Slashdot Mirror


'Stagefright' Flaw: Compromise Android With Just a Text

An anonymous reader writes: Up to 950 million Android phones may be vulnerable to a new exploit involving the Stagefright component of Android, which lets attackers compromise a device through a simple multimedia text — even before the recipient sees it. Researchers from Zimperium zLabs reported the related bugs to Google in April. Google quickly accepted a patch and distributed it to manufacturers, but the researchers say they don't think the manufacturers have yet passed it on to most consumers.

"The weaknesses reside in Stagefright, a media playback tool in Android. They are all 'remote code execution' bugs, allowing malicious hackers to infiltrate devices and exfiltrate private data. All attackers would need to send out exploits would be mobile phone numbers, Drake noted. From there, they could send an exploit packaged in a Stagefright multimedia message (MMS), which would let them write code to the device and steal data from sections of the phone that can be reached with Stagefright's permissions. That would allow for recording of audio and video, and snooping on photos stored in SD cards. Bluetooth would also be hackable via Stagefright."

12 of 203 comments

  1. What benefit to announcing it? by pz · Score: 3, Insightful

    This group sounds like they acted reasonably and responsibly, letting Google know there was a problem, and submitting good patches to correct the issue.

    If, now, there's some other fundamental impediment to distributing a correction to the bug that does not have to do with Google, but rather with the heaploads of cell phone manufacturers who use Google's code and who may or may not have the ability to distribute the fix, why should the vulnerability be made public? I don't see any apparent upside to the public good.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    1. Re:What benefit to announcing it? by Anonymous Coward · Score: 2, Insightful

      Vendors like to sit on their hands when there's no direct incentive to do otherwise. Unless there's a deadline where "bad things happen", they'll sit on their hands forever. The public good is that it teaches the vendors that there are consequences to hand sitting.

    2. Re:What benefit to announcing it? by Bugler412 · Score: 4, Insightful

      Upside would be forcing carriers and OEMs to actually support their product in an ongoing fashion rather than quietly stopping updates shortly after releasing the device, as is the case with many lower end Android devices.

    3. Re:What benefit to announcing it? by Anonymous Coward · Score: 0, Insightful

      Upside would be forcing carriers and OEMs to actually support their product in an ongoing fashion rather than quietly stopping updates shortly after releasing the device, as is the case with many lower end Android devices

      Cell phones are disposable shit, like so many other disposable shit products of our consumerist society.
      What in the world makes you think the seller (in this case ATT, or Sprint, or Verizon etc...) gives a fuck about you after they've already gotten the Franklins out of you? Even Apple is not immune to this. Their very expensive disposable shit is not supported forever, and god forbid should an exploit be found then. What are Appletards supposed to do? Simple, fork over more Franklins for the new shiny cell phone and the cycle continues on and on. Just look at what happens with hacked cars. And imagine the chaos when the fucking internet of things comes along. You'll be at the mercy of those criminals because you've bought into technology that's disposable. And the only way to fix it is to buy more update versions of the same shit. If this is not some kind of completely fucked up situation I don't know what is.

    4. Re:What benefit to announcing it? by Overzeetop · Score: 2, Insightful

      Verizon doesn't give a rat's ass. You want a fixed phone, come buy a new one you fucking turd. Oh, and pay more for the service because fuck you.

      To those who believe that when they paid $200 for a phone as a guarantee for being able to pay $600-1000/yr for service: Well, in the immortal words of their spokesperson, "Pray I do not alter [the deal] any further"

      --
      Is it just my observation, or are there way too many stupid people in the world?
    5. Re:What benefit to announcing it? by macs4all · Score: 4, Insightful

      Even Apple is not immune to this. Their very expensive disposable shit is not supported forever, and god forbid should an exploit be found then.

      NOTHING is supported "Forever". It is simply impractical to do so.

      However, if you think the "Support" (or rather, complete lack thereof) that is given to nearly EVERY Android Device has even the SLIGHTEST resemblance to the Support given to iOS devices even several years old (my iPad 2 and iPhone 4s STILL receive OS Updates), you are simply delusional.

    6. Re:What benefit to announcing it? by macs4all · Score: 4, Insightful

      But the devices won't last forever, so that's not what is being asked of vendors. Support as long as the hardware can reasonably be expected to last in significant numbers is a much shorter period of time and probably not so much of an ask.

      If they don't want to commit for that long, perhaps they should advertise their product as disposable.

      Your point being?

      Apple has hands-down the best track record of supporting less-than-current-generation mobile hardware. Even Google is dropping support for most of the past generations of NEXUS hardware; something they basically stated they wouldn't do.

      And as for all the rest of the Android OEMs: Well, they should simply be ashamed of themselves, period.

  2. value on black market by edxwelch · Score: 4, Insightful

    So, remote execution vulnerability on nearly 1 billion devices...
    I wonder how much they would have made if they had sold it on the black market, instead of telling Google about it?

  3. Unpaid Blackberry shill... by Rigel47 · Score: 1, Insightful

    Yep, gonna be that annoying SoB and just make note that my BlackBerry z10 has had no ridiculous remote exploit vulnerabilities like this, has the world's best messaging platform (BlackBerry Hub), awesome battery life, a rock-solid OS that multi-tasks like a dream. And it can run most all Android apps (though they are sandboxed to prevent their many flaws from compromising the rest of the system).

    Now bring on the BB bashing!

  4. Re:Google dropped the ball being too permissive by Anonymous Coward · Score: 2, Insightful

    That's not how open source works though. You cannot force downstream projects to pull upstream fixes.

  5. Re:Root your device. Do not purchase locked device by macs4all · Score: 2, Insightful

    If you wish to maintain a secure Android device, you must root it yourself. No one else can or will help you until you root.

    So, IOW, for the 99.999999997% of Android Users that don't even know what "rooting" is, let alone how to do it, they are simply SOL until they purchase an iPhone.

  6. Re:Android versions prior to Jelly Bean, version 4 by Karlt1 · Score: 4, Insightful

    The difference is that when Apple patches a security flaw, every semi-current iPhone user worldwide can install the patch and Apple usually patches the current version and one version back. For instance, the "goto fail" security patch that was released in March 2014 patched every phone back to iPhone 3GS in 2009 (patch for 6.x) and iOS 7.