Millions of Android Devices Vulnerable To New Stagefright Exploit
An anonymous reader writes: Security researchers have found yet another flaw in Android's Stagefright. The researchers were able to remotely hack an Android phone by exploiting the bugs. According to their estimation, the flaw exposes devices running Android software versions 5.0-5.1, or 36% of 1.4 billion, to security attacks. "I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit in order to protect the ecosystem," Zuk Avraham, chairman of Zimperium, the firm which found the first Stagefright exploit, told Wired.
A new nearly-universal root method is always handy.
Aside from crappy security implementations which I blame mostly on Google, I don't get this attitude of yours.
Anyone who in 2016 doesn't understand how the exchange of a "free" phone OS for personal data works needs to grab a refresher from the many excellent sources of economic theory available.
Meanwhile, I *know* I'm the product, but in exchange I get great web searches, kick-ass navigation, YouTube, handy email and calendar integration with work, and more.
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
You need to put some basic technical information about what is affected in the summary. If you don't give that, it is just click-baity.
Specifically, this affects Android versions "2.2, 4.0, 5.0 and 5.1. Other versions are not affected."
If you use nerds for editors, that can help make sure that you include the right information in the summary so that users can evaluate if they want to click on the link, or not. We don't just click all the links because they were posted.
Ever notice how the feds never go after Google or the Android phone makers to unlock things? They don't need to, they've been able to go balls-deep in Android since Day One. Too bad only Apple seems to give a poop about security.
It would take me too long to write a full rebuttal for your post, but to summarize: 1) The feds DO go after Google and OEMs to unlock phones. 2) Cheapo Android phones are insecure. But Nexus phones get prompt security updates straight from Google. Samsung is also nowadays rigorous about securing their flagship phones, since they're approved by the DoD for government employee usage (cf. "Samsung Knox").
A new nearly-universal root method is always handy.
To attackers wanting to steal your data, sure.
For users, this is a bad thing. If you want to root your device, buy one that is unlockable and you won't need exploits. Meanwhile, OEMs need to keep their devices patched so that problems like this don't reduce the security of hundreds of millions of devices.
That said, it's worth pointing out that Stagefright appears to have turned out to be much ado about nothing. AFAIK (and I work on the Android security team, so there's a high probability that I would know), no one, anywhere, has seen an example of Stagefright, v1 or v2, being exploited in the wild. That's not to say that these things don't need to be fixed, but the risk is often overstated in the press by reporters looking for clickbaity headlines.
Anyone who in 2016 doesn't understand how the exchange of a "free" phone OS for personal data works needs to grab a refresher from the many excellent sources of economic theory available.
There's nothing free about Android that is shipped on phones. Vendors deal with Google and in return ship *additional apps* in their OS. The customers then in turn pay very good money for the use of the phone.
All of that is not really an issue anyway since absolutely nothing in Android leaks privacy. You can run it without phoning home, without a Google account, and you can run it even when you have zero access to Google or any Google services (see the millions of Android devices in China).
Mind you I'm interested in your economic theory on open source software, which is what Android actually is.
kick-ass navigation, YouTube, handy email and calendar integration with work, and more.
None of which are part of Android and none of which have anything to do with Android's security implementation.
From the PDF: "The victim also has to linger for a time in the attack webpage"
Since I don't use my phone for browsing*, I guess I'm safe for the moment.
-
*Yeah, I just use it to make calls and take calls, and maybe snap the occasional picture. Weird, huh?
Just cruising through this digital world at 33 1/3 rpm...