Slashdot Mirror


BadKernel Vulnerability Affects One In 16 Android Smartphones (softpedia.com)

An anonymous reader writes from a report via Softpedia: A security bug in Google's V8 JavaScript engine is indirectly affecting around one in 16 Android devices, impacting smartphone models from all major vendors, such as LG, Samsung, Motorola, and Huawei. Despite this bug being public for more than a year, only in August 2016 have Chinese security researchers discovered that the V8 issue also affected a whole range of Android-related products where the older V8 engine versions had been deployed. Affected products included Google Chrome Mobile, Opera Mobile, apps that use the WebView component (Gmail, Facebook, Twitter, WeChat, etc.) and apps that deploy the Tencent X5.SDK (a bunch of Chinese apps). It is estimated that around one in 16 Android devices is vulnerable to this issue, nicknamed BadKernel. The flaw leads to an RCE on Android devices, allowing attackers to take full control over one's smartphone. Despite BadKernel being discovered in August 2016, because all research was only published in Chinese, most E.U. and U.S. users have no clue they might be affected. One of the best ways to protect yourself, as noted in the report, is to keep your apps and operating system updated. You can view this list via Trustlook's website to see if your device is affected. There's also a dedicated BadKernel security scanner you can download from the Play Store to check for the vulnerability.

37 of 58 comments

  1. Well by Ol+Olsoc · · Score: 2, Funny

    At least they have a headphone jack, so no problem.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:Well by macs4all · · Score: 1

      Hi Tim!

      I think you have a more modern version of the old PEBKAC problem.

      I have never had a headphone jack fail. Nor do I know anyone who has.

      I gotta tell ya, obvious astroturfing shill is obvious.

      And you obviously are the entire headphone-using population.

    2. Re:Well by Ol+Olsoc · · Score: 1

      Hi Tim!

      I think you have a more modern version of the old PEBKAC problem.

      I have never had a headphone jack fail. Nor do I know anyone who has.

      I gotta tell ya, obvious astroturfing shill is obvious.

      And you obviously are the entire headphone-using population.

      Yeah, and highly useful comments Coward makes. This is like the one person in a room who brags about how he's never had a Windows 10 update break anything - always perfect! While a hundred other people have.

      In the end, it means nothing.

      So we're gonna have a sitdown folks. Here's the issue. Contact points. When using a tubular jack, where connections are made along the length of the Jack and connector, the contact is made by a spring metal strip, pressing against the part of the tube that corresponds to the desired connection, and a generalized non pressure contact with the "ground" or common part of the jack at the bottom. So far, it's a duh thing.

      The amount of pressure that can be brought to bear on the tube is based on the mass of the contact that is used, and the pivot connection that Smaller mass and less length of pivot is always a problem. As well, the torques put on the connector and jack during normal use tend to bend things a little more than might be desired from time to time. Does it have to be this way?

      Nope - but the alternatives are pricey and larger. Let's say that I was for some reason wanting to make a 3.5 mm plug and jack. Assuming that we want to keep the form of the present plug, the jack would have some serious alterations. Instead of a single flat metal contact point, it would have an annular multiple spring loaded spherical contacts, each grouping resembling a race of ball bearings on all contact points, including the ground or common. Then you would have a reliable connector.

      Even the 1/4 inch plugs used in professional equipment are a common failure point, it can only get worse as the size decreases. But hey, some guy who has had perfect reliability but can't be bothered to post except as a coward must know better.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Well by Ol+Olsoc · · Score: 1

      And you obviously are the entire headphone-using population.

      No, he isn't, but he certainly represents the majority. This claim that headphone jacks are terribly unreliable came straight out of the Apple Users Cult, not from your boy Phil Schiller. Those of us outside the reality distortion field know the sole reason for removing the headphone jack was to promote the use of Apple's proprietary, licensed, and costly accessories. A fact that YOU, STILL, CAN'T, ACKNOWLEDGE.

      I must have a time machine, because I knew that the 3.5 mm jacks were unreliable long before the iphone was a gleam in Steve Jobs' urinal. Professionals stay away from them when they can because of that. And quit yelling.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:Well by Ol+Olsoc · · Score: 1

      False. The headphone jack is not prone to failure.

      A part that isn't prone to failure? They are all prone to it, and the 3.5 mm is worse than many. Good day sir, and thanks for the laugh.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    5. Re:Well by macs4all · · Score: 1

      No, he isn't, but he certainly represents the majority. This claim that headphone jacks are terribly unreliable came straight out of the Apple Users Cult, not from your boy Phil Schiller.

      Anybody who HASN'T had to do the "Spinna-Spinna, Jiggle-Jiggle, Remove-Reinsert, Remove-Wipe-Reinsert" dance with a 3.5 mm jack/plug combo in a (usually unsuccessful) attempt to cure intermittent channel-cutout, should count themselves extremely lucky. In fact, 1/4" "guitar" plugs and jacks have the same problem. It's just the nature of the beast. Has been that way for DECADES. There just wasn't anything better. And in fact, only time will tell if the Lightning and USB-C connectors fare any better in this application. But the 95% of people who have had some sort of problem with headphone jacks already know what DOESN'T stand the test of time, reliability-wise. But, just like hitting-yourself-over-the-head classes, some people just seem to enjoy the same abuse, over and over and ...

      It has NOTHING to do with fanboy-ism, Hater. It has EVERYTHING to do with the fact that 3.5 mm jacks, while unarguably being quite common, are simply NOT VERY RELIABLE over time. Period. It's an inherent design flaw, mostly on the "jack" (female) side, but I have never seen one that doesn't eventually (sometimes over a long time) fall prey to intermittent operation. We don't live in clean rooms, and have a tendency to occasionally exert lateral forces on the plug/cable, and both of those things make the life of a headphone jack a fairly hard one for such a small, cheap connector.

    6. Re:Well by macs4all · · Score: 1

      Even the 1/4 inch plugs used in professional equipment are a common failure point, it can only get worse as the size decreases.

      As a former professional musician and sound engineer, how well I know!

      What used to amuse me, is all the guitarists that would purchase expensive cables with "MIL-Spec" 1/4" plugs on them. Too bad those "military-grade" plugs were made of corrosion-prone BRASS, and had a "bulbous" tip-end that reamed-out the "non-MIL-Spec" Jacks even more, making the whole thing even MORE intermittent. And as a bonus, the layer of corrosion on the brass sometimes formed a kind of semiconductor junction, turning your guitar rig into a "wonderful" 100W AM crystal radio (usually right in the middle of a performance!) In fact, you can see this demonstrated in the "This is Spinal Tap" movie, when Spinal Tap plays a gig at an Air Force base, and Nigel's(?) guitar rig starts picking up some 2-way radio calls, causing him to throw down his guitar and stomp off stage (yes, I know that might also have been his VHF wireless rig; but the effect is the same!)

    7. Re:Well by Jesus_666 · · Score: 1

      It's not that 3.5 mm jacks are perfect and impossible to beat. They just happen to be good enough for most people, usually only becoming unreliable after the device has reached the end of its useful life. In terms of reliability I'd put them about on par with Micro-USB jacks; those can also easily experience forces they weren't designed to handle and will then become unreliable. I don't know how much force Lightning jacks can take.

      The main beef many people have is that Apple removed the 3.5 mm jack without supplying an adequate alternative. All options Apple has offered are problematic in some way:

      Lightning headphones: Few manufacturers offer these so availability and choice are severely limited. It might be straight-up impossible to obtain Lightning headphones that have all desired qualities (form factor, sound, price etc.). These headphones are also incompatible with any non-Apple device. I didn't bother researching prices but I also suspect that Lightning headphones are a bit more expensive as far as the low-end market is concerned. Also, the only port capable of charging the host device is occupied, which is impractical when - for instance - using the phone while working in an area where it's easy to keep plugged in. Does not allow the host device to be connected to a car stereo that only has a 3.5 mm input port and no Bluetooth support.

      Bluetooth headphones: Usually markedly more expensive than similarly capable regular headphones. Choice is limited, especially with in-ear monitors. Limited battery life can cause reliability issues and requires additional maintenance. RF interference and spectrum congestion can affect performance. Pairing might not always work well or might be lost during operation. Use of Bluetooth headphones drains the host device's battery faster than use of wired headphones. Sound quality is dependent on which audio profiles the host device and the headphones support. Also does not allow the host device to be connected to a car stereo that only has a 3.5 mm input port and no Bluetooth support.

      3.5mm headphone adapter: Having a dongle attached to the host device makes it less handy and takes up additional space in one's pocket. One might accidentally unplug the dongle while pulling the device out of the pocket. Less control over how exactly the cable is positioned in the pocket (since many people are not going to keep it dongle-up) makes it easier to accidentally kink the cable. Having one more thing to lug around means one more thing that can be lost. Again the Lightning port is occupied.

      The downsides of regular 3.5 mm wired headphones are well-known: The jack is moderately fragile and may become unreliable over time. Depending on the precise dimensions of the plug and jack the plug might become easily dislodged from the jack.

      The 3.5 mm jack's problems are mainly of a reliability nature. The other options' problems are often about convenience and the inability to do things that used to be possible. There's the main beef: Apple's alternatives are all inconvenient to acquire and/or use or require workarounds to do things that used to be easy to do (such as plugging the device into a car stereo's aux port while powering the device from the cigarette lighter port). Unlike when Apple ditched the floppy drive for USB sticks or ADB for USB HID the change comes with a noticeable reduction in capability and ease of use. That is something worth complaining about in my opinion.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    8. Re:Well by Ol+Olsoc · · Score: 1

      The main beef many people have is that Apple removed the 3.5 mm jack without supplying an adequate alternative. All options Apple has offered are problematic in some way:

      Which iPhone do you have?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:Well by Jesus_666 · · Score: 1

      Not me but a close friend. He has a 6s, which will be replaced with another 6s if it dies because the 7 is not appealing to him. The lack of a headphone jack is one of the more important factors there.

      I'm mainly interested because a) other manufacturers might decide to follow Motorola's example now that Apple did and b) I'd like my headphones to remain compatible between all of my devices, including ones too old to support Bluetooth.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  2. Ahhh yes by wbr1 · · Score: 4, Informative

    A slashvertisment for a 'security' app that ostensibly tests for a vulnerability, whilst simultaneously asking for every permission my phone has. No thanks. And have a mode finger while you're here.

    --
    Silence is a state of mime.
    1. Re:Ahhh yes by Anonymous Coward · · Score: 3, Informative

      Indeed, and on their site "Trustlook" (never heard of them) claim that "AV-Test" gives them the OK.
      Funny, on the "AV-test" site, they're not even in the list of (about 25) tested products...

      https://www.av-test.org/en/antivirus/mobile-devices/
       

  3. Best ways, huh? by Bob+the+Super+Hamste · · Score: 4, Interesting

    One of the best ways to protect yourself, as noted in the report, is to keep your apps and operating system updated.

    So how many of the devices listed are basically unsupported since initial sale and will never be updated?

    I really wonder if things like this should be treated as manufacturing defects and since carriers and phone vendors don't seem to want to support these devices people should start bringing them back and getting them replaced for free as they are obviously defective.

    I don't know warranty law but maybe someone could chime in who has some idea as it would seem that if these issues aren't fixed then the customer is due a replacement or refund because their device does have a manufacturing or design defect.

    --
    Time to offend someone
    1. Re:Best ways, huh? by Aaden42 · · Score: 2

      The devices were never warrantied as being secure. They're sold as telephones. As long as they still make calls, they're not defective. There's no way you'll get phone makers or cell carriers to make good on these without a law telling them they have to. And you can rest assured they'd pass the cost of any such law directly on to consumers.

      Buyers need to vote with their wallets. You're not just buying a dumb telephone. You're buying an always-on, always-connected computer that you're going to store some of the most private things about your life on. Pay attention to the hardware maker's upgrade record as well as your carrier's and choose accordingly.

      For most users, that probably means either spending the extra on a Nexus device or going Apple or saving the money up front and knowing that you're buying a dead end device that will almost certainly fail to get some critical security update before its reasonable useful life has passed. At that point, your choices are live with the risks of the vulnerability or spend more money to replace the device.

    2. Re:Best ways, huh? by Gr8Apes · · Score: 1

      You're not just buying a dumb telephone. You're buying an always-on, always-connected computer that you're going to store some of the most private things about your life on.

      This part I disagree with - I am just buying a dumb phone, SMS messenger and web browser. Really. That's all anyone really needs, despite the plethora of apps all about, claiming to make life easier. Now the mail app makes things easier with local storage, as does the chat app of choice. As for storing the most private things about your life, why? Why would you essentially leave the keys to your life on a very portable and easily lost or stolen device?

      I agree with much of what you say otherwise.

      --
      The cesspool just got a check and balance.
    3. Re:Best ways, huh? by Aaden42 · · Score: 1

      Primarily because it's the most secured device I can buy as a consumer. It's also the one that's with me at all times. My phone is my exocortex. The part of my brain that actually works right, more often than not. If there's an arbitrary detail of modern life that has no value to me other than when engaging in certain bureaucratic ablutions, you can bet my phone remembers it better than I do.

      And sure I could LIVE without the other stuff my phone does. My heart would keep beating, and I'd keep breathing. But quality of life is a thing. The myriad additional functions my phone provides enable me to do a dozen little things during the course of my day that I'd have to either not do or put off doing something else later. The time and brain working-state savings of being able to scratch those things off immediately or perhaps a minute or two later when I have a moment rather than trying to remember to do them later (or skipping them entirely) are the little things that make life more than just hunt & gather, eat & sleep.

      There are lots of modern conveniences we could live without, but you're only punishing yourself (and making lots of people regard you as some kind of odd Luddite or ascetic) if you stubbornly refuse to take advantage of them.

    4. Re:Best ways, huh? by macs4all · · Score: 1

      I can't update my apps. Right now I have about 10 apps that need updating but each one of them wants a whole bunch more permissions. It is getting stupid - I don't think a weather app needs access to my identity or my contact list. Why can't we get a decent OS and proper applications for these powerful smart-phones? I would pay money for that.

      Buy an iPhone, and gain control over your Apps. Seriously, that shit just doesn't happen on iOS.

    5. Re:Best ways, huh? by steveg · · Score: 1

      Personally, I'm buying a portable computer that fits in my pocket. That I can use it for phone calls or SMS is mildly convenient, but not ultimately vital.

      As far as "most private things" go, there is some of that (but not a ton) and that's mostly encrypted. At least as far as what *I* put on there. What the phone gathers about me is a whole other thing.

      --
      Ignorance killed the cat. Curiosity was framed.
    6. Re:Best ways, huh? by Gr8Apes · · Score: 1

      So if the phone part is so not vital, why not just remove the cellular portion of the phone (ie, yank the sim)? Wait, it IS important that you can effectively call/message and access the web.

      --
      The cesspool just got a check and balance.
    7. Re:Best ways, huh? by Gr8Apes · · Score: 1

      Truth be told - a paper list is faster and generally more convenient than a phone list, unless you can type it in on a computer and send it to your phone (in which case it's a simple consuming device). I still hold that "the most private things about your life" being on your phone is truly an odd thing to say, believe, or do.

      --
      The cesspool just got a check and balance.
    8. Re:Best ways, huh? by Aaden42 · · Score: 1

      I find paper lists far more cumbersome. They get lost or left at home. They can't be edited easily. My handwriting is dreadful. Can't write while moving or doing other things, etc. Siri can take a note no matter what I'm doing. The note is available on my phone, tablet, laptop, and two desktops near enough to instantly. I can delete it when done or revise it if necessary. I can share lists with family members, and we can all check off things as we do them or add more as we think of them. None of those are features I'd die without, but they certainly make a lot of life's activities run more smoothly.

      Clearly we use our phones differently, but I'd describe mine as indispensable to the way I prefer to live my life. The security of the data on it is very important to me.

    9. Re:Best ways, huh? by Gr8Apes · · Score: 1

      Siri can take a note no matter what I'm doing. The note is available on my phone, tablet, laptop, and two desktops near enough to instantly.

      ...The security of the data on it is very important to me.

      You use Siri and iCloud. I'd say security is secondary to you at most, and that's being very loose with the term 'security'. You were correct to drop "privacy" from your statement entirely, because you've given that up entirely.

      --
      The cesspool just got a check and balance.
    10. Re:Best ways, huh? by steveg · · Score: 1

      Access the *Internet*. That's part of what being a computer is. I didn't say being connected wasn't vital, I said being a phone wasn't vital.

      I added the "is connected" criterion to my definition of "useful computer" somewhere around 1989. Even though "uses telephone technology" is part of what makes that work, the "is a phone" part isn't all that important.

      I'm not saying that I don't use the phone as a phone. But it's not why I have it. If I had to choose between a portable phone without computer functions or a portable computer without phone functions (and could only have one) I'd probably make do with email.

      There are folks on Slashdot that, after asking me to get off their lawn, seem very proud of their dumb phones. "It's a phone, dammit, that's what's important." And that's fine. Just not for me.

      --
      Ignorance killed the cat. Curiosity was framed.
  4. My Nextbit Robin isn't on the list by the_humeister · · Score: 1

    I guess my phone is safe.

    1. Re:My Nextbit Robin isn't on the list by mlw4428 · · Score: 2

      Yes, nothing says security like sending your data up to a third party's cloud.

  5. Sigh. by ledow · · Score: 5, Insightful

    "Install this piece of random software to see if you're safe from this vulnerability that affects a ton of devices."

    Yeah, right. It's precisely that mentality that causes more problems in the first place.

  6. The list is just about worthless by coolmoe2 · · Score: 1

    My phone and tablet were both listed so I installed the app and ran the check and neither one was vulnerable to this bug. I don't think the list they have includes vendor OTA updates so it's more or less based on the software the devices had when they were stock. So my takeaway is don't put too much faith in that list by itself. You are better to do the check and then remove the app.

    1. Re:The list is just about worthless by Nemyst · · Score: 4, Interesting

      I don't know about you, but I don't think I'd trust the results of a security app made by a company I've never heard of before.

  7. Re:What is BadKernel? by Anonymous Coward · · Score: 1

    https://bugs.chromium.org/p/chromium/issues/detail?id=604033

  8. useable to root myself? by Herve5 · · Score: 1

    Could this bug be used, not to do devilish things, but to help me rooting my devices in a simple way, so that afterwards I could at least install the firewalls I already have on my old Fairphone*?
    (*) that came pre-rooted by default, contrary to the new ones

    --
    Herve S.
  9. New phones shipping with older versions of Android by drnb · · Score: 1

    If I were to purchase a Maytag dryer from Sears and know the warranty is good for one year.

    New phones are shipping with older versions of Android. "New" as in unused, not as in a recent design.

    I can get a new prepaid Samsung Galaxy S5 running Android 4.4 KitKat at Walmart for $150. It will not receive any updates to a newer version of Android. Some Android phones are vulnerable and have no upgrade path when they are new in the box, it's not merely a problem of old used phones no longer being supported.

  10. Re:New phones shipping with older versions of Andr by GTRacer · · Score: 1

    An S5? Not an ON5? I *just* went phone shopping and settled on a refurbed S5 for $120 shipped. All the Galaxy phones I saw in stores and online at that price were ON5s. I'd have gladly bought from WalMart at $150!

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  11. Re:Updates, on Android? Good luck with that. by GTRacer · · Score: 1

    I have a Note 3 running CM11 because reasons. But the newest I can get is 12 and I can't be arsed to go through the hours of reinstalling my apps (even with Titanium it takes a while because...). I use XPrivacy to control permissions so hopefully anything that tries to own me through an app-based vector alerts me. If it's Chrome into the OS itself, well, I guess I'm buggered.

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  12. Sorry, S4 was $150, S5 was $300 by drnb · · Score: 1

    My bad, that was a Galaxy S4 at $150, 4.2 Jellybean and not upgradable. Their S5 was $300, 4.4 KitKat and not upgradable.

    I apologize for the confusion.

    1. Re:Sorry, S4 was $150, S5 was $300 by GTRacer · · Score: 1

      Thanks for the clarification! So far, our refurbed S5s are working OK... *knocks on wood*

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  13. Re:Headphone jack only failure in seven years by Ol+Olsoc · · Score: 1

    I'm merely debunking the notion that the headphone jack is immune from problems.

    No one was making that claim. He simply said he hasn't had a problem with a headphone jack or know anyone who has, implying that the problem is quite rare, which it is.

    Yeah, rare as Windows 10 updates breaking things. I can't produce the proof of all of those I've replaced over the years because I never knew I'd have to justify it to cowards, but the 3.5 mm adapter is a cheap little thing, and prone to failure. Just because you haven't had one, or that all the guys in your DnD club haven't does not mean a thing. It's like a 1/4 inch plug and jack, but more prone because it is smaller, and cannot have the contacts supply enough pressure to be reliable. On my professional audio equipment, it's all XLR and 1/4 inch, and there's a reason the 3.5 mm isn't there - it isn't very reliable. Jacks are a major failure mode on everything they are on, and the smaller, the worse. Don't believe me? Don't care. Do your own research.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  14. BadKernel Research Source Data by clarkd · · Score: 1

    I work for Trustlook, so I am somewhat familiar with the company. :^) Trustlook is a venture-funded Silicon Valley startup specializing in Android security. The company has an Android app in the Play store with over 18M users, plus a RESTful cloud SDK to enable virus scan capability in any Android app. We also have an analytic tool that allows you to peek inside any Android app (skyeye.trustlook.com). Finally, at the end of 2016, we will become the default security engine of every new phone for a top 3 phone maker, so we are not a fly-by-night company. But enough about Trustlook. We have spent about a month collecting data from our user base to perform this research. Unlike many flimsy data studies out there, this one is based on 45K responses. Since Slashdot readers are naturally skeptical and highly inquisitive, we are making the detailed report available here (goo.gl/9TBD8A). Judge for yourself if the research findings are worthy of our time. Cheers, - Clark Dong