Well, this is quite the unsettling story. Two "security experts" (I prefer to call them hackers) have built a tool that lets its user probe an Android device and intercept emails and SMS messages. The program is a "root" utility: it disguises itself as an app that makes rooting your phone easy, but it does some other extracurricular activity before it's done (that is, if it even goes through the process of rooting at all). Know that the hackers aren't doing this with any malintent: they want Google to get off their butts and fix the security holes before a serious incident goes down.
The tool was released to thousands of hackers at the DefCon 18 security and hacking conference going on this weekend. At first you may not think releasing such a scary tool is in your or anyone's best interest, but it forces Google's hand to make sure things are set straight before too long.
This isn't unlike the story we heard exactly one year ago, where a known SMS flaw plagued millions of handsets (running many types of operating systems) and allowed the sender of an SMS to mount something similar to a denial-of-service attack, which would keep you from making or receiving calls, sending or receiving text messages, and using your phone's data. Following the revelation of that bug at a similar conference, Google, Apple, and other software vendors found themselves pushing out updates within days to fix it. If this is anything like that, I'm sure Google's already hard at work taking care of it.
Shit, I gotta stay away from downloading root applications for a while.
Not that I download much to begin with.
Say it ain’t so! Rooted phones are insecure? What a shocking development! Google should get right onto fixing it so phones can’t be rooted anymore.
Well, the good news is that it isn't an open vulnerability to Android users in general. You have to be wanting an "easy" way to root your phone (something that voids the warranty anyway) and then download/execute the malicious file deliberately. Sounds like the user would have to be a fair bit negligent to become a victim here, but I agree that Google should fix it, and I'm glad there are security experts/hackers with good intentions who bring this to light rather than using it for evil themselves.
@Monty the problem with the story is that it’s not clear on what the application actually does. They didn’t say if it actually had code to root a particular phone or not, just that it posed itself as a root utility. One-click root applications (and custom ROMs should you care to install them) are risky in nature as you are not dishing out the commands yourself. By rooting through the “hands in dirt” methodologies of a particular phone, everything is transparent and you can be sure nothing is being done to your device that you didn’t tell it to. “Just be careful” is the only thing I can suggest to anyone.
I am getting sick of folks trying to jump into the security spotlight by doing the obvious. OK... if you root your phone you are obviously opening yourself up whether there are vulnerabilities or not. I mean seriously, I could just make an app called "root your phone" and cause it to send me your emails and SMS.
This is bullshit. You download 3rd party apps off the market at your own risk! There is even a disclaimer proclaiming that before you download them. Don't bullshit yourself! These hackers were in it to win it. But the reality, if you are a real hacker, is that your personal info is way easier to get than to develop an app to steal your emails. Freedom is often given up in the name of security and that has always been the case throughout history. This is the reason why AT&T and Apple block these things, and look how bad we talk about them!!!!! LIBERATE AMERICA – LIBERATE MARIJUANA AND OPEN SOURCE TECHNOLOGY!
@Quentyn, if the possibility exists for a phone to be rooted, an application can attempt to gain root access and consequently full access without you even being aware that it's attempting it. That's the risk, and the ability to root is the hole. If you leave the front door open, you can't complain that someone walked in and took your stuff. This is why most sane people don't want that ability to exist, as much as it pisses off the rooters/ROMers. It's not worth the vast majority of users being at risk so a small number of people can have their jollies.
So, what flaw are they forcing to get fixed? Has it been disclosed? An app that may or may not do what it says it will do, and does something nefarious in the process, sounds like malware (and potentially just a con-job). However, if the app exploits a vulnerability and the vulnerability has been disclosed to Google, then there is something to it.
How can you blame Google for someone rooting their phone? If you want to root your phone, you need to accept the responsibility and risk of doing so.
@cwrig – and if you don’t want to root your phone, but a malicious app does it for you?
@Rudy not quite. When an application requests root access, a message to allow or deny pops up. Of course, selecting "always allow" on an unsure application is just foolhardy.
The gremlins did it.
Some of you really need to reread the article. This isn’t about rooted phones. It’s about all phones rooted or not. And a big thank you to the hackers. If it weren’t for you guys, open source would be an insecure nightmare.
You would only get the root request on well behaved root access apps. A nefarious app would hardly ask your permission. ;-)
@fahad: that’s assuming your phone has been rooted by the standard means and has had the root-privileges-protecting Superuser.apk (and the custom su binary) installed. Otherwise if your phone isn’t rooted this app presumably does it for you and then happily abuses the privileges. So having a rooted phone probably serves to *protect* you against this more than anything.
Let’s look at what the article said, “but will do some other extracurricular activity before it’s done (that’s if it even goes through the process of rooting at all).” Now let us examine this quote… You don’t have to be rooted, the program itself is DISGUISED as a rooting program so people would use it.
@Rudy While you can develop an app to secretly root your phone and claim it is doing something else, the idea of root being the problem is silly. First off, when you root your phone all you are really doing is opening up aspects of your phone that the manufacturer closed for various reasons. Most of which are development tools and in some cases locked features (EVO 4G tethering for instance). They are saying that this team made an app that would help you root your phone, that in reality did other things that require no root access. As in forwarding every email you send to another address, or monitoring what words you type most often and filtering them into a database, picking out what it wants from you. The reason they used root access as the dummy app is because most people looking for an easy way to root their device are fresh to the modding scene and would more than likely agree to anything the app asks (they figure the app knows best since they are looking for an easy one-touch step). Much like virus companies target people with the fake virus screen that alerts you of 1000 threats and you need to act now! The educated person restores their computer in safe mode and kills the threat. Average Joe would buy into the program (which is the one causing the mayhem); it quickly dispatches the program it created and then they see their computer is back to normal and think nothing of it.
I guess what I'd want to know is if the security experts took this to Google first, and then released it into the wild, as is common courtesy. First you warn the corporation by submitting the tool or process, and then you force their hand to fix it by releasing it into the wild some time later. IF they didn't do this, I'd be surprised.
I was at the DefCon presentation and live demo for this. The exploit was pushed to the phone using ADB and uses a kernel exploit to run. At this moment I do not know of a way to infect a phone with this without pushing via ADB. In all honesty, I would use this exploit on my personal phone as a security feature if my phone ever got lost or stolen. I could call my phone and find out its location and all my personal data without the thief ever knowing I was on. :)
This presentation came in two parts though, the rootkit being the second half. The first half was about apps that ask to use your data on the phone, i.e. contacts, network, etc. This is much more of a concern to me than the rootkit, as developers will steal and hide data within apps we all download. One example they gave is a set of wallpapers that gathered IMEI and serial numbers off the phone and sent it back to a site in China (go figure). These wallpapers had millions of downloads. This has been sent to Google and the developer is under investigation. The developer claims it uses that data to "save settings when moving to a new phone".
My 2 cents.
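The first half of that talk, as the commenter describes it, is about apps that declare permissions to read private data and then ship it off the device; the wallpaper case needed only the permission that exposes the IMEI plus network access. As an added example (not from the article, the commenter, or the presenters), here is a small static audit of an AndroidManifest.xml that flags exactly that pairing: a declared permission that reads sensitive data combined with one that provides an off-device channel. The permission names are the real Android ones; the two manifests and the app names are constructed for the example, and the "risk" judgement is this script's own heuristic, not anything the talk published.

```python
"""Static permission audit of an Android manifest.

Flags the combination that lets an app like the wallpaper example phone
home with device identifiers: a permission that exposes private data
(READ_PHONE_STATE gives the IMEI) together with a permission that can
move that data off the handset (INTERNET or SEND_SMS).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that expose data worth exfiltrating (real Android names).
DATA_SOURCES = {
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI, phone number",
    "android.permission.READ_SMS": "SMS contents",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.GET_ACCOUNTS": "account names (e.g. Gmail address)",
}

# Permissions that give the app a channel off the device.
EXFIL_CHANNELS = {
    "android.permission.INTERNET": "network",
    "android.permission.SEND_SMS": "outbound SMS",
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def audit(manifest_xml):
    """Classify a manifest: which data it can read, which channels it has,
    and whether the two together make exfiltration possible."""
    perms = declared_permissions(manifest_xml)
    sources = sorted(p for p in perms if p in DATA_SOURCES)
    channels = sorted(p for p in perms if p in EXFIL_CHANNELS)
    return {
        "permissions": sorted(perms),
        "data_sources": sources,
        "exfil_channels": channels,
        "exfil_capable": bool(sources and channels),
        "why": [
            "%s (%s) + %s (%s)" % (s, DATA_SOURCES[s], c, EXFIL_CHANNELS[c])
            for s in sources for c in channels
        ],
    }


# Constructed manifests for the example; package names are hypothetical.
WALLPAPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Wallpapers"/>
</manifest>
"""

FLASHLIGHT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("wallpapers", WALLPAPER_MANIFEST),
                           ("flashlight", FLASHLIGHT_MANIFEST)):
        report = audit(manifest)
        verdict = "EXFIL-CAPABLE" if report["exfil_capable"] else "ok"
        print("%-10s %s" % (name, verdict))
        for reason in report["why"]:
            print("           " + reason)
```

A wallpaper app has no business reading phone state, so the pairing is the signal here; the same check run over a backup or contacts app would need a human to decide whether the channel is justified. Because the check looks only at declared permissions, it says nothing about the rootkit half of the talk, where a kernel exploit pushed over ADB needs no permissions at all.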
@UHF3, it *IS* about rooted phones.
Without the ability to get root, the subsequent security flaws don’t exist.
On the other hand, people wouldn’t be so interested in having the ability to get root if the carriers weren’t such complete d*cks about crapware, disabling features, and other highly valid reasons to break out of their mostly-inept lockdowns.
You do realize that the application that pops up to “allow” root access is installed by the user in the first place? It is not built into the OS. So if a malicious application was able to root your phone and steal your data then they would simply steal your data without installing the application that allows you to block root access.
@Mac, That’s an excuse. You blame the carriers and manufacturers for lockdowns, but some of those lockdowns are there to prevent just this kind of malware. Even so, there will always be people who want the ability to root just because they don’t like anyone telling them no, you can’t. But that’s OK. The harder users work to find the exploits that let them root, the faster those exploits can get closed.
We really need to re-architect our OSes to block root access 99.9 percent of the time. There are so many ways to add software and functionality without having core access to the operating system's most vulnerable systems. There needs to be a whitelist of trusted developers for that core root access. I frankly do not trust these developers because they code just for functionality and not for security.
If anything, Google needs to own more of the Android experience. Do not leave the new edition upgrades to the carriers anymore & better scrutiny of the apps. We don’t need to go to Apple extremes, but a better system of checks and verification are needed.
We need to have levels of permissions for developers based upon their experience and earned trust. Frankly, the open-season part of open source creates inherent security risk no different than closed source.
@UHF3 Get Digital Your mind was left in the garbage
@Jose G You want a truly locked phone go live in N.Korea and its analog too. You fail to understand what Open Source is.
>>You fail to understand what Open Source is.
However, here we have a glaring example of where it FAILED. People's lives could potentially be ruined by this security bug. Real impact to real people trying to live their lives and conduct business, all on a phone that they think is going to, at the very least, keep their SMS messages and email private to themselves and their respective recipients.
Open source touts its "security" mantra by claiming that since there are multitudes of sets of eyes looking at the source, potential security holes are caught and corrected by the community. It didn't happen here. The tool was released to a bunch of people at a conference that is stacked with Federal agents to arrest *criminals*. Sets of eyes reviewing the vulnerabilities in the system is great, except when those eyes have mal-intent.
That's not secure. The open source model didn't work here. While you might agree with the virtues of the ideology, when put to practice, in this case it failed.
This brings me to another point.
How quickly can we expect to have critical security patches sent to us OTA? With the development pipeline going from Google to the Hardware Manufacturers, to the Carriers… a simple fix could have multiple hands in the pot, all taking their sweet damn time to correct potential issues. We all know how horribly long it takes to get OS updates to our handsets after they are released by Google – how about a critical security patch?
(And for all you “I’m better than you” root users – you’re part of the problem here. I’m not going to void my warranty so that I can apply patches straight from google.)
@Tad: as to your first comment, couldn't it be said that Google, and not open source, was the one that failed, since this vulnerability was brought to their attention but virtually no action was taken? Google should be taking some action in managing the Marketplace, definitely not to Apple's extent, just a bit though to keep malware, exploits, and other crap out. Also, if you took the time to read the article you would notice "the hackers aren't doing this with any malintent..."
@Tad comment 2: security patches such as this *should* be put through pretty quickly. I mean, no carrier wants the possibility of complaining customers. OS updates and security patches are 2 completely different things. I'm not even a developer and I know that the code for an OS update is vastly larger than for a security patch. Think of it this way: the patch is like a bandage when you get hurt, you only put it over the affected area, not your entire body. They aren't completely redoing the OS, just the small portion that is affected in the security hole. As for your last comment, I will admit, I've rooted my Samsung Moment, but only because I didn't want all of Sprint's stupid bloatware and to improve my battery life a bit. I don't think I'm better than you, or anyone else for that matter; if you last a whole day on 1 charge with moderate usage, without root, all power to ya. FYI, for most phones, there are files out there to revert your phone back to complete stock and unroot your phone. Unless your carrier heavily inspects your phone when you take it in, they'll never know you "voided your warranty".
I wonder if they are referring to the Unrevoked tool?
@everyone I don't know why there is still discussion, Extremx (19th post) said everything.
Just in case someone didn't understand, I'll recap quickly (and noticeably, so this is less likely to be skipped) what the knowledgeable have said:
THE PROGRAM DOES NOT REQUIRE ROOT AND IT MAKES USE OF A FLAW IN BOTH ROOTED _AND_ NON-ROOTED PHONES
the article even said this: “The program is a “root” utility that disguises itself as a program to help easily root your phone” . . . “that’s if it even goes through the process of rooting at all”
the example given at the conference was a fake rooting program but it could be _any_program_ because it does _NOT_ require root
I hope that was clear. Please forgive the caps.
@Eric :: Quite right. +1 there.
I TRIED to root my Droid X with a software program called DroidX Root. I’ve seen it published all around the internet to be a “1 click solution” to rooting. I couldn’t get it past the “turn off Bluetooth” part, and it still remains unrooted today. But I’m worried, after reading this article, that I could have let the software gain access to my phone without me knowing. Here is the link I followed to access the download.
Am I being paranoid? Or should I take steps to ensure that my phone is safe?
If anyone has it, I would like to have this program. Thanks.