'Master key' to Android phones uncovered
Source: BBC News
4 July 2013 Last updated at 06:12 ET
A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.
The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.
The loophole has been present in every version of the Android operating system released since 2009.
Google said it currently had no comment to make on BlueBox's discovery.
Read more: http://www.bbc.co.uk/news/technology-23179522
dkf
(37,305 posts)DJ13
(23,671 posts)dkf
(37,305 posts)Funny how all the news is coming internationally nowadays. WAPO would be almost irrelevant without Snowdens leaks. Even the downing of Morales plane was almost invisible in the US press.
DJ13
(23,671 posts)Our system is corrupted by corporate interests.
Posteritatis
(18,807 posts)It's on the list of topics for one of the major computer security conferences taking place next month, which means at least some of the researchers knew for a few months prior.
Helen Borg
(3,963 posts)It would not be surprising at all, given all the latest revelations. It really changes the definition of "paranoia". How do you define "paranoia" in a world where spying is widespread and real?
dkf
(37,305 posts)It seems almost obvious that it would be a government in.
bemildred
(90,061 posts)so they can track us. Those laws, of course, will be selectively enforced against people who oppose the secret government, but us they will have plenty of time and money to track down.
williesgirl
(4,033 posts)back for full credit. Period.
dkf
(37,305 posts)Google may be worse if they deliberately engineered this.
sir pball
(4,758 posts)At best, you can expect a "We are aware of the problem and taking steps to rectify it", be it from Google, MS, Apple, IBM or any other company. It's the way the tech world turns - I suspect an "explanation" could open them to liability especially seeing as how Android (at least the Google part) is released under the Apache software license which openly states (caps original, bold added):
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
SoapBox
(18,791 posts)I would NEVER use an Android product. Never.
They are a slime bag company, interested in getting any information (aka Facebook) about you (hell, who needs to worry about the NSA!) they can...and use Gmail? Ha! Never...the "Droid" stuff is SO subject to viruses, Trojans, intrusions, etc. that I hope millions have fun with that.
Spitfire of ATJ
(32,723 posts)I keep waiting for that headline.
Berlum
(7,044 posts)secondvariety
(1,245 posts)newest Apple app-Hack A Phone.
we can do it
(12,193 posts)i guess i'll wait before i start banking on my phone.
TM99
(8,352 posts)Right now this is a good thing. A security flaw has been discovered. Google now knows about it and will fix it.
It has nothing to do with data streaming to remote servers. It has everything to do with how apps function on the system. To exploit it, however, requires what the researcher in the last paragraph shares:
One other hurdle is that in order to catch out Android users, malicious hackers would have to get their booby-trapped version of a legitimate application on to the Google Play store, said security expert Dan Wallach in an interview with Ars Technica.
The other pertinent quote:
The danger from the loophole remains theoretical because, as yet, there is no evidence that it is being exploited by cyber-thieves.
Security issues like this are constantly being found in ALL major software company products. Just read more about the subject here:
http://en.wikipedia.org/wiki/Pwn2Own
No system is immune. Again this is a very good thing. It will be fixed and Android will return to good security....until another exploit is found.
dickthegrouch
(3,184 posts)" It will be fixed and Android will return to good security.." Android phones are currently under scrutiny by the FTC because they are not distributing updates fast enough.
Apple at least has a program of regular all-but-mandatory updates. Android has so many different phones and licensees that updates are the sole purview of the handset maker, and they don't consider poor security a good enough reason to make any. Just about every handset is a custom version of android and the testing requirements alone would cripple any manufacturer.
TM99
(8,352 posts)This is a fundamental security flaw in the Android base code in dealing with apps and signatures. Therefore, it will be fixed in the next point release of Android which phone manufacturers can then base their own versions off of. Google will have done their job. Now it is up to HTC, Sony, Samsung, etc.
Apple is closed and locked down. Sure, you supposedly get extra security - cough ahem jailbreaking cough cough - but at the price of a locked down walled garden. Android is open and therefore there is more freedom.
I have an iPod Touch with iOS and a Zenithink Tablet with Android 4.1. Both have their strengths and their weakness. With Android, however, I could easily root the device and take over security for myself. With iOS, I could jailbreak and did so, but it is still difficult to control what is happening.
longship
(40,416 posts)Calling it a master key makes it sound intentional.
It's an operating system bug which leaves Androids open to a particular attack. They happen. Just ask Microsoft. Hell, ask Linux developers!
They happen all the time with any complex system.
ThoughtCriminal
(14,049 posts)Yes! I'm a friend of his...
Egnever
(21,506 posts)key my ass
ElboRuum
(4,717 posts)It's called a "bug".
Click traffic needed, ergo, sensationalist headline.
TheBlackAdder
(28,211 posts)Computerworld Security has a better writeup of this issue:
http://www.computerworld.com/s/article/9240556/Android_flaw_lets_attackers_modify_apps_without_breaking_signatures?taxonomyId=17
This gave Google time to try and restrict their app store before this information went public.
sir pball
(4,758 posts)From the CW article:
Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.
Android's big "security hole" (and it's the same one that Windows has always had) is the freedom to download and install apps independently of the vetted and secured Play Store by simply unchecking a box in the system settings. Any idiot can then run any malware they can be tricked into installing - just like how your computer-illiterate cousin downloads all those cute mouse pointers and funny faces for the instant chat on Windows and then wonders why their bank account is empty..
TM99
(8,352 posts)However, with freedom comes responsibility. For most simple Android users, they never even venture beyond the GooglePlay Store let alone rooting their devices. This is not dissimilar to the majority of iPhone, iPad, and iPod users who never jailbreak their devices and therefore use Cydia.
If you have done those things, and you are savvy enough to use apps from other sources than GooglePlay, then you need to be equally savvy enough to watch out for malware, trojans, and viruses. N'est pas?
sir pball
(4,758 posts)"The Play Store says we're too AWESOME, so if you want this awesome app that lets you call for free/put funny smilies in your texts/see boobies, all you need to do is go to Settings -> Security -> Allow Unknown Sources!"
I'm not necessarily arguing against allowing sideloading, just pointing out that making it overly easy is a huge ID-ten-T security risk. Google does tend to sort of look the other way when it comes to rooting, maybe they should eliminate sideloading just to make sure that people who want to do it have to meet some basic standard..
TM99
(8,352 posts)for the lowest common denominator of computer user, we are left with appliances and not tech devices.
I don't want an appliance that tells me how to use it, when to use it, where to use it, and allows me no freedom to use the computer as I would any other 'object' I own. I can mod my car. Am I knowledgeable enough to do so without hurting myself? Yes, in my case. But in others no.
Google will never eliminate side-loading. And I am grateful for that. If someone has used a computer at all in the last decade then they understand the risks of malware, trojans, and viruses. If they mess up, then they mess up and learn from the mistakes.
Now I would agree with a standard for any tech usage, however, that boat has sailed.
sir pball
(4,758 posts)When your phone has your name, address, SSN, and bank and credit card info on it - it becomes an "appliance" that IMHO does in fact need to be dumbed down and secured completely. Not that breaking the lock should be trivial - I'm thinking along the lines of kiddie locks for cabinets, those cheap plastic loops that even a developmentally-disabled adult could open...but even they would have enough sense to not drink the pretty blue water contained therein.
Sadly...a lot of people just aren't that smart when it comes to tech. "If someone has used a computer at all in the last decade then they understand the risks" - dude, srsly?
I do think that "breaking out" should be trivially easy - but it should be just hard enough to keep the "pretty mouse pointer and cute smiley faces for my IM" crowd in the safe padded room they belong in.
TM99
(8,352 posts)After all, we had addresses, SSN's, and bank and credit card information long before we had cellphones and iPads.
And yes, I am very serious. In the last ten years, the number of large-scale viruses that have impacted Windows and Mac OS X have been all over the news, cost corporations millions, and have caused a boom in anti-virus application sales. They don't need to be 'tech geniuses' but yes, people do need to learn from that past experience.
We will always disagree because I do not see computers in whichever form they take as appliances similar to a toaster or TV -- plug it in, press a button, and wait for the result. If there are risks at all involved, from privacy issues to security issues, (which covers iDevices, laptops, and desktops) then they need to be treated more like cars. We do not allow people to drive until they know how to do so. They must have this knowledge in order to successfully use the vehicle safely. Of course, many still don't and pay consequences but we do start with a baseline.
Instead of putting up a wall that users must break out of, just spend that time and money on educating users so they can use the devices. Rooting and jailbreaking are not dangerous though they do come with responsibilities - no different than using Windows 7 or Mac OS X.
I will always fall on the side of education and awareness over control and dumbing down. To do that in one area leads as we are seeing to all areas.
Sunlei
(22,651 posts)Once some clever person has their hands on a new app, it must be pretty easy to code a hook.
sir pball
(4,758 posts)This is a bug in the underlying OS that lets attackers add code to an installed apk without changing the hash - if you don't follow, it's like changing the DNA of a white blood cell to something virulent, without changing the outer membrane so your immune system doesn't see it. It's sounds like a somewhat deep-magic vulnerability based on some very low-level OS flaws, which by nature are usually highly critical and go unnoticed for years.
Sunlei
(22,651 posts)They have been doing this for a very long time. Started way back with a lot of the first online games.
Besides apps, games,I also think tracking cookies, general cookies are a huge security issue.
ileus
(15,396 posts)be included in Ios and Android...