Slashdot Mirror
Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image (csoonline.com)
An innocent-looking image -- sent either via the internet or text -- could open your Android phone up to hacking. "While this certainly doesn't apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack a wide variety of Androids -- those running Android Nougat (7.0), Oreo (8.0), and even the latest Android OS Pie (9.0)," reports CSO Online. From the report: The latest bulletin lists 42 vulnerabilities in total -- 11 of which are rated as critical. The most severe critical flaw is in Framework; it "could enable a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process." Although Google had no report of the security flaws being actively exploited, it remains to be seen if and how long it will take before attackers use the flaw for real-world attacks. Android owners were urged to patch as soon as security updates becomes available. But let's get real: Even if your Android still receives security updates, there's no telling how long it will be (weeks or months) before manufacturers and carriers get it together to push out the patches.
Truly sorry that you have to be suspicious about all the anime pictures on your Android phone
Since the carriers are no longer providing updates.
Dude, it's Android: you can choose any one of zero security patches provided by your OEM.
Dude, it's Android: you can choose any one of zero security patches provided by your OEM.
I got one update to my phone, once, to 5.5.1.
let's get real: Even if your Android still receives security updates, there's no telling how long it will be before manufacturers and carriers get it together to push out the patches
...I still prefer an iPhone.
Slashdot, fix the reply notifications... You won't get away with it...
And at least you'll be able to get the bug fix with a simple security update, without having to also "upgrade" the rest of the phone's OS and accept random UI changes and new software designed to throttle the speed of old phones "for battery reasons" that, strangely, no phone from any other manufacturer suffers from.
The problem with modern android phones is most of them have some variant on stock android that won't get many updates. PCs are the same way, but then I haven't bought a new PC with windows on it, um, ever I think. (They come with so much crap, that an update may be challenging, to say nothing of just using them..) I've bought windows separately a half dozen or so times, but try to stick to Linux where possible. With Linux Mint lately I can image a system over what 20 minutes top?
We need that kind of thing for phones. Download a cryptographic ally signed live usb image, that uses UEFI and such then boot it on a stock PC. Once that image is up, it should allow you to simply plug a usb cable between your computer and phone and do a full wipe/reinstall to stock current android. I'm not talking any exotic process. It needs to be simple enough for best buy geek squad to do, not that I'd ever recommend them to well anyone I actually liked. Basically it should be the first thing you do when you get a phone, but right now I think its more trouble than its worth, and phones tend to be locked by default. Bonus points if you can save your preferences somewhere and get an image just with those.
You can use this bug to execute privileged code? I assume that means as root. If someone publishes example code at some point, we could get a really convenient way to root phones. Maybe I should avoid updates for a while.
This is no big deal. Since there is no hope of getting any security updates for my Android devices from the fantastic hardware vendors and network providers, I'll just browse the web on my Android devices using lynx from now on. Thanks guys! Thanks a lot! Really appreciate ya'll locking down these devices so hard to prevent malicious third-party open source developers from flashing custom boot ROMs over your fantastic OEM build.
It turns out riddles aren't the same as software engineering. Who knew?
More OS memory access bugs, yay.
According to this breakdown, 88% of Android OS is written in Java, C, and C++ -- all of which are notorious for memory access bugs (in the runtime environment, in the case of Java). Perhaps the #1 security best practice should be to use a language designed to be memory safe. Right below that would be "don't try to bolt on security to insecure software."
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
As an Android user, this is pretty shitty. If it allows arbitrary code execution in privileged context, that means your phone can be rooted just by looking at a web page. Once that happens, you need to restore a clean firmware image or you simply can't trust the phone. That's far worse than being able to access camera/mic if a feature isn't disabled.
Google has been EXTREMELY self-destructive by allowing Android to be a method of abusing customers, in my opinion.
Android generally gets NO updates. That policy is intended to make more money for cell phone providers.
It's not. It's a theoretical exploit that may lead to actual exploits, but even then, they likely have to be crafted for the specific phone.
Apple's issue is already patched for all devices that it can occur on (that support Group FaceTime). Millions (hundreds of millions?) of Android devices have this exploit that will never see this patch.
And on top of that, the Apple bug affected only people who received a FaceTime call and did not answer, and the attacker knew the secret combo to activate the bug. In short it ALSO was a theoretical exploit, that was a one time deal that never impacted basic phone security.
Android people like you that defend this inexcusable flaw are the worst kind of scum.
they likely have to be crafted for the specific phone
Nope.
And at least you'll be able to get the bug fix with a simple security update
Which for millions will never come. Meantime anyone who can craft a good meme can and will own your phone. Good luck with that.
also "upgrade" the rest of the phone's OS and accept random UI changes and new software designed to throttle the speed of old phones
iOS 12 sped up phones. That speed throttling that protected phones from sudden shutdowns is now in Android as well, since it was inherently a good idea.. but on Apple if you are and idiot you can choose to disable it.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
But youâ(TM)re not smug at all right?
You don't know if it 's being exploited. You don 't know if it has to be crafted for a specific phone. You don 't know how many phones will actually get that update.
The FaceTime bug was mitigated very soon after disclosure for every single device simultaneously.
Most Android users would love to have the "problem " of having to have the latest OS. Any iPhone user susceptible to the bug already had iOS 12.
All phones suffer when their batteries are old. It's harder to notice when the device runs like shit out of the box.
Reading the bulletin though it only works when the process that triggers it is privileged in the first place. So there is no privilege escalation. So there isn't a way that this exploit could root a phone.
I'm sure there are things that this could be used for. But it can't get out of the particular sandbox the application that views the PNG is sitting it.
Why can't non-x86 world ever get its shit together? One unified Windows or Linux image installs on countless hundreds of different x86 things.
Meanwhile everywhere else it's always bake a custom rom specific to each and every variant of every device. Why is it still tolerated? The old excuses of abstraction costing too much made sense 20 years ago. Today it's a joke/lame excuse for tolerating the indefensible.
Wwwwaaaaayyyy past time to fire the cooks.
Obviously we need complex multimedia formats that are decoded by C code complete with buffer overflows all running in Kernal mode.
But what would be even better is if the PNG could contain JavaScript inside it. Why limit the output to just a few algorithms? With JavaScript running actually inside the PNG much greater compression could be achieved for many applications. More importantly, a whole new plethora of animation techniques could be developed.
Indeed, if that JavaScript within the PNG was used to implement a Virtual Machine, a whole sub operating system could run inside that image. Just think of the possibilities!
We need more, Lots more. Of stuff.
Sure, if your phone is older than the iPhone 5S (from 2013).
If, as the summary suggests, this allows arbitrary code to run with elevated permissions simply by viewing a PNG image, then this could be exploited to install malware that runs as root with access to all the data on your device, all your accounts, ability to modify any app, etc. That's pretty fucked up. (Yeah I know summaries can be misleading, but I have a relatively low UID so I've been conditioned over years to never RTFA.)
The x86 - or rather, the IBM-compatible - world is vastly different to the ARM world when it comes to system design. The entire family tree of x86-derived machines have gravitated towards open, or at least easily-licensed and inter-operable, hardware standards over the decades. Manufacturers want to keep their hardware reasonably compatible with everyone else, lest they be shut out of the market for being too 'niche'.
ARM, on the other hand, is almost the exact opposite. An ARM computer is often a custom-built hodge-podge of licensed hardware modules fitted around whatever ARM core the manufacturer licensed and etched onto silicon. Sound, graphics, memory. and other functions are not plug-and-play replaceable add-ons, but a custom chipset that the system designer picked out and configured. These bespoke system configurations will also have to contend with limitations on driver support and possibly the need to hand-configure settings.
Google has tried to correct this, and pull manufacturers to a more standardized system that would let Google handle a lot of the hard work, but this was never the norm in the embedded space.
So if they email you a malicious PNG then they can read all your emails? That's not good. Plus who knows how many privilege escalation zero days may be out there?
Does this apply to all Android apps or just Google Chrome based ones?
(T>t && O(n)--) == sqrt(666)
Malicious PNG
To be fair, privilege escalation exploits are rather common on all OSes. That's not something we've figured out how to solve.
"First they came for the slanderers and i said nothing."
All of those ARM chips (in Android) use GCC, an open compiler, so it isn't the chip that's causing problems. Most of the drivers are all open-sourced (the kernels is GPL, so they more-or-less have to), so it's not the hardware that's a problem.
The main problem is locked boot-loaders. If you can't install a custom ROM on a phone, that's probably the reason.
"First they came for the slanderers and i said nothing."
How do these things keep happening? What happened to sanity checking your input? Geezus, this is inexcusable.
How: C, C++, and Java making errors easy.
It's early days & we trade for speed with grossly unsafe situations. It's like a shortcut though a warzone.
We need contacts requiring:
- provably zero: buffer overflows, use-after-free, double-free, stack overflows, memory race conditions
- Malloc failures must crash if unrecoverable.
Then we could begin to have software with greater peace of mind.
Rust does this, as does JavaScript without extensions. Go does most and can be limited to a subset that does all. Some provers exist for C subsets.
Science & open-source build trust from peer review. Learn systems you can trust.
Not sure what's up with all the FUD about Android security patch irregularity. My Sony Xperia and One Plus phones are 3 years old and they are still receiving the monthly security updates from the manufacturer, so lag time is at most 2 months. It shouldn't be much different for Samsung and the other more popular brands and models.
It's true that updates between the major versions of Android are slow or even non-existent, but security updates are different. You can remain on an older version of Android and still receive security updates.
Dude, it's Android: you can choose any one of zero security patches provided by your OEM.
I get regular patches for mine (Xioami Mix).
No sig today...
my vendor never pushed update beyond 6.0
Actually drivers are the problem. Particular drivers for radios.
In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels, and I imagine that the network operators wouldn't be too happy about it either.
This affects the x86 world too. Some laptops have a list of acceptable wifi cards baked into the BIOS. If you try to fit a non-certified one it won't work. Reason being that when you have 3 antennas they could potentially all be used to exceed acceptable transmission power limits if the user fits any random card, so the manufacturer has to limit to ones tested by the FCC etc. to never do that.
Having said that, Google has largely fixed this now. Modern versions of Android can be patched by the Play Store services directly, and indeed in this case the issue has been mitigated that way even if the manufacturer doesn't supply updates.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
this just sucks, as we all know a lot of phones are not going to get any fix for this and even the ones that do will have to wait for a longer then normal time. i'm used to almost always same-day fixes on my linux desktop/servers, which is nothing more then normal.
how do we fix this for devices other then pc's/servers?
in this case i see no other way but to make it a law. if, for example, the EU can dictate the standard connector to use for phone-chargers, they should be able to do the same for something way more serious.
make it a law that all devices must get a lot of years of security updates (i don't even care about OS upgrades at this point), make it a long enough time, something like 6 to 8 years.
what will happen is that companies MUST design the software part better otherwise it will be too expensive to maintain all these security fixes for all these different devices with different implementations. to keep their costs down, they will have to have one build that can be installed and used on their whole range.
again, don't tell me it is impossible, we've been doing it with linux distro's for more than 20 years.
On a long enough timeline, the survival rate for everyone drops to zero.
Because custom ROMs serve the interests of the people selling the phones, allowing them to issue the phone with undeletable adware or bloatware that they're paid to ensure is on every phone (and which is also undeletable). The fact that they do not serve the interests of the people using the phones is of no concern to them.
So my Galaxy S5 is still safe? ...
Android is so shit. With all this spying. Touch interface (on the whole surface too) and with the lack of updates.
Where's the PC equivalent?
20 years of support rule yourself.
Lesbian porn is gay.
Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.
This month, my non-google phone got the February patch update a few hours before the Pixel release was available.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I am sure you read that somewhere, but wherever you read that, I would not trust them as a source anymore. What phone can get past the bootloader, have a custom ROM installed, and then can't use the radio?
"First they came for the slanderers and i said nothing."
The custom ROMs use the binary blob radio drivers from the official ROMs.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Android people like you that defend this inexcusable flaw are the worst kind of scum.
Laying it on a bit thick don't you think? Being a platform apologist is bad, but I wouldn't rank it as "worst kind of scum", even if just limiting to the tech industry or even more so to just mobile OS platforms. Save some room for the real criminals who are making money off your data.
Hm. My iPhone 3GS didn't get the update to ios12. As a matter of fact, I think I had to stop updating it around IOS 5 or so. The newer versions of IOS slowed it down to unusability.
Yeah, yeah. I know. I didn't buy hardware, I bought access to ios and the hardware that came along with that purchase was not fit for duty 3 years after purchasing said access to ios. I was supposed to know even if it wasn't printed on the side of the box: This hardware will become unusable after 3 years and there is NOTHING (other than block further software upgrades) you can do about it. Have a nice day.
But yeah, feel smug about your IOS always being up to date.... completely ignoring the fact that you have to keep paying for hardware every couple years in order to keep your ios up to date.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
One of the Firefox for Android developers confirmed that they're using their own built-in libpng (with a link to its place in the source), so Firefox is likely unaffected. I didn't check separately on Firefox Focus, but I suspect it shares much of the code base.
I saw a reference to Chrome also having its own built-in PNG code (how could it not given its 51+MB download size?) but don't have the same details on it.
This mostly leaves email, messaging and social media as likely vectors for a malicious PNG.
fencepost
just a little off
That can still get you far, though.
iOS 12 runs on 5 year old hardware. Being smug is not necessary to understand the benefits of that.
Your 3GS is not susceptible to this bug.
In order to pass certification for things like FCC the drivers need to be certified too. If they were open source then the user could just crank up the transmit power on their cellular modem or wifi to illegal levels
This is what RIL is for. Cell phones communicate with baseband processor using a standardized interface so the argument makes no sense on its face as the OS does not have the capability to command baseband to do something it isn't willing to.
The argument is further frustrated by the fact anyone can buy a USB stick with a GSM radio in it or a laptop with similar hardware to communicate over cellular networks. Yet the presence of such hardware does not preclude the successful installation of generic Linux distros nor detract from the ability to communicate with said radio.
This affects the x86 world too. Some laptops have a list of acceptable wifi cards baked into the BIOS. If you try to fit a non-certified one it won't work. Reason being that when you have 3 antennas they could potentially all be used to exceed acceptable transmission power limits if the user fits any random card, so the manufacturer has to limit to ones tested by the FCC etc. to never do that.
The FCC explicitly rejected this assertion. Systems need to be designed such that the radio interface cannot be commanded to exceed limits / bypass TDR detection..etc. They never said the entire operating system has to be locked down to achieve this.
Having said that, Google has largely fixed this now. Modern versions of Android can be patched by the Play Store services directly
No, Google play cannot update the operating system. They can only update shit that used to be part of Android but got moved into proprietary Google play malware stack as part of Google's never ending bid to own everything.
Dude, your comment is 4 years too late. Google released its Hardware abstraction layer with Android version 8, it's now on Version 9, and yes, current phones get security updates very quickly from reputable vendors.
This month, my non-google phone got the February patch update a few hours before the Pixel release was available.
In what year I will be able to install a generic Linux or Android distro on my cell phone?
No I don't think so. My reading is that it ONLY works if the process that triggers it is already privileged. It won't work on an unprivileged process at all.
Android also requires device maps to give you state-of-the-1980s base memory addresses for device MMIO.
There's no PCI(e) interface on your phone, or any other "safe" means of software discovering what hardware is in the device. Just like any 8-bit microcomputer you grew up with, hardware control is done by writing memory values to various hardcoded memory addresses. If the sound driver, for example, doesn't know the exact base address of the sound controller, it won't init the sound at all and may even accidentally crash the system if it ends up feeding the wrong commands into the wrong hardware subsystem.
Remember when Windows 95 and 98 would do auto-detect for non-PnP hardware and the ever-present warning that the process could hang the machine was present? Yep, exact same story here.