“These vulnerabilities are extremely dangerous because they
do not require that the victim take any action to be exploited”
Security Firm
Zimperium zLabs commenting on the seriousness of the StageFright hack via text
message that affects Google Android smartphones
It's already bad enough Hackers or the NSA (National
Security Agency) have the power to remotely turn off your smartphone as
explained in my blog
article entitled “NSA
smartphone hack via the Baseband Processor - How NSA can remotely control your
smartphone and Defense Against the Dark Arts”.
Hackers can now hack 95% of Google Android smartphones using
a simple text message hack called StageFright. So says Security Firm Zimperium
zLabs in the article “Most
Android phones at risk from simple text hack, researcher says”, published
July 27, 2015 by Don Reisinger, CNET News.
So how was this vulnerability discovered?
Timeline for StageFright
discovery – From Z for Zimperium to G for Google
The StageFright exploit gets its name from the fact that the
vulnerability affects the default Video playback tool in Google Android called StageFright
as explained in the article “Everything
you need to know about the StageFright hack and how to defend yourself”,
published July 31, 2015 By Robert Nazarian, DigitalTrends.
It was discovered in April 2015 by Joshua Drake from
Zimperium zLabs, who immediately send Google some patches on Thursday April 9th
2015, which Google accepted.
By May 2015, a second set of issues were reported by Drake, bringing
the total number of issues to seven (7). He also gave Google more Patches, all
of which Google accepted and have scheduled for release at a time that hasn't
been specified.
The vulnerability, called StageFright, involves sending a
person a text message with a link to a video on a website. The victim clicks on
the website, assuming it's an offer of some sort.
In so doing, the hacker can gain control over their
smartphone. But even more troubling is that depending on the platform upon
which one receives the text, they may have no say as it relate to being
infected.
Security Firm
Zimperium and StageFright – Google powerless as OEM’s control updates
Since informing Google of the security vulnerability and issuing
security patch, which Google accepted, thing have gone quiet as this is the
first time in July, some four (4) months later that I’m hearing about this.
However, it won't reach most of the affected 90% of
smartphones, as the distribution of security patches is controlled by the OEM's
(Original Equiptment Manufacturers).
OEM’s tend to be very slow to respond when it comes to
issuing updates, being as it costs them money to do so.
Google's response isn't surprising and was quite
non-chalant, to quote a Google Spokespersons in the article, quote: “The
security of Android users is extremely important to us and so we responded
quickly and patches have already been provided to partners that can be applied
to any device. Most Android devices, including all newer devices, have multiple
technologies that are designed to make exploitation more difficult. Android
devices also include an application sandbox designed to protect user data and
other applications on the device”
After all, many persons still have older versions of Google
Android and very few customers are buying new devices ort upgrading to Google
Android 5.0 Lollipop.
So rather than issue a patch for their fragmented Android
Ecosystem, they're hoping that Natural Selection caused by malware will force
device owners to upgrade as explained in my Geezam
blog article entitled “Android
Browser Security Unfixed as Google Wants you to Upgrade to Lollipop”.
So since it’s apparent that Google doesn’t care, it’s up to
you to protect yourself by simply not using MMS, disableing Google+ Hangouts
and also not opening suspicious text messages while on the Internet!
So how exactly does the text message hack called StageFright
work?
Security Firm
Zimperium and StageFright - Why Automated Video Playback in Android is a
Hacker's Paradise
StageFright is a part of a slew of hacking revelations
before DefCon Conference which runs from Saturday August 1st 2015 to
Thursday August 6th 2015 and the Black Hat Security Conference which
runs from Thursday August 6th
to Sunday August 9th, 2015, both occurring in Las Vegas, Nevada.
Already on Tuesday July 21st 2015, Security
Researchers Charlie Miller, a Security Researcher at Twitter and Chris Valasek
, Director of Vehice Security Research Firm IOActive have demonstrated that
it’s possible to hack a 2014 Jeep Cherokee over the Internet as explained in my
blog article
entitled “Security
Researcher hack a 2014 Jeep Cherokee - How to remotely hack an Internet
Connected Vehicle as Remote Vehicle Homicide possible”.
A week later on Thursday July 30th 2015, Security
Researcher Sammy Kamkar demonstrated that it’s possible to hack GM's OnStar
System by tapping into the communications between the OnStar RemoteLink
remote-access App and the vehicles OnStar IVE (In-Vehicle Entertainment) System
as explained in my blog article entitled “Security
Researcher Sammy Kamkar GM OnStar Hack - How OwnStar can make your GM OnStar
Vehicle Gone in 60 Seconds”.
This hack isn’t much different; it exploits a weakness in
the communications between the Telecom Provider, the Messaging Server and your
smartphone’s auto playback features for video ?
According to Security Firm Zimperium zLabs, the link sent to
the victim’s smartphone contains a video, many of which now play in HTML5 on YouTube
as since January 2015 as explained in my Geezam
blog article entitled “YouTube
switches to HTML5 with Adaptive Bitrate for better Streaming”.
However, this isn’t a YouTube video but a malicious video on
a cloud hosting service!
The video itself contains malicious code that is activated
the minute the video is played by Google Android default Video Player, which is
in all Google Android smartphones and Tablets.
Also it doesn’t need the YouTube to infect your smartphone,
being as the App no longer works on any pre-2012 Smartphone as explained in my Geezam blog article entitled “YouTube
App support on pre-2012 devices ending April 30 2015”.
Surprisingly, due to the automated nature of playing videos
in Google Android Messenger Application, the minute the victim merely opens the
text without even watch into the video, Android already start analyzing the
link.
Once it determines that the link is a video, it already starts
to run and buffer the video, effectively preparing the system to play the video
in anticipation of the person clicking on the link.
In so doing, StageFright is activated, giving the hackers
remote access to your smartphone and all the data the have captured about you.
Google+ Hangouts
and Text messages - How Hackers can declare Thermonuclear War with StageFright
It's even worse if you have Google+ Hangouts, which allows
you to make free International Calls as explained in my blog article
entitled “How
to make free Google International Calls with Google Hangouts – Free Calling for
Laptop, Google Android and iOS”.
Google+ Hangouts automatically pre-loads all vides it
receives in your account or Hangout’s App. So you don't even have to open the
text message; you're already infected, thanks to Google's propensity to want
Android to appear to be working faster by pre-loading and buffering Video
content.
Google latest version of Android, called M, which was
revealed at Google I/O earlier in June 2015, will prompt and ask your
permission before automatically running videos as explained in my Geezam blog article entitled “Android
M, Android Wear, Google Pay and Cardboard VR are the stars of Google I-O”.
With some 1 billion to 5 billion downloads of Google+ Hangouts
App as noted in the article “Android bug: MMS threat
affects 'one billion' phones”, published 28 July 2015, BBC News, that's potentially a lot of Credit
Cards Numbers, names and addresses, personal data and logins and passwords that
a good hacker can exploit.
Truly, the name StageFright doesn’t do this vulnerability justice;
it should be more like Tsar Bomba, as this is exactly how powerful such hack
would be in the hands of the wrong person.
Security Firm Zimperium zLabs will show exactly how StageFright
works at the Black Hat hacker conference in Las Vegas. After that, unless
Google takes action, hackers can declare Thermonuclear War on Google Android
owners, whose love of Google+ Hangouts App means they're already dead even
without doing anything.
No comments:
Post a Comment
Please register and leave you comments. For contact, leave an email or phone number and I'll be sure to get back to you.