could easily cost Samsung millions and millions of dollars in repair costs. Just because it hasn't happened yet and it really is not that likely it will occur, it is certainly possible.

Re:Root

Great post!

Re:Root

[nullchar]

Fixes were outlined in the xda-developers thread to white-list specific DMA regions for the camera to function, instead of all lowmem.

LUALZ

there just was niggerbutt on tv in the Cowboys game

LUALLZ DENG!

It's a feature !!

[Taco+Cowboy]

Instead of considering that "security hole" a "security hole", consider it as a "feature".

Just root the damn thing and unlock it !!

Re:It's a feature !!

Instead of considering that "security hole" a "security hole", consider it as a "feature".

Just root the damn thing and unlock it !!

Featurity hole?

Re:It's a feature !!

A glorious security hole that's a feature? We could shorten that to Glory Hole.

Custom faulty memory device?

[wonkey_monkey]

Are you sure it wasn't a faulty custom memory device instead?

Re:Custom faulty memory device?

Haven't you heard about Samsung's new strategy?

1.) Become the go to name in customized faulty memory devices
2.) ?????
3.) Profit

Funny as hell - Google ad.

[Andy+Prough]

The Google ad on the page for TFA states "Root Any Android Device In 1 Touch! Easy To Use Automatic Root Software". Talk about context-sensitive ads!!

920 is a tank

I'm sick of hearing of lumia propaganda from that dieing horse of a company. The 920 is a 185 gram, 10mm tank of poo. It's for people with Stockholme syndrome who try to convince versatile people with compact phones to be stupid like them and walk around with holes in their pants..plus it only runs crappows 8. "Really" smart people have a hTC One S, an iphone 4s, or a nexus 4. The Galaxy sII is also tolerable. Best of the new breed - nexus 4 on cost.

Nokia will always regret not going with android I think.

Fault?

Every user can easily root their device? Sounds like a feature to me.

To actually root ...

[SirJorgelOfBorgel]

Strangely, TFA makes no mention of an app built to actually use this exploit to install SuperSU (root access management app): http://forum.xda-developers.com/showthread.php?t=2050297 - i.e. what most users consider getting rooted.

Of course, this exploit can be used by any app, and a user can use the core exploit manually to install SuperSU (or Superuser) to let Play apps that need root (but don't contain this exploit ;)), but the linked method does all the work for you already.

Google Defence Force Activate...

Form of: denial and accusation of user error.

Re:Google Defence Force Activate...

[Tough+Love]

Form of: denial and accusation of user error.

You're an Apple employee, and you're projecting.

Re:Google Defence Force Activate...

[Tough+Love]

Form of: denial and accusation of user error.

You're an Apple employee, and you're projecting.

and your Apple spinmod friends don't impress me either. Actually, the more you do things like that, the more you Apple people disgust me.

Link

[StuffMaster]

Why did you link to that horrible advertisement of a webpage? Google even gives the Wikipedia page as the first result...

Makes me glad I use an iPhone...

And there are those who wonder why the #1 seller on the market is the iPhone. Perhaps, it is because Apple takes security seriously?

iOS has yet to have a single malware app in its history, other than stuff befalling jailbroken devices. This is a quite sterling record for any popular platform in the computing industry.

Re:Makes me glad I use an iPhone...

[Galestar]

other than stuff befalling jailbroken devices

This is the important part. Walled gardens are inherently more secure, it has nothing to do with Apple's competence.

Re:Makes me glad I use an iPhone...

If Android phones defaulted to Amazon's store, or if Google went to a two tier system (one tier with stuff as they do now, second tier that is thoroughly vetted and rejections are swift and brutal), Android would have far fewer issues.

As for security, Apple's is chiefly based around how good their gatekeeper is. If some app gets through, it will have a field day. Of course, this is mitigated in iOS 6 by the OS asking if an app can have access to photos or contacts, but it doesn't stop an app from going crazy with high-priced SMS messages or just using the phone as a botnet client for spam, DDoS, or other items.

Re:Makes me glad I use an iPhone...

And there are those who wonder why the #1 seller on the market is the iPhone. Perhaps, it is because Apple takes security seriously?

iOS has yet to have a single malware app in its history, other than stuff befalling jailbroken devices. This is a quite sterling record for any popular platform in the computing industry.

You're either extremely stupid or extremely ignorant. Yeah, you're stupid.

Re:Makes me glad I use an iPhone...

[Tough+Love]

Walled gardens are inherently more secure, it has nothing to do with Apple's competence.

Do you have any actual evidence to support that fanciful assertion? Didn't think so.

Re:Makes me glad I use an iPhone...

[Bob9113]

Walled gardens are inherently more secure

Which walled gardens? More secure how? More secure than what?

If the walled garden does a better job of verifying the security than the collection of apps you are comparing it to, then you are right. But that is not an inherent characteristic of the walled garden model any more than it is of any other kind of collection of apps. The question is how strongly the selection process under consideration filters for security.

For example, F-Droid is a repository of Free and Open Source Android software. It is pretty much the opposite of a walled garden, and it is very possible that the F-Droid software is more secure than what is available on Google Play or the iTunes App Store.

The claim that walled gardens are inherently more secure is no more valid than the archaic and discarded notion that proprietary software is inherently more secure than Open Source. The same holds true for the operating system as for the marketplace, for the same reasons.

Re:Makes me glad I use an iPhone...

...it is very possible that the F-Droid software is more secure than what is available on Google Play or the iTunes App Store.

As a potential user, do you define "it is very possible" in the sense that it is very possible that an eggshell and yolk will jump off the floor and assemble itself into an unbroken egg on the counter, or "it is very possible" in the sense that the Sun might rise tomorrow morning? I cannot see how you ascertain the security of F-Droid software, even being the FOSS advocate that I am.

Posting anon to preserve moderations, I'm user 'dotancohen'.

Re:Makes me glad I use an iPhone...

[Elbart]

Why are you excluding jailbreaks? Just because a bug is exploited for a good cause doesn't make it a good security-bug.

Another illegal patent expropriation from Apple

[gelfling]

Tim Cook needs to sue them for that one.

Re:Another illegal patent expropriation from Apple

[WrecklessSandwich]

Tim Cook needs to sue them for that one.

Beat me to it like a redheaded stepchild.

Re:Another illegal patent expropriation from Apple

LOLOLOL me make Apple dig, me FUNNAY

Move along, go replay the same tired trolling elsewhere.

security hole?

[Charliemopps]

How is this even remotely a security hole? Much less a "Huge" one? Owners can gain root access to their own device? God forbid!

Re:security hole?

[countach]

Err, because any app you download can p0wn your phone?

Re:security hole?

[nedlohs]

Because some random app could subvert the permissions it was granted at install and do whatever the hell it wants?

Re:security hole?

[pepsikid]

It's a considerable "security issue" because it may provide a vector through which you could install any app, ringtone, mp3, wallpaper, etc., that you did not buy from the manufacturer (thinking of currently un-rootable devices here). You could disable un-installable apps you mfger wants you to have. You could inspect and monitor your phone's memory and data transactions in such detail as to learn what information your mfgr, or installed apps, harvests from your activity. Heavens, you could finally back up and restore your phonebook from a device with a disabled data port. Enable wifi without a $15/mo service plan! Download your cameraphone pics and videos without using up some of your data ration! Or install a cut-and-paste extension! Freedom is dangerous! Samsung cannot ensure the 'highest customer experience' if the customer can shop around! Or some hog-swill like that.

Disclosure: worked for Samsung Wireless. They're evil.

Re:security hole?

[pepsikid]

...of course, it's the *providers* who demand the crippled firmware, but SS is only too happy to provide the custom lobotomies.

/yes, they have your PIN, PIN2 SIMM and every other number you're asking for.
//yes, the're lying about not having this information, but noone you can get ahold of on the phone has it.

Re:security hole?

This has nothing to do with the discussion here, but SIM PIN-codes are only stored in the SIM-card. The operator might have the original PIN-codes that where set at delivery of the card, but if you have changed it, it is only inside the card.

That is kind of the point with smart cards. You unlock the card with the PIN (the PIN is never sent anywhere else) so that the crypto-engine in the card can start working for you.

However, the operator will probably have the SIM-cards PUK-code, which can be used to reset the PIN in an emergency. Usually, they give you all the codes when delivering the card.

Sony get your lawyers.

[RyuuzakiTetsuya]

Sounds like Samsung is ripping off Sony security.

Quick! Get Kaz Hirai on the phone!

Feature

[Pope+Raymond+Lama]

Dear slashdot,

If a software failure allows an user to gain control of his own device, 'a.k.a." Jail breaking, it is not a "security hole" - it is a freaking FEATURE!
T.F.A. an the headline puts it as if it was a bad thing.

Re:Feature

The problem is that the same feature allows for malware to take control of the device, and considering that makes it very difficult to remove as opposed to a traditional PC...yeah, it is a bad thing. A very bad thing, as apparently it's already being exploited in Android marketplaces.

Re:Feature

Not sure if you fail at understanding basic computer science, didn't read TFA, or what. This security hole allows any app, jailbreak, malware, whatever, to take control of the phone and hide itself from further detection. I.e. it can patch the kernel. Don't be obtuse.

Re:Feature

The wider context is that the exact same set of devices have a bug where if a certain operation is performed you have a non-trivial chance of ending up with what has been called a "superbrick". This hole would allow any app installed from the play store (or otherwise) to invoke that operation, or any other operation it liked without the owners permission.

impeccable timing

[gaiageek]

I was considering purchase of a Galaxy S2 in the next 12 hours. Now I can't justify spending the money on it knowing it has a gaping security hole. Is there a possibility this could affect the similarly spec'd Samsung Galaxy S Advance? It has a STE U8500 chipset so if it's truly only an Exynos chipset vulnerability it should be fine, but this leaves me wondering about Samsung. Perhaps more telling would be waiting to see what, if anything, Samsung does about this.

Re:impeccable timing

Well sir - just go and get that thing. Make sure that ya flash the latest cm10 thingy on it and you're good to go..

Re:impeccable timing

This security hole is simply allowing world read-write on the device file that gives access to the system memory. Once you have root it can easily be fixed on a temporary basis (until next reboot) by making the permissions more restrictive. There is a app on the XDA thread which will apply the fix for you on boot, with the side-effect of making the rear camera on the SIII non-functional while the fix is in place.

I've no idea if Samsung will bother issuing a fix for the S2, but you will be able to get a fix from xda-developers. I wouldn't let this issue stop you from buying a S2.

False, Apple's security deeper

[SuperKendall]

Apple's is chiefly based around how good their gatekeeper is.

No, in fact Apple's security does not rely on that at all. The system is designed to prevent any application, not just Apple vetted ones, from harming the system - otherwise Apple would not allow independent Enterprise deployment as they do since Apple does not review those applications.

Apple's system is deeper than Androids because instead of having one up-front out of context question about the permissions the app should support, instead iOS users are asked if the system should allow access to a protected resource at the time the application (and thus the user) needs it. You aren't asked up front if an app can access contacts, you get asked that when you reach a portion of the app that would like to look into contacts and thus you can decide if you really want it to see contacts for that reason, or back out and not let the app see them.

iOS devices ALSO do not allow installation of apps to external media which was already a monstrous security hole for Android devices; any SD card inserted that was formatted FAT32 could have any portion read and written to by any app.

Re:False, Apple's security deeper

1) Charlie Miller would like to disagree with you with his Command and Control trojan stock ticker app. (Yes, it's out of the store right now, but only because he came out and admitted to it).

2) Deeper than Androids? Is that why there is a jailbreak vulnerability for each and every device it has, usually days before release? Oh wait, that's a feature, not a bug.

3) You still don't know what the app does once it has access to your information, and seriously? The target audience sees a popup and it's an automatic "yes" -- you know, the same group of people who get malwared up because they click yes to the "install" prompt on every executable out there?

Oh wait, you're advocating for a user experience that involves popups -- you know, the same ones that websites have "banned" for years because of the shiity user experience of said sites, and billions of people have installed pop-up blockers? You know the only place I hear has popups now? Porn sites. Not even pirate sites, just porn. There's a reason why Android has NEVER done popups -- beause of the superior user experience, and the notification bar that got copied practically pixel for pixel.

4) Your ignorance is showing agaom with the External media apps remark. Any app placed on the SD care is encrypted by the OS. There's a reason why it's placed in a folder called ".android_secure" ROFL.

Re:False, Apple's security deeper

[dargaud]

iOS devices ALSO do not allow installation of apps to external media which was already a monstrous security hole for Android devices; any SD card inserted that was formatted FAT32 could have any portion read and written to by any app.

Yeah, as opposed to Apple's solution of not putting ANY SD card reader in the first place. Much more secure. Right on.

Re:False, Apple's security deeper

[quacking+duck]

Although Apple's reason for this isn't security but instead to up-sell to a more expensive model, a lack of an SD slot does indeed increase security by physically eliminating one vector for malware to take advantage of.

We see the same principle when some companies disable or seal up USB ports on their employee desktops computers, and of course there's the so-called air gap between the internet and secure internal-only servers.

Each of these decreases usability and convenience, and can be defeated by anyone motivated and savvy enough, but they undeniably increase overall security.

You fail It

(claim that BSaD is a and what supplies more grandiose errors. Future I The mobo blew according tothis And she ran conducted at MIT A dead man walking.

Is that news?

[manu0601]

The page describing the exploit is from september. Is that a news?

Re:Is that news?

[msauve]

If "yesterday" for you is September, you're not keeping up.

tubgi8l

conversation 4nd

How to use this to your advantage

[tanveer1979]

Use this APK to get root and install superSU
http://forum.xda-developers.com/showthread.php?t=2050297

Now, whenever any app asks for root permissions, you will be asked whether you want to give root. This is how it used to work in my older rooted devices.

Removing a Mod

[ohnocitizen]

Commenting to remove an accidental mod, a sad mistake that caused many tears.

Re:Removing a Mod

[ohnocitizen]

Hahahaha, this getting modded down amuses kitty.

How innovative!

Wow, Samsung.

Delete HRS Hotels?

[SpaghettiPattern]

Does that mean the HRS Hotels app can be deleted more easily?

Naah, they obviously would have dealt with preventing that more thoroughly as marketing depts. with deep pockets were involved.

Vlingo bye bye

That made my day. I had to go through all my old apps and disable automatic updates (I disabled it by default for the new ones months ago) but after rooting the phone I finally was able to remove the fr****ng Voice Commands app with the instructions here.

For anyone interested in blocking this

You can use supercurio's non-root fix. Note that it does temporarily stop the front camera on the Galaxy S3 from working.

Issue Update

[wesleyjconnor]

There is no issue, everything is fine.

Sent from my Samsung Galaxy S3

Re:Issue Update

Yea don't worry, everything is fine.

Sent from his Samsung Galaxy S3

Yes, really.

[SuperKendall]

Charlie Miller would like to disagree with you with his Command and Control trojan stock ticker app.

Meanwhile a thousand equivalent apps sit on the Android app store untouched. MORE secure does not mean 100% secure.

After all, even with his stock ticker app what could actually be done via remote commands is still limited to what the sandbox can do. That is defense in depth.

The fact remains iOS is MORE secure than Android.

Deeper than Androids? Is that why there is a jailbreak vulnerability for each and every device it has

Tethered jailbreaks that require physical access to perform are wholly different than Android being mostly useless without rooting it.

The target audience sees a popup and it's an automatic "yes"

It is on Android because you are agreeing to a million things. On iOS it's far less automatic because you are only thinking about one question, and if it doesn't make any sense you just kill the app.

Oh wait, you're advocating for a user experience that involves popups

Yes, at the right time and asked only once. Because that is what leads to better security, not only EVER asking once for a million permissions, or asking every single time (vista) which DOES lead to users simply agreeing.

Any app placed on the SD care is encrypted by the OS.

Yes, encrypted by the device all other applications are running on. You must be REALLY stupid to think everything is encrypted (it is not) or that it's not possible to decrypt and inject (the system does after all).

Basically I'd say it speaks volumes to the confidence of your arguments that you posted AC instead of as a user. Tired of being provably wrong over a long time, how pathetic.