Wednesday, July 29, 2015

opinion | Android's sudden Stagefright

Of all the talk about the Stagefright exploit, its most sinister aspect is the delivery: all it takes is the phone number of the target. An MMS carrying a crafted video is sent to the victim, and because the messaging app processes the attachment automatically to build a preview, the exploit runs before the message is opened, and even if it is never read at all. Worse, the elevated privileges it gains mean any trace of the attack, the message included, can be removed before the user is aware of the problem.

I'm currently tracking the Stagefright exploit on Android with considerable interest (and, I'll admit, a modicum of trepidation). While I think many of the fears about widespread attacks on the "billions" of Android devices are largely unfounded, I also think the exploit is simple enough and thus serious enough to warrant attention from Android users.

The exploit gives an attacker elevated privileges on phones running Android, a smartphone operating system with nearly a billion users. It was discovered by a team at Zimperium in preparation for a conference talk next week. From what I can tell as a layman, the exploit takes advantage of a weakness (the specific bug has not been made public) in libstagefright, the native media engine built into the core of Android. Every app that plays or previews media goes through it, including the automatic thumbnail a messaging app generates for an incoming video. Like any modern smartphone OS, Android sandboxes its apps, but that media parsing does not happen inside the app's sandbox: it runs in the mediaserver system process, a native service with access to the audio and camera hardware and, on some devices, system-level privileges, so a bug there gives an attacker far more than a compromised app would.
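The post does not name the bug, and the details had not been published when it was written; the Stagefright bugs as later reported were integer overflows in how libstagefright's MPEG-4 parser handled length fields. The following is an added illustration of that bug class, written for this page and not code from Android, Zimperium, or the post's author. It shows a minimal MP4 box (atom) parser in the vulnerable form, where an attacker-chosen size wraps a 32-bit bounds check, next to a hardened form that compares against the remaining space instead. The sample bytes, the `atom_t` type and the helper names are all constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An MP4 "box" (atom) header is a 4-byte big-endian size that covers the
 * header itself, then a 4-byte type; the payload follows. */
typedef struct {
    char     type[5];
    uint32_t payload_off;   /* where the payload starts in the buffer     */
    uint32_t payload_len;   /* how many bytes a following copy would read */
} atom_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the bounds check is computed as off + size in 32-bit
 * arithmetic, so an attacker-chosen size close to 2^32 wraps the sum to a
 * small number and the check passes.  Sizes below 8 also slip through and
 * underflow size - 8.  The memcpy a real parser does next would then read
 * and write far past the buffer. */
bool parse_atom_vulnerable(const uint8_t *buf, uint32_t len, uint32_t off, atom_t *out)
{
    if (off > len || len - off < 8)
        return false;
    uint32_t size = be32(buf + off);
    uint32_t end  = off + size;            /* wraps when size >= 2^32 - off */
    if (end > len)
        return false;                      /* bypassed after the wrap       */
    memcpy(out->type, buf + off + 4, 4);
    out->type[4]     = '\0';
    out->payload_off = off + 8;
    out->payload_len = size - 8;           /* ~4 GiB for a wrapped size     */
    return true;
}

/* Hardened: never add attacker data to an offset; compare the size against
 * the space that remains, and reject sizes that cannot hold the header. */
bool parse_atom_hardened(const uint8_t *buf, uint32_t len, uint32_t off, atom_t *out)
{
    if (off > len || len - off < 8)
        return false;
    uint32_t size = be32(buf + off);
    if (size < 8 || size > len - off)      /* no arithmetic that can wrap   */
        return false;
    memcpy(out->type, buf + off + 4, 4);
    out->type[4]     = '\0';
    out->payload_off = off + 8;
    out->payload_len = size - 8;
    return true;
}

/* Constructed sample, not a captured file: a well-formed empty 'ftyp' atom
 * at offset 0, then an 'mdat' atom whose size field is 0xFFFFFFF8, plus a
 * little padding so the second header is in bounds. */
static const uint8_t SAMPLE[] = {
    0x00, 0x00, 0x00, 0x08, 'f', 't', 'y', 'p',
    0xFF, 0xFF, 0xFF, 0xF8, 'm', 'd', 'a', 't',
    0x00, 0x00, 0x00, 0x00,
};
#define SAMPLE_LEN ((uint32_t)sizeof SAMPLE)

/* Payload length each parser would hand to a copy for the atom at `off`,
 * or -1 if the parser rejects it. */
int64_t demo_payload_len(bool hardened, uint32_t off)
{
    atom_t a;
    bool ok = hardened ? parse_atom_hardened(SAMPLE, SAMPLE_LEN, off, &a)
                       : parse_atom_vulnerable(SAMPLE, SAMPLE_LEN, off, &a);
    return ok ? (int64_t)a.payload_len : -1;
}

int main(void)
{
    const uint32_t offsets[] = { 0, 8 };
    for (size_t i = 0; i < 2; i++) {
        printf("atom at %u: vulnerable -> %lld, hardened -> %lld\n",
               offsets[i],
               (long long)demo_payload_len(false, offsets[i]),
               (long long)demo_payload_len(true,  offsets[i]));
    }
    return 0;
}
```

For the well-formed atom at offset 0 both parsers agree on a zero-length payload. For the crafted atom at offset 8, the vulnerable check computes 8 + 0xFFFFFFF8, which wraps to 0 and passes, and it hands the caller a payload length of 0xFFFFFFF0 bytes; the hardened check sees that 0xFFFFFFF8 exceeds the 12 bytes left and rejects it. This is the whole point of the delivery vector in the post: nothing here requires the user to do anything, only that something on the phone feed the bytes to the parser.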

In fairness, the issue has been somewhat exaggerated by the media. The researcher involved hasn't published the technical details of the weakness or a proof of concept, only the attack vector. There have been no reported instances of the exploit being used in the wild. Google has apparently released a patch for Nexus devices and seeded the fix to manufacturers. But until a patch arrives for your specific device, none of the current workarounds are anything but a bandage on a bullet wound. Disabling MMS auto-retrieve in your messaging app only thwarts one delivery vector. The core vulnerability remains in the OS and can be reached in other ways, through a malicious website or a drive-by download, for instance, or any app that hands the media engine a crafted file.

It's a problem made worse by the very structure of how Google handles updates. No matter how critical a patch may be, Google has no actual power to force manufacturers to ship it. OEMs must go through a long, tortuous process to release a new update, which often involves back-and-forth with carriers and testing before anything reaches a handset. For all its flaws, Apple's notoriously strict control over its devices means patches are rolled out quickly and universally. It's not perfect, but the mechanism for getting a fix in place is there.

While Google has sought to remedy this by making Android increasingly modular, patches to the core operating system are largely at the whim of the OEM. The very qualities that give Android its universal appeal are the exact qualities that create headaches for the users, who are often left stranded and confused by conflicting support from the manufacturer.
