Certifi-gate: Another Huge Android Vulnerability
An anonymous reader writes: Security research firm Check Point has released information about a new vulnerability called Certifi-gate, which they say compromises the security of hundreds of millions of Android devices. The flaw exists within the mobile Remote Support Tools, which are intended to enable screen sharing and simulated taps for tech support purposes. Unfortunately, the way mRSTs validate the remote operator is easy to exploit. Because the software is designed to allow both monitoring of a device's screen and simulated input, the potential for misuse is quite serious. The flaw was disclosed to manufacturers a month ago. HTC, for one, has confirmed it is already starting to roll out a fix.
I have a pretty decent phone. A flagship phone that's now 3 years old, the Moto Razr Maxx HD. It's a bit long in the tooth, but it still has a sharp, bright screen, decent battery life, and while it's not lightning fast, it does everything I need smoothly and comfortably.
But Moto doesn't sell it anymore. I'm pretty sure it's EOL now, which probably makes me SOL.
But it keeps chugging on, and as a consumer, short of reading tech sites like /., I would never know that there's any problem at all. Meanwhile, my security keys are being lifted, my email passwords are stolen, and somebody's posting Donkey pictures on my Facebook account, and I have no idea how or why.
But, even if I *weren't* SOL, there's the issue that, while my Linux laptop gets updated daily, and my Windows laptop gets updated weekly, my phone gets updated (perhaps) a few times per year.
See the problem, yet? We're seeing just the bare beginning.
The bright boys at Google need to figure out a way to update Android and bypass the carriers, or at least, provide a side-channel way to roll out security updates, or their whole ecosystem will collapse in an orgy of viruses and malware.
For my next phone, I just might make sure I can run Cyanogenmod on it, if for no other reason than the hope of getting security updates in a reasonable timeframe.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Really, HTC *should* be responsible, since they are the ones that customized it in a way that you could not just take straight patches from Google.
It's even more than that, since the security vulnerability in this case was added by HTC. There are no remote support tools in the base Android platform, and therefore no insecure remote support tools.
No Nexus devices have this problem.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.