'Stagefright', the worst Android vulnerability in mobile OS history
- Last Updated:
- Sep 29th, 2015 1:32 pm
Tags:
- SCORE+1
- chadw01 [OP]
- Deal Fanatic
- Mar 28, 2006
- 5744 posts
- 5510 upvotes
- Toronto
39 replies
- cartfan123
- Deal Guru
- Sep 8, 2007
- 10978 posts
- 14474 upvotes
- Way Out of GTA
Yawn. Clickbait headline and claims to sell their conference.
"Zimperium did not share all the details regarding Android's Stagefright vulnerability, but the team of researchers promised to discuss the bug in detail at the Black Hat USA conference on August 5 and at DEF CON 23 on August 7."
"Zimperium did not share all the details regarding Android's Stagefright vulnerability, but the team of researchers promised to discuss the bug in detail at the Black Hat USA conference on August 5 and at DEF CON 23 on August 7."
- tebore
- Deal Guru
- Feb 9, 2006
- 13378 posts
- 8308 upvotes
- Brampton
Some are reporting stagefright, some are saying hangouts.
Meh.
Meh.
- UnCeo
- Deal Addict
- Nov 4, 2006
- 2332 posts
- 514 upvotes
- GVR
More info on Ars:
http://arstechnica.com/security/2015/07 ... -messages/
With Hangouts you don't even need to read the message to be impacted.
http://arstechnica.com/security/2015/07 ... -messages/
Hangouts is just the most (or one of the most) vulnerable app.
With Hangouts you don't even need to read the message to be impacted.
- SpectralMeat
- Deal Fanatic
- May 23, 2008
- 7286 posts
- 1329 upvotes
- Kitchener, ON
Ouch
Steam: SpectralMeat
- eeeaddict
- Temp. Banned
- Sep 18, 2012
- 1355 posts
- 239 upvotes
- ETOBICOKE
LOOOOOL Good thing wind doesn't really support MMS. Guess they can brag about that as a security feature now!
- tebore
- Deal Guru
- Feb 9, 2006
- 13378 posts
- 8308 upvotes
- Brampton
Well Looks like back to iOS for me.UnCeo wrote: ↑More info on Ars:
http://arstechnica.com/security/2015/07 ... -messages/
Hangouts is just the most (or one of the most) vulnerable app.
With Hangouts you don't even need to read the message to be impacted.
- death_hawk
- Deal Expert
- Aug 22, 2006
- 31271 posts
- 17295 upvotes
Google patched it already according to the article.
Getting the patch to the masses however is a different story.
This is why I like my Google branded devices.
Getting the patch to the masses however is a different story.
This is why I like my Google branded devices.
- LetsGoBJs
- Member
- Jun 29, 2015
- 259 posts
- 29 upvotes
- Toronto, ON
CM12 has also patched it but again, the masses are probably still exposed.
- sk2003
- Member
- Aug 15, 2012
- 357 posts
- 82 upvotes
- Mississauga
This Stagefright exploit years old, and like the article says, it began with 2.2 back in 2010. Also, it's never been executed on a massive scale, probably because it's not feasible and Google is always quick to patch it. It's about as bad as that Arabic message exploit on older versions of iOS 8. Also, Apple doesn't always have the greatest track record when it comes to security. Remember the celebrity iCloud fiasco? Apple ignored iCloud's vulnerabilities until the scandal forced them into action.
Basically, if you're on KitKat or later, it's not a big deal. Say a massive attack were to happen, I could see really old versions of Android being affected (4.0 and under), especially 2.3. But can a 2.3 device even handle Hangouts?
tl;dr I'm surprised this exploit hasn't occurred on a massive scale yet. And since it hasn't, I'm not too worried. Just don't have your MMS texts set to automatically download attachments (it's usually off by default anyway).
- tebore
- Deal Guru
- Feb 9, 2006
- 13378 posts
- 8308 upvotes
- Brampton
The fappening hasn't been proven that it was an Apple security issue so its a moot example.sk2003 wrote: ↑This Stagefright exploit years old, and like the article says, it began with 2.2 back in 2010. Also, it's never been executed on a massive scale, probably because it's not feasible and Google is always quick to patch it. It's about as bad as that Arabic message exploit on older versions of iOS 8. Also, Apple doesn't always have the greatest track record when it comes to security. Remember the celebrity iCloud fiasco? Apple ignored iCloud's vulnerabilities until the scandal forced them into action.
Basically, if you're on KitKat or later, it's not a big deal. Say a massive attack were to happen, I could see really old versions of Android being affected (4.0 and under), especially 2.3. But can a 2.3 device even handle Hangouts?
tl;dr I'm surprised this exploit hasn't occurred on a massive scale yet. And since it hasn't, I'm not too worried. Just don't have your MMS texts set to automatically download attachments (it's usually off by default anyway).
They both(Android & iOS) are really good (or bad?) At being secure but at least with Apple their OS is consistent. No weird unexpected battery drains. Google's Google play service loves to ***** the bed in this area.
- sk2003
- Member
- Aug 15, 2012
- 357 posts
- 82 upvotes
- Mississauga
I agree with you about battery life, but as an iOS user (iPhone 6 here), I can tell you that iOS 8 is far from smooth. Security wise, it's stupid that a (albeit, relatively harmless) exploit even occurred on iOS via iMessage. I hope iOS 9 is better.tebore wrote: ↑The fappening hasn't been proven that it was an Apple security issue so its a moot example.
They both(Android & iOS) are really good (or bad?) At being secure but at least with Apple their OS is consistent. No weird unexpected battery drains. Google's Google play service loves to ***** the bed in this area.
- tebore
- Deal Guru
- Feb 9, 2006
- 13378 posts
- 8308 upvotes
- Brampton
Agreed on the smoothness. Well I would say it is incredibly smooth and consistent. The problem is it's not snappy. I want to get something done quick but iOS makes you wait and watch their 'beautiful' animations. Which annoys the crap outta me.
- ceredon
- Deal Guru
- Sep 28, 2010
- 10950 posts
- 3262 upvotes
Except that the iOS bug didn't allow remote execution of code, where this does. There are also multiple attack vectors to exploit the weakness in stagefright, not just MMS. Compromised websites are another vector. The reporter mentions he will demonstrate 6 other methods. Anything that access this particular core media library is a vector. Besides MMS and browsers, I'm guessing that he will also mention email clients, other IM clients, remote file storage apps and media players/readers. It's not hyperbole to say this is a pretty big deal.sk2003 wrote: ↑This Stagefright exploit years old, and like the article says, it began with 2.2 back in 2010. Also, it's never been executed on a massive scale, probably because it's not feasible and Google is always quick to patch it. It's about as bad as that Arabic message exploit on older versions of iOS 8. Also, Apple doesn't always have the greatest track record when it comes to security. Remember the celebrity iCloud fiasco? Apple ignored iCloud's vulnerabilities until the scandal forced them into action.
Basically, if you're on KitKat or later, it's not a big deal. Say a massive attack were to happen, I could see really old versions of Android being affected (4.0 and under), especially 2.3. But can a 2.3 device even handle Hangouts?
tl;dr I'm surprised this exploit hasn't occurred on a massive scale yet. And since it hasn't, I'm not too worried. Just don't have your MMS texts set to automatically download attachments (it's usually off by default anyway).
The iOS Arabic MMS bug was nothing remotely close to this in scope or severity. And the iCloud "hack" was never shown to be a weakness in iCloud, though a potentially related weakness was discovered.
Kitkat is not immune, it just has fewer holes to exploit this. It hasn't happened on a large scale mostly because it hasn't been widely known. Now it is and hundred of millions of devices are vulnerable to one degree or another. Google just patched it recently, with code provided by the reporter of the bug, because they were only told about it recently. But almost no one has the patched code.
…
- vkizzle
- Deal Expert
- Aug 22, 2011
- 41802 posts
- 30056 upvotes
- Center of Universe
Hacking and vulnerability...is "new" news?
Everything and anything can be hacked.
If you are the intended target, nothing can be done!
Everyone can take off their tinfoil hats now.
Everything and anything can be hacked.
If you are the intended target, nothing can be done!
Everyone can take off their tinfoil hats now.
- Leop011
- Banned
- Oct 6, 2014
- 82 posts
- 38 upvotes
- Vancouver, BC
What to do?
Try asking your device vendor whether a patch is available already. You may be able to get ahead of the game.
If you can't get a patch right now, find out when to expect it so that you can apply it as soon as you can.
If your messaging app supports it (Messaging and Hangouts both do), turn off Automatically retrieve MMS messages.
If your device supports it, consider blocking messages from unknown senders if you haven't already.
If your SMS/MMS app doesn't allow you to turn off Automatically retrieve messages, consider simply switching back to Android Messaging, which does.
Try asking your device vendor whether a patch is available already. You may be able to get ahead of the game.
If you can't get a patch right now, find out when to expect it so that you can apply it as soon as you can.
If your messaging app supports it (Messaging and Hangouts both do), turn off Automatically retrieve MMS messages.
If your device supports it, consider blocking messages from unknown senders if you haven't already.
If your SMS/MMS app doesn't allow you to turn off Automatically retrieve messages, consider simply switching back to Android Messaging, which does.
- tebore
- Deal Guru
- Feb 9, 2006
- 13378 posts
- 8308 upvotes
- Brampton
That's not enough. That's what everyone is jumping on.Leop011 wrote: ↑What to do?
Try asking your device vendor whether a patch is available already. You may be able to get ahead of the game.
If you can't get a patch right now, find out when to expect it so that you can apply it as soon as you can.
If your messaging app supports it (Messaging and Hangouts both do), turn off Automatically retrieve MMS messages.
If your device supports it, consider blocking messages from unknown senders if you haven't already.
If your SMS/MMS app doesn't allow you to turn off Automatically retrieve messages, consider simply switching back to Android Messaging, which does.
The example given by the guy who discovered the vun said "someone could send you a specially crafted video via MMS and Hangouts would automatically process it thus running the code". Run it on an old system and the vun could follow up with a Root exploit and gain almost unlimited access on your phone. Something like SuperSU could potentially help if you were already rooted/
The attack vector could be anything that uses the Stagefright engine. A video or ad on a website could potentially do it. Apparently only Firefox v39 has been patched to use it's own engine instead of SF.
But that doesn't stop something like a facebook video or ad from also running it. Oh hell if you're good you could hide it in a video ad submit it to Google and hit all the phones in the world and have the help of Google's proxy servers helping you. (Extreme scenario).
It's pretty similar to the old iOS days of their PDF engine giving unlimited access to the phone.
- dealseaker101
- Deal Fanatic
- Dec 1, 2013
- 6494 posts
- 3282 upvotes
- redflagdeals.com
Cue Apple, Blackberry, and WP fanboys in 3...2....1.....
¯\_(-.-)_/¯ A wise RFD'er once said, "Buy now, think later."
༼ つ ◕_◕ ༽つ Behold!
༼ つ ◕_◕ ༽つ Behold!
- JAC
- Deal Expert
- Apr 16, 2001
- 16514 posts
- 3319 upvotes
I'm both happy and sad that nobody can be bothered to hack Windows Phone.dealseaker101 wrote: ↑Cue Apple, Blackberry, and WP fanboys in 3...2....1.....
Blacklisted companies: Roku, Lenovo, Motorola, TP-Link, D-Link, Samsung, HP, LG, Public Mobile, EVGA, Blizzard
- sqrl
- Deal Addict
- Feb 16, 2009
- 1003 posts
- 183 upvotes
Are Windows phones actually more secure or is it just more obscure so hackers don't bother with it?
Thread Information
There is currently 1 user viewing this thread. (0 members and 1 guest)