Slashdot Mirror


Google Hackers Expose 11 Major Security Flaws In Samsung Galaxy S6 Edge (hothardware.com)

MojoKid writes: Going on a bug hunt might not sound like the most exciting thing in the world, but for Project Zero, the name for a team of security analysts tasked by Google with finding zero-day exploits, a good old fashioned bug hunt is both exhilarating and productive. As a result of Project Zero's efforts to root out security flaws in Samsung's Galaxy S6 Edge device (and by association, likely the entire Galaxy S6 line), owners are now more secure. The team gave themselves a week to root out vulnerabilities. To keep everyone sharp, the researchers made a contest out of it, pitting the North American and European participants against each other. Their efforts resulted in the discovery of 11 vulnerabilities, the "most interesting" of which was CVE-2015-7888. It's a directory traversal bug that allows a file to be written as a system. Project Zero said it was trivially exploitable, though it's also one of several that Samsung has since fixed.

61 comments

  1. File... by Anonymous Coward · · Score: 0

    System... ? Never mind.

  2. The winner? by paavo512 · · Score: 1

    to keep everyone sharp, the researchers made a contest out of it pitting the North American and European participants against each other.

    So, who won?

    1. Re:The winner? by Alwin+Henseler · · Score: 5, Interesting

      Those end-users that are 'lucky' enough to actually receive updates once in a while.

      That is THE problem with Android right now imho: leaving updates to the OS to 3rd parties that are just interested in selling a phone or call/SMS/data package, is a totally broken model. Those 3rd parties should be required to provide working drivers for the hardware in their phone, in source form, and whoever maintains the OS (Google I suppose, or maybe some industry co-operation) should take it from there. Including the distribution of updates.

      Those 3rd parties have too big a tendency to sell the phone & walk away. That is easy to foresee, and has been proven time and time again. So you simply CAN NOT rely on phone makers or providers to supply updates. Period. Trying to fix the problem when it's too late, doesn't help much: even if Google changes Android update model to how it should be, that still leaves hundreds of millions of phones out there which will never ever see an update again, but still be used for a long time to come.

    2. Re:The winner? by Anonymous Coward · · Score: 0

      Except that gaining root just got 1000x harder. Fuck those guys for that.

    3. Re:The winner? by CastrTroy · · Score: 2

      This is the main reason I'm not on Android anymore. The last Android phone I bought was released 6 months before Android 4 came out. But it never received a single update. It was stuck on Android 2.3, and I used it for years like that.

      I switched to Windows phone this time around, because it seems like it's much more likely to get updates going forward. The only other option is iPhone, but I don't like the idea of spending $700 on a phone that only comes with 16 GB of storage and can't be upgraded using SD Cards.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:The winner? by IamTheRealMike · · Score: 1

      Well, did you read the article?

      Samsung have patched nearly all the bugs in the October online update and the rest will be done in this month's update. So your anger is misplaced: Samsung have joined the monthly update cycle Google is pushing. I see no reason to believe the Nexus team would be doing things any faster.

    5. Re:The winner? by nevermore94 · · Score: 1

      Exactly. Being able to root my phone is very important to me, but full on ROMing is not. Currently the only reliable way to be able to root a phone without using some obscure exploit is to be able to unlock the bootloader and go from there. I wish Android would just support an official and highly secured way of getting root access (2 key authentication or something even better) to allow us to run a few root apps such as Titanium Backup and a proxy app that lets me connect to my company's network without having to either get one of the few unlockable phones, or rely on some exploit that is likely to be fixed.

      --
      Nevermore.
    6. Re:The winner? by iampiti · · Score: 1

      Root is supposed to be impossible to get in Android phones. What you're complaining about is fixing of security bugs (yes, I know you know but this is worth being underlined).
      How it should be is that you could get to be root in Android as a system feature not because of security bugs, but we know Google wouldn't like that. I still think a user should be able to do 99% of things that require root like running a firewall or mounting the system partition read/write so that you can delete apps which you'll never use but are stored there.

    7. Re:The winner? by KGIII · · Score: 1

      Thoughts on the Windows phone? I'm seriously considering switching and the Ubuntu phone doesn't appear like it's an option/carrier supported. Four months into my new phone and nary one update except for the one that came down the pipes when I first got it. I hear good things about the Windows 10 phone but I hear those from people whom I'd not classify as technical in nature. Getting input from someone with a grasp of tech and the variable benefits and negatives would be nice - if you have time and are so inclined.

      --
      "So long and thanks for all the fish."
    8. Re:The winner? by CastrTroy · · Score: 1

      The only problem that I have is that certain apps don't exist. Battery life is great. OS is quick and stable. Everything feels nicely integrated. It's not like there's anything I find that I can't do, because there's other apps that accomplish the same functionality. But if you're the kind of person who can't live without specific services, like SnapChat, then you aren't going to like it.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    9. Re:The winner? by KGIII · · Score: 1

      Thanks! That's exactly the kind of person that I am not. I don't really use any apps other than a browser, file manager, etc... I don't do social media (don't have any accounts) and I'd like to be able to use it as a phone and a web browser. I might like to check my home security (I can do that through a browser) and use VNC to connect to a home computer - which can also be done through a browser, if I put some effort into it. I can also just get the TightVNC client source and see if it compiles. I don't think the phones have the same CPU so I'd have to compile it, I'm guessing. That shouldn't be too tough. It's not even a requirement, just a nice feature.

      Thanks, again. I'll start taking a look at them a little more. US Cellular's pretty cool so all I need to do is find a store and I'll be able to switch. LOL Make sure you call Microsoft and tell them you want a commission. That's good enough for me to try it, at least. I'm *that* tired of Android and I don't feel like trying to go to the Apple ecosystem - I'm not sure how well those interact with Linux. Then again, I don't do a whole lot of interaction as it stands - like transferring files, using it as a hotspot, etc...

      --
      "So long and thanks for all the fish."
    10. Re:The winner? by lexman098 · · Score: 1

      Those 3rd parties should be required to provide working drivers for the hardware in their phone, in source form, and whoever maintains the OS (Google I suppose, or maybe some industry co-operation) should take it from there.

      Are you advocating that Google make their OS inherently compatible with all manufacturers that give them the source to their drivers or that the manufacturer should make the source to their drivers public? Neither of those are ever going to happen.

      The situation is a quagmire of Google not having control of the hardware while most manufacturers don't care to update the software. Apple of course gets around this by controlling both, but that's not exactly desirable either from my standpoint. The same problem exists with Windows where a new version (XP->Vista/7, 7->8/10) causes drivers to break and manufacturers are required to update their software for the new OS.

      The solution is actually pretty simple. Either A) make your purchasing decision based on the *current* feature set and treat any updates as gravy or B) make sure to purchase from a manufacturer with a good track record of releasing updates.

    11. Re:The winner? by unity · · Score: 1

      " I might like to check my home security (I can do that through a browser) and use VNC to connect to a home computer - which can also be done through a browser, if I put some effort into it. I can also just get the TightVNC client source and see if it compiles."

      There are existing VNC clients for windows phone.
      I don't think the "app gap" is really much of a problem, there hasn't really been a situation where I couldn't do what I wanted with the phone. But even if it is a real problem, I think it will disappear once win10 is officially released for the phone and the universal apps dominate the WP ecosystem. I'm partial to my Lumia 1520.

    12. Re:The winner? by KGIII · · Score: 1

      Thanks! I'm certainly going to buy one at this point. I'm not too picky. I'm just tired of the Android crap - the insecurity is just vile and I don't really want to have to play with keeping yet another device in sync unless it's trivially easy and the cell co doesn't seem to want to do that. With Windows, I should be able to just update the damned thing. I really want an Ubuntu phone but that doesn't appear to be happening any time soon.

      Heh... I'm buying a Windows device - on purpose, willingly, and kind of eagerly. WTF?

      --
      "So long and thanks for all the fish."
  3. And in other news... by arglebargle_xiv · · Score: 3, Interesting

    ... other Android phone vendors have also responded to these vulnerabilities by informing their customers to keep buying new phones every few months and checking whether they contain updated firmware that may fix some of the problems.

    (Dedicated Android user here, but damn, sometimes I envy the iOS blue pill).

  4. System by Anonymous Coward · · Score: 0

    It's a directory traversal bug that allows a file to be written as a system.

    That should read "as the system user".

    1. Re:System by Anonymous Coward · · Score: 0

      The 'system' user? Not the 'systemd' user?

  5. As if Samsung will give a shit. by cyber-vandal · · Score: 2

    They're hopeless at providing updates.

    1. Re:As if Samsung will give a shit. by Anonymous Coward · · Score: 1

      Samsung have no control over telco update deployment. And if you bothered to read, you'd have seen many were fixed long before these "hackers" found them, which means the "hackers" merely looked at the fixes to create an exploit.

    2. Re: As if Samsung will give a shit. by cyber-vandal · · Score: 1

      I was a Samsung customer. I have first hand experience of their uselessness. The telco here in the UK wasn't the issue. Samsung just had no interest in providing any updates.

    3. Re: As if Samsung will give a shit. by Anonymous Coward · · Score: 0

      I was a Samsung customer. I have first hand experience of their uselessness. The telco here in the UK wasn't the issue. Samsung just had no interest in providing any updates.

      How do you know the Telco wasn't the issue? Samsung has provided many updates that various Telcos have not provided to their customers in their network. You know for sure that your Telco never received an update from Samsung that they didn't pass on to their customers?

      If you follow the web sites that follow updates from Samsung (and others) you will see that customers of various Telcos get the updates at different times, or not at all.

    4. Re:As if Samsung will give a shit. by drinkypoo · · Score: 3, Interesting

      Samsung have no control over telco update deployment.

      Telco update deployment is a red herring. I can just wander over the Nexus download page and grab a new system image for any Nexus device, and I don't need my carrier's permission. What prevents Samsung from doing the same? Perhaps they made deals with carriers not to provide you the updates directly? In which case, how is that anyone's fault but their own, and why would you want to make excuses for that customer-fucking behavior?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:As if Samsung will give a shit. by Goaway · · Score: 2

      Samsung have no control over telco update deployment.

      Bullshit. They can make sure the telcos are contractually obligated to publish timely updates.

      They don't, because they don't give a shit.

    6. Re:As if Samsung will give a shit. by Anonymous Coward · · Score: 0

      Samsung also proves time and time again to be hopeless at security. Their customizations on top of Android tend to fare much worse than pure Android devices like Nexus'. Avoid at all costs.

    7. Re:As if Samsung will give a shit. by acoustix · · Score: 1

      Bullshit. They can make sure the telcos are contractually obligated to publish timely updates.

      They don't, because they don't give a shit.

      I wish that were true, but what leverage do the handset makers have against the telcos? Apple was the only one so far to beat the telcos and get direct access to update their devices. But what can Samsung, HTC, LG, and others do about it? Their market share is smaller and they cannot throw their weight around to force the telcos.

      I hate the idea of additional government regulations, but maybe the FCC needs to mandate that the carriers don't have any control over the software updates. My landline provider has no say in my phone system. My ISP has no say on the devices I use on their network. Why does Verizon or AT&T?

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    8. Re:As if Samsung will give a shit. by fustakrakich · · Score: 1

      They don't, because they don't give a shit.

      They don't have to. The customers don't give a shit either. They just keep on buying anyway.

      --
      “He’s not deformed, he’s just drunk!”
    9. Re:As if Samsung will give a shit. by PincushionMan · · Score: 1

      What prevents Samsung from doing the same? Perhaps they made deals with carriers not to provide you the updates directly? In which case, how is that anyone's fault but their own, and why would you want to make excuses for that customer-fucking behavior?

      In a word: TouchWiz.
      TouchWiz is the ROM atop the Android ROM on Samsung phones. It provides a customized UI, custom lock screens, customized dialer, contacts, alarms, settings, etc... That's why they require Dual core or better and loads of RAM. It must take a cubic butt-ton of effort to get that crud to run over the top of Android.

      Personal experience: I had a dual core S3 (US variant), and IMHO, it was awful. It stuttered when unlocking, frequently dropped calls, apps wouldn't install or run. Phone updates were infuriatingly infrequent. I began to think that I made a huge mistake picking Android over Apple. I gave Android one last try with CyanogenMod. Phone became great. Apps would install and run reliably, no stutter on unlock, and reliable updates (depending if they are unified or hardware specific today). Only complaint I had was the Camera - kept crashing which would require a reboot for further camera access, although 3rd party camera apps made the camera crash less often. That's all fixed with Lollipop. Rumor mill has it that it will even run Marshmallow at some date in the future. There's at least one custom Marshmallow ROM floating around out there right now.

    10. Re:As if Samsung will give a shit. by drinkypoo · · Score: 1

      Apple was the only one so far to beat the telcos and get direct access to update their devices.

      That's not true. You can get factory system images for Nexus devices directly from Google. In my experience the OTAs for carrier-agnostic devices may precede their presence there, but only briefly. Granted, there are other problems with Nexus devices, and I went Moto with my last phone instead...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:As if Samsung will give a shit. by IamTheRealMike · · Score: 1

      Traditionally phones have been subsidised by the carrier. What this means is that from the user's perspective, they got the phone from the carrier. The carrier has the tech support infrastructure and the customer relationship, even if it says Samsung or Sony or whatever on the box. That means if something goes wrong .... the customer calls the telco. Not Samsung.

      As a result of this, the OEM's customer is actually the carriers, not the end users. And carriers learned the hard way in the 1990's and for much of the 2000's that OEMs suck at software and have a habit of making firmwares that are bug ridden pieces of crap. And never updating them.

      It's popular to blame the carriers for the slow pace of firmware updates, and surely, they do share some of the blame. They should have sorted out their internal processes a long time ago. The reason they didn't is simply:

      1. The carrier QA processes do in fact find a lot of bugs

      2. Most OEMs have historically simply not done security patches, and when they did do firmware revs, actually introduced new bugs with the updates.

      So that's why carriers insist on re-qualifying firmwares and why it takes forever. It isn't because they're diabolically evil or anything (at least not in most cases).

      Now things are getting better. Samsung took these security reports from Google, fixed them, and pushed out the fixes with the new monthly online updates they're doing. Carriers are taking a risk by doing this: if an update goes wrong, it'll be them taking the heat from customers and Samsung only secondarily. But that's the new world they're playing in.

    12. Re: As if Samsung will give a shit. by cyber-vandal · · Score: 1

      Because my phone was carrier free.

    13. Re:As if Samsung will give a shit. by iampiti · · Score: 1

      What prevents Samsung from doing the same?

      Nothing except their own desire to sell you their newer phones. The telcos have very little to do with it since they still stop releasing updates for the unbranded version of their phones after a year or two after release.
      I guess they just don't see it as a money-generating move.

    14. Re:As if Samsung will give a shit. by myowntrueself · · Score: 1


      What prevents Samsung from doing the same? Perhaps they made deals with carriers not to provide you the updates directly? In which case, how is that anyone's fault but their own, and why would you want to make excuses for that customer-fucking behavior?

      In a word: TouchWiz.
      TouchWiz is the ROM atop the Android ROM on Samsung phones. It provides a customized UI, custom lock screens, customized dialer, contacts, alarms, settings, etc... That's why they require Dual core or better and loads of RAM. It must take a cubic butt-ton of effort to get that crud to run over the top of Android.

      I don't see why TouchWiz stops Samsung from deploying OTA updates to its phones independent of the telcos/carriers. OTA updates are really NOTHING to do with the carriers at all.

      --
      In the free world the media isn't government run; the government is media run.
    15. Re: As if Samsung will give a shit. by Anonymous Coward · · Score: 0

      Because my phone was carrier free.

      And you can't find updates directly from Samsung? Which Samsung model do you have that never got any upgrades?

      I've had multiple Samsung models, and never experienced that any of them had zero updates. If you are talking about not getting new upgrades for long enough, for enough years, then I agree with you, especially for certain models.

      But that is not what you said, it would be very interesting to hear which Samsung model that never had any updates available at all.

    16. Re:As if Samsung will give a shit. by Karlt1 · · Score: 1

      Telco update deployment is a red herring. I can just wander over the Nexus download page and grab a new system image for any Nexus device, and I don't need my carrier's permission. What prevents Samsung from doing the same? Perhaps they made deals with carriers not to provide you the updates directly? In which case, how is that anyone's fault but their own, and why would you want to make excuses for that customer-fucking behavior?

      Wow, grab a new system image that erases your phone and all of its contents and only the apps will be restored but not the data for the apps......

    17. Re: As if Samsung will give a shit. by cyber-vandal · · Score: 1

      It was a Note 2 and I didn't say it didn't get any updates I said it didn't get enough updates. One 4.4.2 update in 2 years and possibly one other while numerous security vulnerabilities went unpatched before and after that update is shocking. Stop getting hysterical just because I'm telling you my actual experience. I own a Nexus 6 now which gets updated regularly because Google aren't as incompetent as Samsung.

    18. Re: As if Samsung will give a shit. by Anonymous Coward · · Score: 0

      It was a Note 2 and I didn't say it didn't get any updates I said it didn't get enough updates. One 4.4.2 update in 2 years and possibly one other while numerous security vulnerabilities went unpatched before and after that update is shocking. Stop getting hysterical just because I'm telling you my actual experience. I own a Nexus 6 now which gets updated regularly because Google aren't as incompetent as Samsung.

      Nobody is hysterical, but you said "Samsung just had no interest in providing any updates." which sounded very strange.

      And, btw, Android 5.0 is available for Samsung Note 2.

    19. Re: As if Samsung will give a shit. by cyber-vandal · · Score: 1

      Not in the UK it isn't.

    20. Re: As if Samsung will give a shit. by Anonymous Coward · · Score: 0

      Not in the UK it isn't.

      Which is probably back to the UK carriers not wanting it, since the upgrade is available in multiple markets. That Samsung shouldn't let carriers have this power I fully agree on. There are guides on how to install it anyway, but agree that it shouldn't be necessary.

    21. Re: As if Samsung will give a shit. by cyber-vandal · · Score: 1

      Or Samsung could've decided that themselves. I don't know why you're so desperate to defend them. Their uselessness at providing updates isn't something I just made up.

  6. RTFA by WSOGMM · · Score: 1

    What I wanna know is, which team won the competition?

  7. "as a system"? by wonkey_monkey · · Score: 1

    allows a file to be written as a system

    Whut?

    --
    systemd is Roko's Basilisk.
    1. Re:"as a system"? by Anonymous Coward · · Score: 0

      In Android parlance this means "as a practically-root"

    2. Re:"as a system"? by SpectreBlofeld · · Score: 1

      I *assume* that means that it allowed files to be written to the normally read-only system partition.

    3. Re:"as a system"? by wonkey_monkey · · Score: 1

      You'd think so, but no. It...

      ...allows an attacker to write a controlled file to an arbitrary path as the system user.

      --
      systemd is Roko's Basilisk.
  8. This. by tlambert · · Score: 4, Insightful

    Samsung have no control over telco update deployment. And if you bothered to read, you'd have seen many were fixed long before these "hackers" found them, which means the "hackers" merely looked at the fixes to create an exploit.

    This.

    The bug hunting, and the 90 day public disclosure window for the bugs ... this is "version shaming", in order to try to get the partners to update their firmware, and to get the telcos to deploy the updates.

    It generally costs a partner the same to do a new version of Android as it did to do the original version of Android. This is because most of the code changes needed to port the software to a device in the first place, and most of the partner productization changes, are not upstreamed back into the Android main line tree. They weren't put there in the first place, since Google and the partners have non-disclosure agreements in place so that Samsung doesn't get to know what another Android phone maker is about to release, and they don't know what Samsung is about to release.

    This makes the process very messy, and it makes updating the version actually running on the phone very very messy, and if a kernel change is necessary because the user space uses new or altered user/kernel interfaces, it makes things even more difficult, since it means kernel changes which have to be upstreamed as well, and that usually means making them available to, but not "cleaning up to the point of acceptability to upstream Linux" for those.

    The telco business model has been to get you locked into a 2 year contract at initial signup, and then cause you to re-up the contract every 18 months by offering a new phone with the new OS to get the new features, and to be compatible with the new "store" offerings in apps, in order to *keep* you perpetually locked into the two year window.

    The partner model has been to create low margin OEM phones, with the understanding that they will make up for the low margin on volume, by having a rolling inventory of the new model going into those 18 month renewal window pipeline themselves.

    In both cases, these are not "buy once, use forever" devices. Neither are iPhones (try to find a 2G service area on either coast for AT&T to use the first generation iPhone; AT&T is actively ripping out 2G capacity, since that's the only way to force someone off a grandfathered unlimited data contract).

    Practically speaking, it's in no one's interest, but Google, since they've been eating the bad press on the update situation whenever there's a bug found, and a security flaw is generally the most convenient can opener. Effectively they are using this as judo, to try and version shame both the partners and the telcos: the partners into the development effort for an update, and the telco for the deployment of those updates.

    In other words, they are trying to mimic the Apple model, without the hardware or iOS source base homogeneity that allows it to work.

    It will be quite interesting to see how long this goes on before something cracks. My personal prediction on what will crack is that the telcos will start offering updated phones earlier, with a prorated valuation on the old phones, and roll the costs into the hardware costs in the first place, and thus into the monthly billing cost.

    1. Re:This. by Anonymous Coward · · Score: 3, Interesting

      Meanwhile, the unbranded telco-free Australian firmware for the Galaxy S4 is behind the rest of the world - as far as I'm aware, every country except Australia and Colombia are on Lollipop (carriers included), but we're stuck on KitKat. The carriers certainly aren't the cause of that.

    2. Re: This. by cyber-vandal · · Score: 2

      Yeah it's all the carriers' fault. Samsung are perfect in every way. Except they aren't. I'm never buying a Samsung again because they're poor quality, filled with bloatware and security bugs go unfixed. I had a carrier-free Note 2 and yet the 4.4 update took an eternity to come out. Meanwhile they didn't bother to fix any of the security bugs in their 4.2 firmware or any of the others in the 4.4 after it was finally released. No danger of getting Lollipop for it either. I've now got a Nexus 6 that is updated regularly. Fuck Samsung and fuck all you weirdo Samsung fanbois.

    3. Re:This. by Anonymous Coward · · Score: 0

      Samsung defence force activate!

      Form of, my favourite multinational corp can do no wrong!

    4. Re:This. by Anonymous Coward · · Score: 0

      Well in Australia you have to turn all of the variables upside down and compile in a counter clockwise fashion. That takes time and money!

    5. Re: This. by Anonymous Coward · · Score: 0

      I just wish my note 2014 would update. It downloads, reboots, starts the update and then fails. At least when it fails it rolls back.

    6. Re: This. by Anonymous Coward · · Score: 0

      That happened to me before, but that's because I filled up the internal memory so that less than 600MB was free. Usually they'll tell you it needs 2-3 GB free.

    7. Re: This. by tlambert · · Score: 1

      Yeah it's all the carriers' fault. Samsung are perfect in every way. Except they aren't. I'm never buying a Samsung again because they're poor quality, filled with bloatware and security bugs go unfixed.

      I'm confused.

      Did you simply fail to understand the part where I stated that the partner model was to ship many units at low margin, rather than a smaller number of units at higher margin? The Android partners, including Samsung, are also to blame.

      Even if this is largely driven by their customers being the telcos, rather than the end users, it's Samsung's choice as to which market they want to participate in (the end users do not directly pay for the phones, except in an amortized way, and they will pay that fee regardless of whether or not they get a new phone in exchange for paying it).

      Also, partner updates are trapped behind source base non-homogeneity -- this is partly the partner's fault, since they want to maintain secrecy -- and partly Google's fault, for not insisting that all changes to build a platform image be upstreamed to the Android source base -- and partly Linux's fault, for not taking externally generated platform support patches and beating on them into shape to make them acceptable to integrate, rather than expecting the people providing the support to do it for them. You could even blame git's architecture, somewhat, for not supporting security partitioning of versions by user ID, so that two companies' secrets could live in the same repository, yet remain secret.

      So plenty of economically driven blame to go around, here.

    8. Re:This. by KGIII · · Score: 1

      Well, duh, you just have to take your phone to Europe. ;-) It might be cheaper than an iPhone.

      Actually, my daughter's an iHead. She's got an iPhone. I've not played with the latest one, that she has, but the last one was kind of spiffy. She's also insane. The minute a new model drops, she buys it. She then sells her old one. I'm not certain but I do believe she goes for the one with the most memory and, as said, they seem to be, legitimately, good.

      --
      "So long and thanks for all the fish."
  9. Re:lol by Anonymous Coward · · Score: 0

    hotforhardware, help(crap)-netsecurity, threatpost, the stack and itworld.... these sites need to be banned from slashdot.... they're the biggest spammers and their articles are often incomplete or 5 paragraphs long.... low SEO quality, just for ad revenue

  10. Android by sociocapitalist · · Score: 4, Informative

    Other than buying Nexus devices, the best way to 'secure' an Android phone appears to be to keep nothing of value on it.

    I'm considering returning a Marshall phone I just bought because (a) it's still vulnerable to Stagefright even though it's a phone that was brought to market within the last thirty days and (b) I have zero confidence that updates will ever make this a reasonably secure phone.

    A shame really as I like the phone and the sound quality is better than any other phone.

    --
    blindly antisocialist = antisocial
  11. Samsung to hackers: Thanks. You're all under arre by mnemotronic · · Score: 2
    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  12. VirginMobile pushes updates... by Anonymous Coward · · Score: 0

    but my bare bone LG cannot update due to insufficient space even though there is .5G of memory available!