Slashdot Mirror


Google Hackers Expose 11 Major Security Flaws In Samsung Galaxy S6 Edge (hothardware.com)

MojoKid writes: Going on a bug hunt might not sound like the most exciting thing in the world, but for Project Zero, the name for a team of security analysts tasked by Google with finding zero-day exploits, a good old-fashioned bug hunt is both exhilarating and productive. As a result of Project Zero's efforts to root out security flaws in Samsung's Galaxy S6 Edge device (and by association, likely the entire Galaxy S6 line), owners are now more secure. The team gave themselves a week to root out vulnerabilities. To keep everyone sharp, the researchers made a contest out of it, pitting the North American and European participants against each other. Their efforts resulted in the discovery of 11 vulnerabilities, the "most interesting" of which was CVE-2015-7888. It's a directory traversal bug that allows a file to be written as system. Project Zero said it was trivially exploitable, though it's also one of several that Samsung has since fixed.

1 of 61 comments

  1. This. by tlambert · Score: 4, Insightful

    Samsung have no control over telco update deployment. And if you bothered to read, you'd have seen many were fixed long before these "hackers" found them, which means the "hackers" merely looked at the fixes to create an exploit.

    This.

    The bug hunting, and the 90 day public disclosure window for the bugs ... this is "version shaming", in order to try to get the partners to update their firmware, and to get the telcos to deploy the updates.

    It generally costs a partner the same to do a new version of Android as it did to do the original version of Android. This is because most of the code changes needed to port the software to a device in the first place, and most of the partner productization changes, are not upstreamed back into the Android main line tree. They weren't put there in the first place, since Google and the partners have non-disclosure agreements in place so that Samsung doesn't get to know what another Android phone maker is about to release, and they don't know what Samsung is about to release.

    This makes the process very messy, and it makes updating the version actually running on the phone very, very messy. If a kernel change is necessary because the user space uses new or altered user/kernel interfaces, it makes things even more difficult, since it means kernel changes which have to be upstreamed as well, and that usually means making them available to, but not "cleaning up to the point of acceptability to upstream Linux" for those.

    The telco business model has been to get you locked into a 2 year contract at initial signup, and then cause you to re-up the contract every 18 months by offering a new phone with the new OS to get the new features, and to be compatible with the new "store" offerings in apps, in order to *keep* you perpetually locked into the two year window.

    The partner model has been to create low-margin OEM phones, with the understanding that they will make up for the low margin on volume, by having a rolling inventory of the new model going into that 18-month renewal window pipeline themselves.

    In both cases, these are not "buy once, use forever" devices. Neither are iPhones (try to find a 2G service area on either coast for AT&T to use the first generation iPhone; AT&T is actively ripping out 2G capacity, since that's the only way to force someone off a grandfathered unlimited data contract).

    Practically speaking, it's in no one's interest but Google's, since they've been eating the bad press on the update situation whenever there's a bug found, and a security flaw is generally the most convenient can opener. Effectively they are using this as judo, to try and version-shame both the partners and the telcos: the partners into the development effort for an update, and the telcos into the deployment of those updates.

    In other words, they are trying to mimic the Apple model, without the hardware or iOS source base homogeneity that allows it to work.

    It will be quite interesting to see how long this goes on before something cracks. My personal prediction on what will crack is that the telcos will start offering updated phones earlier, with a prorated valuation on the old phones, and roll the costs into the hardware costs in the first place, and thus into the monthly billing cost.