Slashdot Mirror


Zimperium Releases Stagefright Detection Tool and Vulnerability Demo Video

Mark Wilson writes: We've already looked at the Stagefright vulnerability, discovered by Zimperium, and shown what can be done to deal with it. Affecting up to 95 percent of Android devices, the vulnerability has led to Google and Samsung announcing monthly security updates. Now the mobile security company has released additional details about how the exploit works. To help explain the vulnerability, a video has been produced which uses a Stagefright demonstration to illustrate it in action. Zimperium has also released an Android app that checks devices for the vulnerability.

54 comments

  1. Re:frist post!!! by Anonymous Coward · · Score: 0

    Okay then.

  2. Dice: FristPost/GNAA Detection Tool? by Irate+Engineer · · Score: 0

    Maybe Dice can get on FristPost/GNAA Detection Tool? Nah...that would require programming talent.

    --

    Left MS Windows for Linux Mint and never looked back!

    Vote for Bernie in 2016!

  3. The mighty have fallen by TWX · · Score: 3, Insightful

    A security vulnerability discussion on Slashdot that's over 30 minutes old and has no posts relevant to the content (including this one), and instead has three trolls, one reaction to a troll, and one comment on the fall of Slashdot.

    I really did not expect to see this.

    --
    Do not look into laser with remaining eye.
    1. Re:The mighty have fallen by Irate+Engineer · · Score: 1

      I really did not expect to see this.

      At least Goatse hasn't made an appearance. You *really* don't expect to see that.

      --

      Left MS Windows for Linux Mint and never looked back!

      Vote for Bernie in 2016!

    2. Re: The mighty have fallen by Anonymous Coward · · Score: 0

      No one expects the goatse inquisition!

    3. Re:The mighty have fallen by Anonymous Coward · · Score: 0

      A security vulnerability discussion on Slashdot that's over 30 minutes old and has no posts relevant to the content (including this one), and instead has three trolls, one reaction to a troll, and one comment on the fall of Slashdot.

      I think this has a lot to do with the amount of details provided.
      The only information I got from reading the summary and the article is that a company wants me to download their app so that it can tell me that I have a vulnerability.
      If you have seen malware and phishing attempts that provide more technical information than the article, then there isn't much left to do but trolling.

    4. Re:The mighty have fallen by Anonymous Coward · · Score: 0

      I really did not expect to see this.

      At least Goatse hasn't made an appearance. You *really* don't expect to see that.

      Sometimes I think this is why us older IT types think of things like always-on status bars and the full URL in the address bar as essential, and why the new kids in the UX department see it as superfluous.

      They're the generation that grew up with URL shorteners as part of the 140-character twitter limit. We were the generation that got goatsed and rickrolled so many times we knew which random combinations of letters would ultimately lead to regret, sometimes before we hovered over the link.

    5. Re:The mighty have fallen by AmiMoJo · · Score: 1

      It's not all that interesting. The severity of this vulnerability is low because since way back in the 2.0 days Android has had ASLR enabled by default in the kernel, which largely mitigates it.

      Defensive security measures like ASLR do a lot to mitigate the severity of new exploits, which is why you don't see sudden mass infections the way you used to back in the XP days. Some people love to soil their pants every time some new "critical" exploit comes along, ranting like lunatics that Android/iOS/Windows is horribly insecure and we are about to be hit by a wave of attacks from 1 billion strong botnets etc, but it never happens.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:The mighty have fallen by Joce640k · · Score: 1

      the fall of Slashdot.

      Yep. I started reading it this week after a year away and it's a shadow of its former self. Zero content.

      A USEFUL article summary would have told you to go to the messaging options page on your phone and disable automatic MMS retrieval. That will protect you from the vulnerability.

      Instead we have all this useless crap about updating the OS (if you even can!!) and how millions of Android devices are about to be rooted, etc.

      --
      No sig today...
    7. Re:The mighty have fallen by paul_metcalfe · · Score: 1

      Yet we keep coming back here.

      --
      Always read at -1, don't let others decide what you should and should not read.
    8. Re:The mighty have fallen by TWX · · Score: 1

      Well, nothing has managed to fully replace it.

      --
      Do not look into laser with remaining eye.
    9. Re:The mighty have fallen by Anonymous Coward · · Score: 0

      You must be new here.

  4. I ran it by drinkypoo · · Score: 2

    Well, on my Transformer Prime, anyway. The unlock tool doesn't work on it, so I have quite an uphill battle ahead of me upgrading it...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:I ran it by garryknight · · Score: 2

      I ran it too and what the app told me wasn't immediately useful. When I checked on Google Play, others had said the same. So I installed Lookout Security's Stagefright detector and it not only told me my devices were vulnerable, it also linked to helpful instructions to change my settings and avoid the problem.

      You can install it from here: https://play.google.com/store/...

      Lookout's blog page has details about the app and how to make sure your messaging apps are safe from the exploit: https://blog.lookout.com/blog/...

      If you use a third-party messaging app you will have to follow the general instructions given on the blog page to find the settings specific to your particular app. I should point out that Textra has already fixed the problem from their end. Here's what the app showed me: http://i.imgur.com/36G7o0t.png

      I don't know if it's possible for someone to remotely install the Stagefright vulnerability on your device and then use the device to send exploited messages to everyone on your Contacts list, but if I thought of that then you can bet someone else will.

      --
      Garry Knight
    2. Re:I ran it by arglebargle_xiv · · Score: 1

      This reveals whether a device is vulnerable, and indicates whether an OS update is needed.

      Of course you're never going to get an OS update because your vendor isn't ever going to release one, they're too busy introducing a new model that obsoletes your two-month-old phone and whose main differentiator is that the power button is moved 1/200" to the left. Buy the new model, the problem may be patched. If not, try buying the next model that's coming out in three weeks.

  5. Stagefright Detection Tool by Anonymous Coward · · Score: 0

    I predict SDTs will spread like wildfire through the live performance community. Exciting news for understudies everywhere!

    1. Re:Stagefright Detection Tool by TWX · · Score: 1

      I predict SDTs will spread like wildfire through the live performance community. Exciting news for understudies everywhere!

      I could take this comment so many different directions...

      At least the Rocky Horror understudies have been exposed so many times that they're immune!

      At least something new will spread through the live performance community, it's been a little dull lately...

      Of course it'll spread through understudies. Why do you think they call them understudies? *wink*

      --
      Do not look into laser with remaining eye.
  6. Isn't this pointless for the average user? by timrod · · Score: 3, Interesting

    From what I understand, Stagefright is a bug that can only be removed in one of two ways: either by an update from the manufacturer of your device, or rooting your device and manually removing the image viewer that Stagefright uses as a vector. There's really nothing an average (non-rooting) user can do to fix their devices but wait, and nothing they can really do to stop it happening to them short of turning their device off completely and preventing it from getting texts. Sure, it'll tell them that their device is vulnerable, but it's a case of "You're vulnerable to Stagefright and can do absolutely nothing about it short of rooting your device until your device manufacturer decides to release an update."

    1. Re:Isn't this pointless for the average user? by sew3521 · · Score: 1

      You can use a program like Textra as your main SMS program. It has security built in to prevent Stagefright.

    2. Re:Isn't this pointless for the average user? by Anonymous Coward · · Score: 1

      From what I understand, Stagefright is a bug that can only be removed in one of two ways: either by an update from the manufacturer of your device, or rooting your device and manually removing the image viewer that Stagefright uses as a vector. There's really nothing an average (non-rooting) user can do to fix their devices but wait, and nothing they can really do to stop it happening to them short of turning their device off completely and preventing it from getting texts. Sure, it'll tell them that their device is vulnerable, but it's a case of "You're vulnerable to Stagefright and can do absolutely nothing about it short of rooting your device until your device manufacturer decides to release an update."

      You can disable packet data for the short term until you resolve the issue on your phone. This will make the phone usable (wifi only for data) and text messages still available, but will not use MMS as packet data is required for this.

    3. Re: Isn't this pointless for the average user? by Anonymous Coward · · Score: 2, Insightful

      Just disable MMS auto-retrieve instead.

    4. Re:Isn't this pointless for the average user? by AmiMoJo · · Score: 1

      Fortunately the bug isn't that bad. Because of ASLR and other defence mechanisms in place (as far back as V2.0) the damage it can do is fairly limited. Maybe a really slow, really expensive DOS attack, until you call up and ask your carrier to block MMS.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re: Isn't this pointless for the average user? by Joce640k · · Score: 1

      how?

      --
      No sig today...
    6. Re: Isn't this pointless for the average user? by Anonymous Coward · · Score: 0

      https://duckduckgo.com/?q=disa...

      Varies by phone, I did it easily enough on an Android 2.4. Most texts come through but if I suspect a picture, I consider the source first before downloading. Suppose I could confirm via text that they intended to send a pic too.

  7. Google and Samsung announcing ... by TheGratefulNet · · Score: 4, Interesting

    >Google and Samsung announcing monthly security updates

    I call bullshit.

    until they take security seriously (which means backporting fixes to old OSes in phones) this is worse than bullshit. its acting like a real fix when, in fact, it's still business as usual. phones will not get updates if the vendor wants to force you to re-re-rebuy yet another phone.

    when there is a push to keep selling you things that you already have, you will NOT get software updates or support.

    the model is broken by design. apple has it mostly right (although they also actively try to force upgrades on hardware by EOLing perfectly good and working hw) but android/google fucked the chicken, here. they decided to make a monolithic system out of the non-monolithic linux base and there's no fixing this broken-by-design idea. vendors are enjoying their wild-west view of things and anything goes! consumer protection is a thing that we used to have 20+ yrs ago, but no one cares about us anymore.

    looking to google to help secure things? HA! samsung? DOUBLE HA!

    both are jokes when it comes to software QUALITY. such a shame, too, that such rich companies don't give time or energy to things that truly are important to users.

    --
    "It is now safe to switch off your computer."
    1. Re:Google and Samsung announcing ... by TWX · · Score: 1

      No one takes security seriously anymore. Everyone's chasing features. End-users simply don't care because there are so many of them that it's impossible to dramatically affect enough of them to build a movement against shoddy software. Everyone knows of someone that had problems yet it's just considered a fact of life.

      In the late nineties I dreamed of the smart home, the smart car, etc. I even played with X10 for awhile and had strongly considered integrating a computer into my car in a fashion that modern automobiles have only embraced in the last five or so years. Now that I see how all of that stuff has been integrated I'm very glad that the most advanced home system I have is a 35-year-old wired analog intercom with stations in most of the rooms of the house and the workshop. Everyone wants their system to tie into their servers even though it literally serves no benefit to the owner and opens a giant security hole and dependency on a vendor that to me is just unacceptable.

      --
      Do not look into laser with remaining eye.
    2. Re:Google and Samsung announcing ... by Dutch+Gun · · Score: 2

      I think they're being forced into this by mounting public/press pressure. They're going through the same discovery process that creators of PC software, browsers, and operating systems went through a decade ago (or more recently with Adobe and Oracle). If a company like Microsoft can get their shit together security-wise, then so can Google and other Android manufacturers. It just requires a fairly serious commitment. Whether this is real or marketing bullshit will become clear soon enough.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:Google and Samsung announcing ... by 0123456 · · Score: 1

      The problem is, if they push an update to my phone that breaks it, I'm in the shit.

      If my PC doesn't work, I can live without it for a few days, or reinstall the OS. If my phone doesn't work, I can... not get urgent messages when I'm on call.

      This is why I avoided getting a smartphone until I no longer had a real choice (I need to run some app to generate login passwords).

    4. Re:Google and Samsung announcing ... by Dutch+Gun · · Score: 1

      True, but I haven't seen updates pushed without my consent so far on my phone. Also, I suspect the chance of your phone being completely bricked by a security update is pretty low. You probably have a much better chance of accidentally dropping and breaking it.

      Still, I do share your fears about mandatory updates. I think Microsoft's Windows 10 update policy for the consumer version is absolute lunacy. It makes sense from a security standpoint, but it's horrible in terms of stability/control for people who rely on their computers. I really, really hope they re-think this aspect of update policy.

      For me, the situation is opposite of yours, in that my computer is absolutely critical for my work, but I could probably live without my phone for a while. Having to reinstall everything would be incredibly disruptive.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    5. Re:Google and Samsung announcing ... by nnull · · Score: 1

      Add to this locked bootloaders and then the second OS Baseband that's completely riddled with bugs and exploits. None of these phones are really secure, even iPhones. Every time I look at my phone I cringe. It annoys the crap out of me that I have no clue what its doing behind the scenes while on a mobile network.

    6. Re:Google and Samsung announcing ... by Anonymous Coward · · Score: 0

      If a company like Microsoft can get their shit together security-wise, then so can Google and other Android manufacturers. It just requires a fairly serious commitment. Whether this is real or marketing bullshit will become clear soon enough.

      Still, I do share your fears about mandatory updates. I think Microsoft's Windows 10 update policy for the consumer version is absolute lunacy. It makes sense from a security standpoint, but it's horrible in terms of stability/control for people who rely on their computers. I really, really hope they re-think this aspect of update policy.

      The real problem here isn't the vendors, it's the carriers.

      How fucked would we be if PC users could buy PCs with Windows or OS X installed, but could only get security updates by downloading ISP-signed binaries from Comcast or AT&T's "official" repositories?

    7. Re:Google and Samsung announcing ... by Dutch+Gun · · Score: 1

      The real problem here isn't the vendors, it's the carriers.

      How fucked would we be if PC users could buy PCs with Windows or OS X installed, but could only get security updates by downloading ISP-signed binaries from Comcast or AT&T's "official" repositories?

      Yep, a good point. Apple was the only one with the clout to avoid that nonsense. It's too bad it didn't set a precedent that the rest of the industry followed. Honestly, I think I might be willing to overlook a little bit of collusion if the rest of the manufacturers got together and demanded the same autonomy.

      Still, my feeling is that Samsung has probably coordinated with the carriers about more frequent security updates. I don't see any reason they would be resistant to the idea, since it's not all that more troublesome for them.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    8. Re:Google and Samsung announcing ... by tlhIngan · · Score: 1

      Yep, a good point. Apple was the only one with the clout to avoid that nonsense. It's too bad it didn't set a precedent that the rest of the industry followed. Honestly, I think I might be willing to overlook a little bit of collusion if the rest of the manufacturers got together and demanded the same autonomy.

      Still, my feeling is that Samsung has probably coordinated with the carriers about more frequent security updates. I don't see any reason they would be resistant to the idea, since it's not all that more troublesome for them.

      The problem is, the manufacturers don't want the autonomy. Apple could do it because they basically told AT&T "Our way or the highway". AT&T would love to say "highway" but they saw the crowd of Apple folks who just want to buy the phone.

      it's the reason all the other carriers quickly acquiesced to Apple as well - they saw AT&T's network problems not as a failure, but an opportunity - if there are so many iPhone users that they're collapsing AT&T's network, then they want in. Verizon's first iPhone was very unique - it worked only on Verizon, yet had absolutely no Verizon branding. And Verizon's apps were forced into the App Store process.

      Plus, Apple has a retail distribution network that's pretty effective. Most handset vendors don't have that - and they need to convince Best Buy and other companies like that to carry their product.

      In short, Apple knew they had a fanbase that would literally force a carrier's hand, a retail distribution network that would eagerly carry their phones, and could exploit this to force carriers to take the iPhone.

      As for Samsung - it's only for a few phones. Remember, Samsung released 2-3 new phone models a week in 2014 (and just over 1 new tablet a week) - something around 130 new phones and 54-ish tablets. I'm pretty certain only the high end flagships like the S6/Edge and Note will probably get rolling releases. Everyone else is screwed.

  8. Ethical Hacking by SuperKendall · · Score: 2

    I'm not saying they should have done it, because of legal exposure, but...

    It would have been pretty cool if the Stagefright detection app, also used the vulnerability to patch your system in some way.

    I wonder how that would have been received, if it had all worked perfectly and not screwed something up.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Ethical Hacking by Anonymous Coward · · Score: 0

      Funny thing, I also thought about an app using the vulnerability to patch it.
      Legal issues might be solved if the user consents to their phone being patched.

      BUT:
      Isn't there something about the critical parts of Android's filesystem usually being mounted read-only?
      And I also seem to remember that Stagefright does not necessarily grant root privileges, especially on more recent phones.
      So I'm not sure if patching the affected library is really an option, given that
      a) the relevant directory might not be writable at all
      b) the compromised process might not have permissions to write there, even if it's writable in principle

      Corrections to my partial/assumed knowledge are very welcome!

    2. Re:Ethical Hacking by swillden · · Score: 1

      The idea of using the vulnerability to patch the vulnerability comes up pretty regularly, but it's just too risky. The Android ecosystem is diverse, which means that the "patch attack" would have to be properly customized for every device (which also affects attackers, BTW), plus the fact that a non-trivial number of devices are rooted and modified by the users means that there is a subset of devices for which the patch attack cannot be properly customized. Screwing up a patch attack could brick devices, so getting it exactly right is critical.

      Then there's the fact that on Android ICS and newer devices this bug is very hard to exploit due to ASLR. You can easily generate a crash in the mediaserver, but to do more than that you need to figure out the address of something else you can tweak to obtain root access. ASLR makes knowing an address impossible, so you just have to try a bunch of random locations until something works... which means you have to send hundreds or thousands of bad MMS messages and there's a non-zero chance that something you tweak may do some damage. Attackers don't care if they screw up some percentage of the devices they target, but patchers do. Oh, and the hundreds/thousands of bad MMS messages are likely to freak out the users... unless you announce to the world what you're doing, which would make attackers' lives easier by convincing users not to freak out when they're under attack.

      Then there's the fact that stagefright by itself doesn't give you root access, and even if you do get root access, that still isn't enough to actually update the system image. You need a kernel-level exploit to be able to remount the system image as read-write so you can fix it. This means that the attack patch would actually need a kernel-level exploit chain in order to patch the bug; stagefright is just the first step. (Note that it's also just the first step for an attacker, since mediaserver probably doesn't give them all the access they want, but they're probably happy with an exploit chain that leads to root compromise; they don't need kernel compromise since they probably don't care about installing a backdoor that persists across reboots.)

      And those are just some of the technical challenges. There are also serious legal issues which are probably showstoppers (IANAL). Your intentions may be pure, but that doesn't always matter in court.

      (Disclosure: I'm a member of Google's Android security team but I'm not speaking in an official capacity. These are my own opinions.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
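The "try a bunch of random locations" argument in the comment above can be put in numbers. The block below is an added example, not code from the comment or from Zimperium; it models each bad MMS as an independent guess against a freshly re-randomized address (the assumption being that the crashed service restarts with a new random base every time, so nothing learned from one attempt carries over), and computes how many messages a pure guess needs for a given confidence. The entropy values in the table are illustrative assumptions, not measurements of any particular device.

```python
"""Added example (not from the comment above): how many exploit attempts a
guess-the-address attack needs when the target is re-randomized on every try.

Model assumed here: the crashing service restarts with a fresh random base on
each failed attempt, so each MMS is an independent guess with success
probability 2**-bits, where `bits` is the ASLR entropy of the address the
attacker must land on. Entropy values used below are illustrative only.
"""
import math


def success_probability(bits: int, attempts: int) -> float:
    """P(at least one of `attempts` independent guesses hits) = 1 - (1 - 2^-bits)^attempts."""
    if bits < 0 or attempts < 0:
        raise ValueError("bits and attempts must be non-negative")
    p_hit = 2.0 ** -bits
    return 1.0 - (1.0 - p_hit) ** attempts


def attempts_for_confidence(bits: int, confidence: float) -> int:
    """Smallest number of guesses giving at least `confidence` chance of success."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if bits == 0:
        return 1  # no randomization at all: the first guess is the right one
    p_hit = 2.0 ** -bits
    # Solve 1 - (1 - p)^k >= c for k; both logs are negative, so k is positive.
    k = math.log(1.0 - confidence) / math.log(1.0 - p_hit)
    return math.ceil(k)


def expected_attempts(bits: int) -> float:
    """Mean number of guesses until the first hit (geometric distribution): 2^bits."""
    return 2.0 ** bits


def attempt_table(entropies=(8, 12, 16, 20), confidence=0.95):
    """One row per assumed entropy: mean, median and `confidence`-level attempt counts."""
    rows = []
    for b in entropies:
        rows.append({
            "bits": b,
            "expected": expected_attempts(b),
            "median": attempts_for_confidence(b, 0.5),
            f"p{int(confidence * 100)}": attempts_for_confidence(b, confidence),
        })
    return rows


if __name__ == "__main__":
    # Each row is one MMS per guess; at 8 bits of entropy that is already
    # hundreds of messages, which is the "freak out the users" point above.
    for row in attempt_table():
        print(row)
```

At 8 bits of entropy a blind guess needs 178 messages for even odds and 766 for 95%; every extra bit doubles those counts. Any information leak that reveals the base address collapses the table to a single message, which is why a leak plus a memory corruption bug is the chain attackers actually look for.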
  9. no support for me either ... by Anonymous Coward · · Score: 0

    Using a 2 year old NEC Android phone which is totally locked down with no way to update it myself. =(
    And NEC has not provided a single update once.....
    Google should provide a tool which would allow users to update their phones themselves instead of having to wait for the manufacturer to do something if those ba$tard$ are willing to do anything at all....

    1. Re:no support for me either ... by drinkypoo · · Score: 1

      Google should provide a tool which would allow users to update their phones themselves instead for having to wait for the manufacturer to do something if those ba$tard$ are willing to do anything at all...

      That is not in their power. The unlock and flash tools are held by the makers of the chipset and/or the makers of the devices. So for example the tegra flash tools come from nvidia but the actual unlock tools come from the vendor, in my case Asus... and Asus made a crap unlock tool that tries to verify that you're using it on an original untampered device. It doesn't work on all the bootloader versions they ever shipped, either. Anyone who got the JB OTA update has only a mediocre shot at it working. Anyone who has had their tablet serviced under warranty, likewise. Pretty pathetic. Really impaired my opinion of Asus.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re: no support for me either ... by Threni · · Score: 1

      Can't they use Google Play Services to roll out a fix to the various files which make up Android? If not, shouldn't such a tool be part of the next fix they roll out? Is there some problem - security or other- to adding/changing/removing system files, assuming the operation/process is signed?

    3. Re: no support for me either ... by drinkypoo · · Score: 1

      Can't they use Google Play Services to roll out a fix to the various files which make up Android?

      In a word, no. The only reason Google can make so many updates by updating Google Play Services is that they have moved more and more of the core functionality into there. However, libstagefright is not part of that functionality, so they can't update it by updating Play.

      For locked, unlockable devices, only the vendors realistically have the ability to produce a patch.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re: no support for me either ... by Anonymous Coward · · Score: 0

      Also while it at first sounds great to be able to update everything via Google Play Services by moving the core functionality there, what Google actually did was basically to "close" all the existing open source functionality by leaving the open source version to rot and releasing newer versions only as closed source apps.

      Some interesting read which gives some background on this:
      http://arstechnica.com/gadgets/2013/10/googles-iron-grip-on-android-controlling-open-source-by-any-means-necessary/

      They could have at least open sourced some basic functionality like the "swiping" input on the Android keyboard (which is a closed source component, not part of AOSP)

    5. Re: no support for me either ... by Threni · · Score: 1

      But why can't they update *everything* using it? If they can't, why can't they introduce such a feature? Microsoft can update everything on their Patch Tuesday updates. Why can't Google? Google knows how broken and hopeless the upgrade situation is with android. Fewer than 1% are on the latest version (5.1) and most are on a 2+ year old version. Can you imagine the response if Microsoft said only users of Windows 10 were going to get security fixes when everyone's on xp and 7?

  10. Yeah...no thanks. by Anonymous Coward · · Score: 0

    I'm not going to install a tool to see if I have a vulnerability, which could potentially cause some douche nozzle to get root on my phone. No thanks. I'd rather take my chances. I'll do a factory reset after the patch is available for my phone anyways.

  11. Re:frist post!!! by davester666 · · Score: 1

    Finally, a first post that makes some sense.

    --
    Sleep your way to a whiter smile...date a dentist!
  12. End of Rolling Releases by ThePhilips · · Score: 1

    I for once welcome the end of the Google's rolling releases stupidity.

    Finally, Android is getting the security updates, as any other mature OS did for literally decades now.

    --
    All hope abandon ye who enter here.
  13. App requires phone number/id/accounts privileges! by Anonymous Coward · · Score: 0

    What the title says. Thanks, I'll pass!

  14. Textra by neo-mkrey · · Score: 1

    My texting app, Textra, updated last weekend with builtin Stagefright protection.

  15. Rooting by Anonymous Coward · · Score: 0

    Looking at the demonstration video, it appears that it is very easy to root the phone. Much easier than more "traditional" rooting techniques with boot loaders and ROMS, which are more trouble than I care to go through, especially if it's going to break Knox and my warranty switch.

    How can I use this vulnerability to gain root for myself?

  16. mitigation by emil · · Score: 1

    On a stock, non-rooted phone you can disable MMS to provide some degree of protection from this particular exploit.

    Although unconfirmed, there are several stagefright booleans in /system/build.prop on some phones. Setting them to false might provide some additional protection. Root and a reasonable text editor will be required (i.e., busybox vi), and you should be able to recover from a boot loop before attempting this modification.
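Before editing /system/build.prop with vi on a rooted phone, it is worth seeing exactly which lines would change. The script below is an added example, not part of emil's comment: it parses a build.prop, lists the stagefright-related booleans that are currently enabled, and produces an edited copy with them set to false while leaving comments, ordering and every other property untouched. The sample file is constructed for this example; its property names are ones commonly seen on some devices, but whether flipping them reduces exposure is, as the comment says, unconfirmed. The script never touches a device: pushing the result back requires root and a read-write remount of /system, and a broken build.prop can boot-loop the phone, so keep the original.

```python
"""Added example, not part of emil's comment: inspect a build.prop for
stagefright-related boolean properties and produce an edited copy with them
switched off, without touching a device.

The sample below is constructed for this example. The script only rewrites
text; writing it to /system is a separate, root-only step.
"""
import re

SAMPLE_BUILD_PROP = """\
# begin build properties (constructed sample)
ro.build.version.release=4.4.2
ro.product.model=ExampleDevice
media.stagefright.enable-player=true
media.stagefright.enable-meta=true
media.stagefright.enable-scan=true
media.stagefright.enable-http=true
media.stagefright.enable-aac=true
media.stagefright.enable-qcp=true
# not stagefright related
persist.sys.usb.config=mtp
"""

# key=value, ignoring blank lines and lines whose first non-space char is '#'
PROP_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_build_prop(text: str) -> dict:
    """Return {key: value} for every non-comment key=value line, in file order."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def _is_stagefright_bool(key: str, value: str) -> bool:
    return "stagefright" in key.lower() and value.lower() in ("true", "false")


def stagefright_booleans(text: str) -> dict:
    """Properties whose key mentions 'stagefright' and whose value is true/false."""
    return {k: v for k, v in parse_build_prop(text).items() if _is_stagefright_bool(k, v)}


def disable_stagefright_booleans(text: str) -> str:
    """Copy of the file with each stagefright boolean set to false.

    Comments, blank lines and ordering are kept so the result is still a
    valid build.prop; only the value part of matching lines changes."""
    out = []
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m and _is_stagefright_bool(m.group(1), m.group(2)):
            out.append(f"{m.group(1)}=false")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def report(text: str) -> list:
    """One line per stagefright boolean that is currently enabled."""
    return [f"{k}={v} (enabled)" for k, v in stagefright_booleans(text).items()
            if v.lower() == "true"]


if __name__ == "__main__":
    # In practice: adb pull /system/build.prop, run this on the copy, diff the
    # two files, and only then consider pushing the edited copy as root.
    for line in report(SAMPLE_BUILD_PROP):
        print(line)
    print(disable_stagefright_booleans(SAMPLE_BUILD_PROP))
```

Run it against a pulled copy of the real file and diff the output against the original; the diff should show nothing but `true` becoming `false` on stagefright lines. Anything else in the diff means the parser mis-read a line and the edited file should not be pushed.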