Black Hat revealed much about how our device-driven society can easily meet its demise, with hackers able to break into almost anything, from phones to cars to smart home appliances.
Yet the loudest alarm concerns our overly connected phones, particularly those running the world's leading OS, Google's Android. At the Black Hat conference, as before, Josh Drake, a Zimperium researcher, proved just how easy it is to hack into large numbers of Android smartphones and underlined the need for serious security patches if Android is to remain the top choice of users.
In particular, Drake's presentation revolved around Android's built-in media tool, Stagefright. With relatively little effort spent on its code, Android smartphones can be infected with even a single text.
Text-message attacks based on Stagefright work relatively easily. Because the OS downloads media from a received MMS before the user even has the chance to see it in notifications, by the time the MMS appears on screen it is already too late.
“All that horrible code is triggered before the MMS even hits your device”,
Turning off the device does not prevent the text-message attack, because wireless carriers store MMSs until the device is ready to receive them. Perhaps one temporary solution is to turn off the "auto-retrieve" option in Google Hangouts. In the long term, this is not feasible either.
Stagefright has been part of Android since Android 2.3 hit the market, its main purpose being to handle audio and video files at a higher speed. Not only does it enable playback, but it is also the main tool that extracts metadata from the files it handles.
Stagefright is included in Mediaserver, which, according to Drake, is a larger body of code that handles everything from Bluetooth to camera to media.
“Basically, what it’s doing is opening up a lot of attack surfaces. If you attack this successfully, you can stream the microphone straight to yourself”.
Given this code and the potential for an attack on a large number of Android smartphones, it is understandable why Stagefright, a gateway for malicious intentions, scared many.
Google's Android is also open source, which means that every manufacturer can freely use it and add its own features. That makes the challenge of reducing the hack threat all the more complicated.
Drake informed Google of the threat Stagefright poses. In response, the company announced that security patches are already on their way. Adrian Ludwig, who is the head of security for Android, stated:
“We’re in the midst of the largest software update the world has ever seen. Until next month, when we do it again”.
While Google's effort is acknowledged, particularly in view of the rapid development of the security patches, Android device manufacturers have yet to catch up, specifically those that offer customised versions of Android, which Ludwig called a 'strong ecosystem'.
For now, researchers and developers have done their job. Certainly, they find security challenges every day. It is up to companies to meet the requirements for ever safer devices and for the code and software running on them.