On Wednesday (5 August 2015), the lead engineer of Android security at Google, Adrian
Ludwig, addressed the Black Hat conference in Las Vegas, telling the assembled groups of
hackers, researchers and journalists that in the next few days, his employer – along with
hundreds of manufacturers and high-profile partners including Samsung, HTC, LG and
Sony – would be pushing out a security patch that Ludwig described as "the single largest
Ludwig said it was incredible that hundreds of millions of devices would be updated within a
few days. He added that the events of the last few weeks had forced Google to move
faster to fix problems. Most people present instinctively linked the announcement to the
Stagefright bug, which was revealed just last week. The bug could allow any hacker to
take remote control of an Android smartphone simply by knowing the phone number and
sending the handset in question a video multimedia message. However, it appears that
there may have been an even more pressing reason for Google to push out this security
update.
Certifi-Gate is "very-easily exploited"
Security researchers from Check Point have discovered a vulnerability, which they have
dubbed Certifi-Gate, that allows hackers to gain what they call "illegitimate privileged
access rights" and take full control of your smartphone or tablet through apps installed
on your Android devices by manufacturers and mobile phone networks.
This vulnerability affects implementations of Remote Support applications that come
pre-installed on your smartphone or tablet, and are used to offer technical help to users
by allowing support staff to remotely take over your screen to fix an issue.
"Attackers can exploit Certifi-Gate to gain unrestricted device access, allowing them to
steal personal data, track device locations, turn on microphones to record conversations
and more," a Check Point spokesperson said. Check Point told IBTimes UK ahead of its
Black Hat presentation that it is yet to see the vulnerability being exploited in the wild, but
that the bug could nonetheless be "very easily exploited", should a hacker wish to do so.
A much bigger issue is that the bug cannot be easily fixed as Android offers no way to
revoke the certificates that provide the privileged permissions. "Left unmatched, and with
no reasonable workaround, devices are exposed right out of the box. OEMs also cannot
revoke the valid signed vulnerable components, making unmatched versions valid for
installation on devices," Check Point said.
When asked about the bug, Google said the fault lay with third-party apps rather than
Android itself, adding that its own Nexus devices were therefore not susceptible:
"We want to thank the researcher for identifying the issue and flagging it for us. The issue
they've detailed pertains to customisations OEMs make to Android devices and they are
providing updates which resolve the issue. Nexus devices are not affected and we haven't
seen attempts to exploit this," a Google spokesperson said.
Google added that in order for a user to be affected, they would need to install "a potentially
harmful application" which the company says it continually monitors for with VerifyApps and
SafetyNet. "We strongly encourage users to install applications from a trusted source, such
as Google Play," the spokesperson added.
Complete control
Such vulnerabilities could allow hackers to take advantage of insecure apps that have been
certified by manufacturers such as Samsung, HTC and LG, as well as mobile phone
networks, giving them unrestricted access to devices and allowing for screen-scraping, key
logging and extraction of private data, as well as downloading and installing malware. "The
root causes of these vulnerabilities include hash collisions, IPC abuse and certificate
forging, which allow an attacker to grant their malware complete control of a victim's device,"
the company said.
The security company disclosed the vulnerability to Google, app developers and
manufacturers, adding that the only way to fix the Certifi-Gate vulnerability is by pushing a
new software build to the affected devices, a process it has called "notoriously slow". With
this in mind, it seems clear that Ludwig's announcement of new monthly security updates for
Android on Wednesday came about not only because of Stagefright, but also because of
the Certifi-Gate issue – which is potentially a much more harmful security flaw.
Check Point says that all versions of Android 5.0 (Lollipop) and 4.4 (KitKat) are vulnerable
to Certifi-Gate. This means that, according to Google's latest figures, a minimum of 57% of all
devices in use today are vulnerable. It is likely that earlier versions of the operating
system are also susceptible to this attack.
Android, which is the world's most popular smartphone operating system with an 80%
market share, is seen as a much more insecure platform than Apple's iOS, and one of the
reasons for this is fragmentation. A study published on Thursday (6 August 2015) shows
that there are more than 24,000 different Android smartphones and tablets on the market,
making it all-but-impossible to simultaneously update and patch the software.
When you add to that the fact that 5% of all devices are still running versions of Android
that were launched five years ago or more, the problem is not one that can be solved
any time soon.
Check Point has produced an app you can download to check if your Android device is
vulnerable to Certifi-Gate.