Monday, August 3, 2015

Security Firm Zimperium reveals StageFright Bug and Why Automated Video Playback in @Google @Android is Bad

“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited”

Security Firm Zimperium zLabs commenting on the seriousness of the StageFright hack via text message that affects Google Android smartphones

It's already bad enough Hackers or the NSA (National Security Agency) have the power to remotely turn off your smartphone as explained in my blog article entitled  “NSA smartphone hack via the Baseband Processor - How NSA can remotely control your smartphone and Defense Against the Dark Arts”.



Hackers can now hack 95% of Google Android smartphones using a simple text message hack called StageFright. So says Security Firm Zimperium zLabs in the article “Most Android phones at risk from simple text hack, researcher says”, published July 27, 2015 by Don Reisinger, CNET News

So how was this vulnerability discovered?

Timeline for StageFright discovery – From Z for Zimperium to G for Google

The StageFright exploit gets its name from the fact that the vulnerability affects the default Video playback tool in Google Android called StageFright as explained in the article “Everything you need to know about the StageFright hack and how to defend yourself”, published July 31, 2015 By Robert Nazarian, DigitalTrends.

It was discovered in April 2015 by Joshua Drake from Zimperium zLabs, who immediately send Google some patches on Thursday April 9th 2015, which Google accepted.

By May 2015, a second set of issues were reported by Drake, bringing the total number of issues to seven (7). He also gave Google more Patches, all of which Google accepted and have scheduled for release at a time that hasn't been specified.

The vulnerability, called StageFright, involves sending a person a text message with a link to a video on a website. The victim clicks on the website, assuming it's an offer of some sort.

In so doing, the hacker can gain control over their smartphone. But even more troubling is that depending on the platform upon which one receives the text, they may have no say as it relate to being infected.

Security Firm Zimperium and StageFright – Google powerless as OEM’s control updates

Since informing Google of the security vulnerability and issuing security patch, which Google accepted, thing have gone quiet as this is the first time in July, some four (4) months later that I’m hearing about this.

However, it won't reach most of the affected 90% of smartphones, as the distribution of security patches is controlled by the OEM's (Original Equiptment Manufacturers).

OEM’s tend to be very slow to respond when it comes to issuing updates, being as it costs them money to do so.

Google's response isn't surprising and was quite non-chalant, to quote a Google Spokespersons in the article, quote: “The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device. Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device”

After all, many persons still have older versions of Google Android and very few customers are buying new devices ort upgrading to Google Android 5.0 Lollipop.

So rather than issue a patch for their fragmented Android Ecosystem, they're hoping that Natural Selection caused by malware will force device owners to upgrade as explained in my Geezam blog article entitled “Android Browser Security Unfixed as Google Wants you to Upgrade to Lollipop”.

So since it’s apparent that Google doesn’t care, it’s up to you to protect yourself by simply not using MMS, disableing Google+ Hangouts and also not opening suspicious text messages while on the Internet!

So how exactly does the text message hack called StageFright work?

Security Firm Zimperium and StageFright - Why Automated Video Playback in Android is a Hacker's Paradise

StageFright is a part of a slew of hacking revelations before DefCon Conference which runs from Saturday August 1st 2015 to Thursday August 6th 2015 and the Black Hat Security Conference which runs from  Thursday August 6th to Sunday August 9th, 2015, both occurring in Las Vegas, Nevada.


Already on Tuesday July 21st 2015, Security Researchers Charlie Miller, a Security Researcher at Twitter and Chris Valasek , Director of Vehice Security Research Firm IOActive have demonstrated that it’s possible to hack a 2014 Jeep Cherokee over the Internet as explained in my blog article entitled “Security Researcher hack a 2014 Jeep Cherokee - How to remotely hack an Internet Connected Vehicle as Remote Vehicle Homicide possible”.

A week later on Thursday July 30th 2015, Security Researcher Sammy Kamkar demonstrated that it’s possible to hack GM's OnStar System by tapping into the communications between the OnStar RemoteLink remote-access App and the vehicles OnStar IVE (In-Vehicle Entertainment) System as explained in my blog article entitled  “Security Researcher Sammy Kamkar GM OnStar Hack - How OwnStar can make your GM OnStar Vehicle Gone in 60 Seconds”.

This hack isn’t much different; it exploits a weakness in the communications between the Telecom Provider, the Messaging Server and your smartphone’s auto playback features for video ?

According to Security Firm Zimperium zLabs, the link sent to the victim’s smartphone contains a video, many of which now play in HTML5 on YouTube as since January 2015 as explained in my Geezam blog article entitled “YouTube switches to HTML5 with Adaptive Bitrate for better Streaming”. 

However, this isn’t a YouTube video but a malicious video on a cloud hosting service!

The video itself contains malicious code that is activated the minute the video is played by Google Android default Video Player, which is in all Google Android smartphones and Tablets.

Also it doesn’t need the YouTube to infect your smartphone, being as the App no longer works on any pre-2012 Smartphone as explained in my Geezam blog article entitled “YouTube App support on pre-2012 devices ending April 30 2015”.  

Surprisingly, due to the automated nature of playing videos in Google Android Messenger Application, the minute the victim merely opens the text without even watch into the video, Android already start analyzing the link.

Once it determines that the link is a video, it already starts to run and buffer the video, effectively preparing the system to play the video in anticipation of the person clicking on the link.

In so doing, StageFright is activated, giving the hackers remote access to your smartphone and all the data the have captured about you.

Google+ Hangouts and Text messages - How Hackers can declare Thermonuclear War with StageFright

It's even worse if you have Google+ Hangouts, which allows you to make free International Calls as explained in my blog article entitled “How to make free Google International Calls with Google Hangouts – Free Calling for Laptop, Google Android and iOS”. 

Google+ Hangouts automatically pre-loads all vides it receives in your account or Hangout’s App. So you don't even have to open the text message; you're already infected, thanks to Google's propensity to want Android to appear to be working faster by pre-loading and buffering Video content.

Google latest version of Android, called M, which was revealed at Google I/O earlier in June 2015, will prompt and ask your permission before automatically running videos as explained in my Geezam blog article entitled “Android M, Android Wear, Google Pay and Cardboard VR are the stars of Google I-O”.

With some 1 billion to 5 billion downloads of Google+ Hangouts App as noted in the article “Android bug: MMS threat affects 'one billion' phones”, published 28 July 2015, BBC News, that's potentially a lot of Credit Cards Numbers, names and addresses, personal data and logins and passwords that a good hacker can exploit.

Truly, the name StageFright doesn’t do this vulnerability justice; it should be more like Tsar Bomba, as this is exactly how powerful such hack would be in the hands of the wrong person.


Security Firm Zimperium zLabs will show exactly how StageFright works at the Black Hat hacker conference in Las Vegas. After that, unless Google takes action, hackers can declare Thermonuclear War on Google Android owners, whose love of Google+ Hangouts App means they're already dead even without doing anything.


No comments:

Post a Comment

Please register and leave you comments. For contact, leave an email or phone number and I'll be sure to get back to you.