Computer Security: Android’s Armageddon

“The mobile world’s equivalent to Heartbleed” and “the mother of all Android vulnerabilities” are just two of the media’s descriptions of the newly disclosed vulnerability (see here) affecting virtually all Android devices. While Google was quick to fix it, the real problem is getting that fix onto your device: handset manufacturers and mobile providers are incredibly slow at passing it along.

 

What can you do to get this fix? Basically, nothing but wait. If your phone runs Android 2.2 or newer (that is, practically any Android phone in use today), you are exposed. The vulnerability sits in Android’s “Stagefright” media playback engine and can be exploited with a single MMS (Multimedia Messaging Service) message, and you won’t even notice: the exploit runs while your phone pre-processes the incoming message, i.e. before anything is shown to you, in the “door-knocking” phase. No warning. Nada. Worse, the researchers who found the vulnerability plan to disclose the full details at the BlackHat conference in August, so we can expect the attacker community to jump on the bandwagon and put it to use. All they need is your mobile phone number.

Potential defences? Usually we recommend applying the corresponding fix from Google. For Android, however, this requires your handset manufacturer and mobile provider to adapt that patch to your particular device and push it out to you, and this, as experience has shown, can take a while or might never happen. Alternatively, you can try to build and install a patched Android yourself, but this is a feat recommended only for experts. As a stop-gap measure, however, you can stop your phone from automatically fetching MMS messages (disable “auto-retrieve” in your messaging app) or disable MMS altogether, so that a malicious message is not processed behind your back. Some recommendations along these lines are at the end of this article.

Thus, interesting times lie ahead, and not only for Android. Vulnerability disclosure cycles are getting faster and faster, and patching, i.e. fixing those vulnerabilities, must keep pace. In a world full of smartphones, the Internet of Things, inter-connected fridges and cars (see our Bulletin article on “Our life in symbiosis”) and smart meters, a new patching paradigm is needed: today’s patching methods are too slow and inflexible (see our Bulletin article on “Agility for computers”). Android’s Armageddon is just another example.


For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report


Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team