Slashdot Mirror

← Back to Stories (view on slashdot.org)

Certifi-gate: Another Huge Android Vulnerability

Posted by Soulskill on from the don't-come-around-here-with-your-gates dept.

An anonymous reader writes: Security research firm Check Point has released information about a new vulnerability called Certifi-gate, which they say compromises the security of hundreds of millions of Android devices. The flaw exists within the mobile Remote Support Tools, which are intended to enable screen sharing and simulated taps for tech support purposes. Unfortunately, the way mRSTs validate the remote operator is easy to exploit. Because the software is designed to allow both monitoring of a device's screen and simulated input, the potential for misuse is quite serious. The flaw was disclosed to manufacturers a month ago. HTC, for one, has confirmed it is already starting to roll out a fix.

12 of 69 comments (clear)

  1. Enough by nmb3000 · · Score: 4, Insightful

    Certifi-gate

    Okay, y'all have had your fun. Enough of this bullshit.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
    1. Re:Enough by Adriax · · Score: 2

      Still waiting for "NAND-Gate", where some big flash memory manufacture is caught using another companies designs or something.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    2. Re:Enough by DustPuppySnr · · Score: 2

      https://www.youtube.com/watch?...

    3. Re:Enough by GNious · · Score: 3, Funny

      yeah, with all the -gate names, it's as if they're having a gate-athon.

  2. Confused by koan · · Score: 3, Insightful

    Why is it HTC's responsibility to patch it? Why not a global patch from Android.

    In addition if a car manufacturer knows there is a serious issue with a car and doesn't recall, they are liable for the accidents that happen.
    Why aren't software corps held to a similar standard if security researchers have informed them of the bug.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Confused by timrod · · Score: 4, Informative

      It's not HTC's responsibility to patch all devices. Each manufacturer has a different hardware configuration and usually runs their own "flavor" of Android - HTC's version of Android is different from Samsung's, which is different from Google's. It's not simply a case of Google saying "fix it" and shipping patches to every single Android device out there. Google doing that would be like the Debian group trying to ship Debian patches to Ubuntu - it wouldn't work.

      HTC is merely saying "We're stepping up as soon as possible to patch devices that originated from us, starting with the HTC One M9."

  3. Re:I wish by Gaygirlie · · Score: 3, Interesting

    Have you checked if there are any custom ROMs for it on XDA-forums? I got fed up with these vulnerabilities myself yesterday, what with LG taking a minimum of 6 months to even consider doing anything, and wiped my LG G2 and installed Cyanogenmod on it; no bloat, much slicker, and both this and the Stagefright - bugs have been fixed. I have Cyanogenmod 12 on my aging Galaxy Note, too, that I just have hanging around as a replacement phone should something happen to my G2: Samsung never updated the Note beyond Kitkat and Samsung's own firmware was rife with bugs and god damn that Touchwiz slowed things down, but, again, replacing the official ROM made the device feel like new.

  4. That is confusing, who is "Android"? by SuperKendall · · Score: 4, Insightful

    Why is it HTC's responsibility to patch it? Why not a global patch from Android.

    Who is "Android"? Do you mean Google?

    If so, why should they be responsible - after all, HTC is the one who took a build of Android and customized it for your phone.

    In fact between HTC and Google, really HTC *should* be responsible since they are the ones that customized it in a way that you could not just take straight patches from Google.

    The problem is of course, that none of the phone makers are serious about security at all (they are making noises, but I'll bet it's just to placate the howling internet). So not only do they not patch Android themselves, they don't want to do the work to even fold in the fixes Google makes.

    What would be refreshing is to see a handset maker that really took ownership of the whole system. Sure they would build on Android to start, but they could do so much more - they could have their own security QA team looking for problems, fixing what they found and responding to security vulnerabilities even faster than Google.

    They could contribute that work back to Google even, safe in the knowledge it wouldn't even help competitors since they are unable to incorperate Android patches.

    Samsung *could* be that company. It's a mystery to me why they are not... they also are making noises about being serious about security but there has been so much hot air in the past around Google and phone makers cooperating "for real" that I refuse to take any statement at face value.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:That is confusing, who is "Android"? by swillden · · Score: 5, Informative

      really HTC *should* be responsible since they are the ones that customized it in a way that you could not just take straight patches from Google.

      It's even more than that, since the security vulnerability in this case was added by HTC. There are no remote support tools in the base Android platform, and therefore no insecure remote support tools.

      No Nexus devices have this problem.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Android update weakness by mcrbids · · Score: 5, Insightful

    I have a pretty decent phone. A flagship phone that's now 3 years old, the Moto Razr Maxx HD. It's a bit long in the tooth, but it still has a sharp, bright screen, decent battery life, and while it's not lightning fast, it does everything I need smoothly and comfortably.

    But Moto doesn't sell it anymore. I'm pretty sure it's EOL anymore, which probably makes me SOL.

    But it keeps chugging on, and as a consumer, shorting of reading tech sites like /., I would never know that there's any problem at all. Meanwhile, my security keys are being lifted, my email passwords are stolen, and somebody's posting Donkey pictures on my Facebook account and I have no idea how or why.

    But, even if I *weren't* SOL, there's the issue that, while my Linux laptop gets updated daily, and my Windows laptop gets updated weekly, my phone gets updated (perhaps) a few times per year.

    See the problem, yet? We're seeing just the bare beginning.

    The bright boys at Google need to figure out a way to update Android and bypass the carriers, or at least, provide a side-channel way to roll out security updates, or their whole ecosystem will collapse in an orgy of viruses and malware.

    For my next phone, I just might make sure I can run Cyanogenmod on it, if for no other reason than the hope of getting security updates in a reasonable timeframe.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Android update weakness by gTsiros · · Score: 4, Informative

      You think you have it bad? My barely two year old xperia z ultra, another "flagship", has already been pretty much abandoned, after releasing a half-assed update to lollipop with many bugs introduced which make you question if they even *have* a QA department (tapping the alarm icon in the status bar, for example, fails to open the alarm app... as it does in kk), I assume to please the masses.

      Their "user forums" are filled with idiots who either can't use their phones or poor sods who face actual problems but more often than not are asked to do a factory reset.

      Android had such potential, but google knly needs it to be popular for ad views thus it has become a shit operating system, development cycle and "ecosystem" in general.

      --
      Looking for people to chat about multicopters, coding, music. skype: gtsiros
  6. More line an advertisement than a factual story! by Dr_Marvin_Monroe · · Score: 2

    This should prob. have been an interstitial ad instead of a story!
    What exactly is going on? Is it a problem with the installed certificates? Weakness in the tools? Which ones are effective and which are weak? How can I determine if my Android has this crapware installed?

    How did the moderators decide to let this story through?

    The links provide nothing more than a security scanner! There are no specifics other than 'Google is working with OEMs...'. So what? How about providing some information I can use....not ads that are designed to look like news stories.