Stagefright: how to protect yourself from the flaw affecting Android devices?
Earlier this week, a serious security flaw was found in the source code of AOSP, on which Android is based. The security researchers behind the discovery have now given a little more detail on how an attack works, along with some tips for protecting yourself.
For those who have not followed the news from the beginning of the week, Joshua Drake, a computer security expert working for the company Zimperium, found an extremely serious security hole in the source code of AOSP (the basis of Android). It affects all devices from Android 2.2 to Android 5.x (and therefore 5.1.1). The flaw was named Stagefright because it was found in the AOSP media library of that name. In practice, simply receiving a corrupted MMS is enough for an attacker to gain access to certain features of the phone.
50% of devices infected upon receipt of the MMS
Zimperium goes into a little more detail on the options available to attackers. According to the firm, 50% of devices could be infected upon receiving an MMS, without it being opened. We imagine that the company is referring to all devices using Hangouts as the default messaging app, which automatically processes the MMS before it is opened, unlike Android's default messaging app, which processes the MMS only when the user views it.
Disable automatic retrieval of MMS
Zimperium recommends that users disable automatic retrieval of MMS in their messaging app, through the application's settings. That way, the user will see that an MMS from an unknown contact is waiting, and would then have to retrieve it manually for the attack to start. Deleting the MMS therefore solves the problem. However, the flaw will still be present, and an attacker could go through another route, for example by creating a web page containing a booby-trapped video. In that case, there is no possible protection other than updating the browser, as with version 38 of Firefox, which has fixed the flaw since last May.
A risk that differs from device to device
The firm gives some more detail on the risks of an attack. On some devices, the attacker will be able to run code with media privileges and use the device's audio and video capabilities, for example to spy on the user. On other devices, the attacker can obtain system privileges outright, giving almost complete access to all features of the device. Even without these privileges, a sufficiently skilled attacker could perform a privilege escalation to access the victim's personal data, such as messages, contacts, email, etc., or even cloud services. Zimperium also states that a completely silent attack (without a notification being displayed on receipt of the MMS) is possible.
Regarding the risk by Android version, Zimperium merely indicates that Android versions prior to 4.3 Jelly Bean (representing 11% of the current installed base of devices) are the most at risk, and we imagine that these are the ones that allow code execution with system privileges.
Updates that are lagging behind
Companies using the security solution offered by Zimperium (not available to individuals) are already protected from the flaw, even without an update to the Android source code. We also know that Silent Circle's PrivatOS has been updated to version 1.1.7 to fix the flaw and that Google plans to offer an update for Nexus devices in the coming weeks. Cyanogen was also responsive, since the CM12.0 and CM12.1 nightly ROM versions were patched several weeks ago. For other manufacturers, we imagine that the security update will take time to arrive, between internal validation and carrier certification. To speed up the process, Zimperium is offering to send the patch directly to OEMs and mobile operators. Finally, the researchers will put a video of the exploit online during the week. The exploit will be released on August 5 at the BlackHat conference.
Of course, we imagine that the company Zimperium, where Joshua Drake is director of the research and operations division, is taking advantage of the media coverage to attract customers and lucrative contracts. However, we applaud the attitude of Joshua Drake, who was paid 1337 dollars by Google for finding the flaw when he could have resold it for hundreds of thousands of dollars to governments or groups of hackers.