Heartbleed-Level Vulnerability Found In 950 Million Android Devices, Thanks To DRM

Status
Not open for further replies.

InvalidError

Titan
Moderator

What motivation would they have to go through the extra hassle and expense?

You are afraid to get hacked on your no longer supported phone? The carrier offers you to upgrade to a new phone for a fee. You do not upgrade your phone, get hacked and get screwed by bandwidth, LD and other charges? The carrier most likely won't let you get away from it without spending some cash either way.

The carrier patches their servers to intercept malicious SMS? They have to eat the cost of those server tweaks, they lose one reason to nudge customers to upgrade their phones regularly and they may expose themselves to additional privacy inquiries about their SMS interception. Lose-lose-lose for them.
 

targetdrone

Distinguished
I think the Note II will be my last Android device. This is getting ridiculous. Not that there are security flaws in Android, every computer system has them. It's the fact it's impossible to fix them without buying a new device because an affected device is no longer supported for OS updates. Oh yeah, maybe I could install a custom ROM (assuming the bootloader isn't locked), but if something goes wrong I'll end up with a $500 brick. No thank you. I think I'll go super retro and get a car phone once my Note II dies.
 

razor512

Distinguished
Another reason to avoid Android devices which go out of their way to make it difficult to root and install custom ROMs. With the major companies dropping support for older devices after about 18 months, there are millions of devices that will simply never receive an official update to fix this security issue.

Those with easy access to 3rd party ROMs (easy is the key, larger user base = more attention from devs and faster updates), will get the security fix sooner. I bet within a few hours to a few days, you will see 3rd party ROMs with the DRM disabled until updated code for those libraries is released.
 

kenjitamura

Distinguished
> Another reason to avoid Android devices which go out of their way to make it difficult to root and install custom ROMs. With the major companies dropping support for older devices after about 18 months, there are millions of devices that will simply never receive an official update to fix this security issue.
>
> Those with easy access to 3rd party ROMs (easy is the key, larger user base = more attention from devs and faster updates), will get the security fix sooner. I bet within a few hours to a few days, you will see 3rd party ROMs with the DRM disabled until updated code for those libraries is released.

The only Android devices that are difficult to install a custom ROM on are the ones manufactured in China because they don't make the source available to developers. Just don't buy Android devices with Rockchip, Allwinner, Mediatek, or Amlogic hardware and you'll be good.
 

alextheblue

Distinguished
Privacy concerns? Would you want your carrier intercepting your texts at any given time? Just a thought.

They already do that and store them for the NSA to peruse later - and that's not even a tinfoil hat statement. They're compelled by law to store and share with the NSA and likely other agencies.
 

dstarr3

Distinguished
> Privacy concerns? Would you want your carrier intercepting your texts at any given time? Just a thought.
>
> They already do that and store them for the NSA to peruse later - and that's not even a tinfoil hat statement. They're compelled by law to store and share with the NSA and likely other agencies.

Indeed. There is no privacy with SMS in the first place. So, them intercepting malicious code would just be a good use of systems already in place. But yeah, I understand why it'll never happen.

Though, secondarily, I wonder how effective these attacks are for people that use encrypting messaging apps.
 

mrmez

Splendid
Hardly surprising. The result of highly fragmented hardware and software.
Much easier to conquer an already divided platform.

A massive advantage for iOS/OS X.
88% of Apple users are running iOS 8.x.
Meanwhile 50% of Android users are running Jelly Bean or older.
 

bikerepairman1

Reputable
Read it a few days ago. Hope Samsung and T-Mobile update very soon on my tablets (2x) and smartphones (3x). I use one tablet + 1 phone for chat and mail, the other tablet and smartphones I use for work.
 

Bricktop

Honorable
What a compelling reason to only use Nexus or Apple devices.

What really concerns me is how long did these researchers give Google to fix this issue? It's an ethics question. Should the researchers provide all the details of a vulnerability that potentially puts nearly a billion users' personal data at risk? My opinion on the matter is no, they should wait until at the very least a patch is delivered to the Nexus devices (which I don't own). Then Google should attempt to force OEMs and carriers to issue security updates. Then make it a public battle after the vulnerability announcement has been made. What is their slogan again, "Don't be evil." In this case, we need to hope they won't let others be evil either.
 

InvalidError

Titan
Moderator

Nexus devices that have no 5.x update are out of software support from Google and may never get patched short of unlocking the device to install patched third-party firmware. Same goes for tons of other vendors' devices.

With so many device manufacturers pulling support for their devices after only two or three years, I can easily see why they chose to disclose now instead of waiting. Waiting does not make much sense when a large chunk of affected devices (likely the majority of devices running on 2.2 through 4.3) will never get patched.
 

Giroro

Splendid
My carrier is Virgin Mobile, so I can't buy an Android phone new/expensive enough to get software support even if I WANTED to, nor will they work with Nexus devices.
They never got the Galaxy S6 and even stopped selling the GS5 :(
 

somebodyspecial

Honorable


They already get every msg, and the expense of doing it is probably almost nothing but a computer checking for code on the way in. It's called customer service, and advertising it (in this insecure climate), would probably win some customers. No human needs to be involved past telling software (they already have running) to look for it and delete it. I can see the ad now "As a protection to our customers, that our competitors do NOT DO for theirs, we are now deleting virus X related texts". Followed by a promotion of their new models that have it built in...Boom, easy and maybe makes FAR more money than that check initially costs. "Customers can sign up with us now and protect themselves TODAY! Unlike our competition with weak security" :) ROFL

Your way acts as though customers listen to "you're insecure, upgrade now" messages. Ask MSFT how that went for WinXP etc. Knowing this it's a dangerous way to operate that could affect multiple things including your OWN business operations at some point. What capabilities can be had from having half your users hacked?

News flash on ABC/NBC/CBS/CNBC: "10 million Verizon customers' phones were used today in a massive attack on X (or every user's info was stolen from Verizon devices), we suggest users stop using Verizon today and switch to company Y who already announced they delete these txt messages before you get nailed"...LOL. Something like that, but you get the point and it would be damaging to your company's rep. It is wiser to protect and advertise IMHO, gaining customers in the long run as a company looking out for US. It would be on my company website, I'd go on CNBC etc and discuss how "important it was for us to do this for our customers in light of recent massive hack attacks" etc etc...blah...A marketing campaign that pays for itself is always genius. Witness Donald Trump's presidential campaign (like him or not). He pays nothing, everyone talks about what he says (in just a few speeches or interviews), and goes on TV constantly which basically says what any candidate would say in a state to state advertising campaign, and then they all run the story repeatedly drowning out everyone else (including Clinton's scandals etc...ROFL). It costs him nothing, while news does his campaigning for him by accident to get ratings (even though most of them try to trash him...LOL). Pure marketing genius. Any company with these devices should wise up and USE this for an easy marketing message.

Clearly the rest would probably follow then you just alter the msg a bit ;) "Note how we took the lead for our customers, as we always will" blah blah... ;)
 

Giroro

Splendid
What if this vulnerability was created by spies, in order to make customers WANT to have 100% of their messages monitored and filtered (and of course discreetly, indefinitely, and illegally saved to some government server somewhere)? We will never get end-to-end encryption of private messages (of our privates), when instead the public is demanding implementation of an easily abused censorship and monitoring system baked into every device.

The idea that some greasy creeper somewhere has the capability to keep a copy of every single sexy message anyone has ever sent is bad. The idea that they could keep a copy and then prevent it from being received by the person it was intended for is even worse. It's more likely than you think, the UK has implemented a rapidly increasing number of bans on pornography in the past few years - including a blundered ISP-level blanket ban on all internet pornography to people who don't explicitly go on record asking for it. To me, the kind of person who wants to ban all internet porn might also want to ban (or even tax) sexting. Also, I am unsure if the UK government has a giant list of every citizen that they arbitrarily consider to be sinners/perverts, but they do have systems in place to gather such data. That is something that should scare people.
We should not implement a system that allows for such an abuse to ever be possible. Even if you trust your government, do you trust every single person who could ever conceivably get a job there?
 

somebodyspecial

Honorable


As I said before they already get every msg. They are forced, so govt can ask later with subpoena (though they likely just get what they want without one). No comment on that, just saying, nothing changes here and a computer looks then deletes in this case, not humans.

I do not trust the govt one bit. But that wasn't my argument here, as they're not involved in this (govt I mean). A computer would check and delete BAD code, not some dude reading them (or keeping them, which is already done), or the govt. This isn't about what is kept, it's about what is deleted before it gets to you (and done by a computer). IF you and your friend use the right apps you can have encryption. It's just not built in.
 