Slashdot Mirror


Old Qualcomm Vulnerability Exposes Android User Data (securityweek.com)

Reader wiredmikey writes: Researchers from FireEye have disclosed the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models (Editor's note: the link could have pop-up ads, here's an alternate source). The vulnerability is in the Qualcomm tethering controller (CVE-2016-2060) and could allow a malicious application to access user information. While the flaw could expose millions of Android devices, the vulnerability has limited impact on devices running Android 4.4 and later, which include significant security enhancements, and also does not affect Nexus devices. FireEye said its researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March and started reaching out to OEMs to let them know about the issue. Now it's up to the device manufacturers to push out the patch to customers. FireEye said: "The OEMs will now need to provide updates for their devices; however, many devices will likely never be patched."

18 comments

  1. time to re-buy the white album? by TheGratefulNet · · Score: 3, Interesting

    Now it's up to the device manufacturers to push out the patch to customers.

    you KNOW that, for the most part, never happens. androids are mostly abandoned after the first year of being on the market. vendors have no reason to care and they don't! they leave us all exposed to the continual android bugs and the ONLY recourse is to root and install a new os or just give in and re-re-re-buy your phone all over again, trading one bug for another.

    google is 100% at fault for not seeing this and not stopping it. it's a wild wild west in android land and I fucking hate how bad it is. 'just buy a nexus!'. fuck you! google abandons things too; I have a nexus one that I thought would get support but it had showstopper bugs that were there from day-1 and NEVER got fixed (screen calibration would stop every day; google never cared, etc etc).

    there are so many reasons to hate google, but how they mishandled the whole android and carrier/vendor thing was one of the worst things they've ever done. and the whole architecture of android prohibits piecemeal upgrades. I can't just apt-get update and upgrade. I can't install JUST an ip stack fix or JUST a kernel fix. I have to upgrade a whole monolithic image and that's just SO STUPID it's beyond belief. linux was not that way and you had to do WORK to fuck up linux that badly. they removed the ability to do user level patching and upgrades and to make things worse, most vendors try their best to STOP users from even TRYING to upgrade their own phones.

    people ask me why I don't do phone programming, since I write C code and stuff for a living. my hatred of the whole phone scene is why; it's a complete disgrace and I want no part of it. let the 20 somethings mess around with this and that phone; I have no time or patience to keep up with all that crap since it's such a moving target.

    I really do wish 'phones' were not like they were today, but the market is ruined and I see no way around it since the carriers and vendors are so used to calling all the shots. they'll never give control back to users. it won't happen and so phones will always suck and never be YOUR computer.

    --
    "It is now safe to switch off your computer."
    1. Re:time to re-buy the white album? by Anonymous Coward · · Score: 0

      Get off my lawn!

    2. Re:time to re-buy the white album? by Anonymous Coward · · Score: 0

      Low end phones aren't meant to last. You pay less, you get less, and you pay again to buy a more secure phone because there's no financial incentive to update your crappy throwaway phone.

    3. Re:time to re-buy the white album? by bill_mcgonigle · · Score: 1

      It's pretty bad, but Google is patching essential services when it updates 'Google Play Services' in a way that most carriers would have balked at just a year or two ago.

      The carriers suck, the forcing of signed bootloaders sucks, the update process sucks, the arrangement with MVNO's sucks, and all of it reduces overall security and functionality. Carrier profit is the primary factor that went into all of this. Yet this is exactly what is expected from such a heavily-regulated and regulatory-captured market, so let's not try to act all surprised and outraged.

      A little competition in the space would do wonders, but don't hold your breath because the manufacturers' hands are tied by the carriers, and despite their FCC-granted monopolies, they can arbitrarily refuse to allow real competitors' devices on the network. It won't be until somebody sends out a worm that bricks every device that's Stagefright-vulnerable that anything will really change. Then maybe we can get mostly IP devices with a common-carrier arrangement.

      At this point, there should be several class-action suits brewing against the carriers for locking people into insecure devices. We should want the carriers to have legitimate common-carrier protections, not cartel-enhancing protections no matter what they do.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re: time to re-buy the white album? by Anonymous Coward · · Score: 0

      Low end like my $800 (new price 2 years ago) that is no longer receiving carrier updates?

    5. Re:time to re-buy the white album? by Karlt1 · · Score: 1

      Yet this is exactly what is expected from such a heavily-regulated and regulatory-captured market, so let's not try to act all surprised and outraged.

      This is completely Google's fault for setting up Android this way. Apple doesn't have to wait on carriers to update the OS.

      But if you want a better comparison, I didn't have to receive Dell's blessing (the manufacturer) or the store I bought the Dell from to update my OS and get patches from Microsoft. I was able to install Windows 7 on my Core Duo Mac Mini (that Apple abandoned years beforehand).

    6. Re:time to re-buy the white album? by Rexdude · · Score: 1

      the whole architecture of android prohibits piecemeal upgrades. I can't just apt-get update and upgrade. I can't install JUST an ip stack fix or JUST a kernel fix. I have to upgrade a whole monolithic image and that's just SO STUPID it's beyond belief. linux was not that way and you had to do WORK to fuck up linux that badly.

      Nokia had their own full strength Linux OS for mobile - Maemo, which later was merged with Intel's similar venture and renamed Meego. It was a regular Linux distro for ARM and had Nokia not committed suicide by Elop, they could have been a powerful, independent, open source alternative to the 2 horse race that is the mobile market today.
      The first and last Meego based phone from Nokia, the N9, shows what could have been. Interestingly, there is an alternative, a phone made by the same team from Nokia under the brand Jolla, which supposedly can emulate Android for apps as well.

      --
      "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
  2. Problems with the OEM model by Anonymous Coward · · Score: 0

    This outlines one of the key problems with the whole OEM model; security upgrades.

    Apple, like 'em or hate 'em, did the right thing in cutting them out (at least initially) and going straight to consumer.

    1. Re:Problems with the OEM model by TheGratefulNet · · Score: 1

      for the end user, apple was doing the right thing. but not for the right reasons, mind you.

      they are control freaks, everyone knows that. they controlled the carriers and having the shiny apple toy was all the carriers wanted; they even gave control over to apple for the pleasure of selling and including apple toys in their network.

      google could have done the same thing but they didn't think about it deeply enough and now it seems too late to change the model.

      google gets its eyeballs and deploys its apps to spy on you. they are happy. they don't WANT to change the model as it suits their whole business model.

      --
      "It is now safe to switch off your computer."
    2. Re:Problems with the OEM model by macs4all · · Score: 1

      for the end user, apple was doing the right thing. but not for the right reasons, mind you.

      That is TOTAL conjecture on your part; you have absolutely no way to determine what Apple's "motivation" was.

      You just ASSUME it is self-serving and evil. Do you have PROOF?

    3. Re:Problems with the OEM model by Anonymous Coward · · Score: 0

      google could have done the same thing...

      No, they could not. Apple's power is a dedicated fan base that does not want any other kind of phone. Google's power (in this market) is a cheap phone OS with few strings attached. Google has only a tiny fraction of the brand loyalty Apple has despite having the overwhelming majority of the market running (some kind of) Android. If Google attempts to make demands of the carriers, they will be WinPhoned off to the back shelves and no customer service representative will admit their existence. We'll see the return of carrier-specific smartphones, and all that came with it.

    4. Re:Problems with the OEM model by TheGratefulNet · · Score: 1

      search the concept of 'if it walks like a duck...'

      funny that a person with a handle 'macs4all' would AT ALL want to white knight apple. nothing strange about that at all. LOL

      --
      "It is now safe to switch off your computer."
    5. Re:Problems with the OEM model by macs4all · · Score: 1

      search the concept of 'if it walks like a duck...'

      funny that a person with a handle 'macs4all' would AT ALL want to white knight apple. nothing strange about that at all. LOL

      Ooo looky; an ad hominem attack! How terribly original...

      More like: The last bastion of the "factless"...

    6. Re:Problems with the OEM model by Anonymous Coward · · Score: 0

      To be fair your nick is essentially "shill for apple". You shouldn't be surprised if people assume that anything you say is a bit biased.

    7. Re:Problems with the OEM model by macs4all · · Score: 1

      To be fair your nick is essentially "shill for apple". You shouldn't be surprised if people assume that anything you say is a bit biased.

      So sez the ANONYMOUS COWARD. Boy, count me IMPRESSED!

      No, you INTERPRET my nick that way.

      I meant it as more of a "wish" (as in "I'd like to be able to wave a magic wand and give everyone a Mac") than a "shill" (as in "In my eyes, Apple can do no wrong, and I will defend them to the death, even if I don't believe what I am saying.")

      See the difference? Of course you don't; or, more correctly, won't admit it; because you will pretend that there IS no difference.

      Am I biased? Of course. Just like the Freetards that overrun Slashdot, and claim that F/OSS is ALWAYS the ONLY way, and that Apple's motives are ALWAYS bad.

      Now, isn't that where we came in? ;-)

  3. Another Day, Another Android Vulnerability... by macs4all · · Score: 0

    Is it just me, or does it seem like barely a week goes by that there isn't yet ANOTHER vulnerability affecting Android?

    Seriously, why is that? What happened to the oft-touted Open Source advantage of "many eyes"?

    I am honestly NOT Trolling here; but it does seem that most, if not all, of these vulnerabilities should be long-since discovered (and hopefully eradicated), rather than the steady drip, drip, drip of "another longstanding vulnerability discovered" many months or even years after the fact.

    1. Re:Another Day, Another Android Vulnerability... by nevermore94 · · Score: 1

      It is just you. That statement is quite an exaggeration. Just as most of the "vulnerabilities" that are found are. Companies like FireEye and Zimperium exist for situations just like this. They have a team of people scouring available source code looking for any little flaw and then when they find something like this they send out press releases and hype it up as the next big doom and gloom phone destroyer so that people will buy their security app. But, when looking into the details you find that this bug only really affects phones running Android less than 4.4 and on the Qualcomm chipset. Many phones back in that era used a TI chipset instead so that limits the numbers right there. And then, when you look at what it is supposedly capable of you see that the worst it could do under ideal circumstances is to steal SMS and phone call data so it could gather who you call and text. But, just like the infamous StageFright vulnerability there still hasn't been a single documented case of it being exploited in the wild because of all of the other Android security in place to mitigate such risks.

      The fact that these old bugs are being found is because of the open source advantage that you mentioned. There is no telling how many vulnerabilities exist in iOS devices because the code is not open for review. This is, of course, good and bad, depending on who happens to stumble across the vulnerability first.

      Also, no one who cares anything about security should be using Android older than 4.4 or even 5.0. That is like using Windows XP or even Windows 95 and complaining that it has security vulnerabilities.

      --
      Nevermore.
  4. Is My Device Vulnerable? by jaminJay · · Score: 1

    I did not see any mention in the article (I went to the ZDnet one) for how to identify if my devices are compromised and would greatly appreciate any assistance from the lazyweb in methodology for determination.

    --
    Leela: "Is all the work done by children?" Alien: "No, not the whipping."