Latest Android phones hijacked with one-shot Chrome exploit

theregister.co.uk

92 points by TrolTure 10 years ago · 45 comments

Maarten88 10 years ago

Am I alone in being amazed that we still have not experienced an Android worm or virus shutting down all mobile networks globally for a few days? I remember Slammer, which brought down many corporate networks and severely impacted all internet traffic. With all these unpatched phones and so many vulnerabilities it seems a matter of time before something like this happens on a grander scale in mobile networks.

Would it be that the bad guys have become smarter and there is more money in silently p0wning devices? Or is network management able to stop such events from happening nowadays?

  • cptskippy 10 years ago

    Corporate networks 10-15 years ago were like the Canadian-US border, whereas today they're more akin to the North Korean-South Korean border.

    10-15 years ago everything was on the same LAN except for the handful of web servers you might have plugged into the DMZ port of your firewall and every client was implicitly trusted. Today we have VLANs for everything and segmentation is done purely for organization aesthetics. Switches can dynamically provision ports based on the client connected. Wired clients and wireless clients reside in different segments with different restrictions. Open network ports in unsecured areas, like conference rooms, are on highly restricted VLANs. I've even seen segmentation based on client MAC addresses where unknown devices were just routed back to themselves for everything.

    Back then email servers accepted connections from anyone and would relay just about anything, no questions asked; today email servers are locked down and very suspicious of one another, with DNS records (SPF, PTR) for verification.

    There are security appliances sitting on the edges of networks monitoring all inbound and outbound traffic, as well as appliances in the network watching the to and fro. We have software clients sitting on desktops monitoring traffic and blocking malicious or harmful requests as well. Software firewalls are now standard and turned on by default.

    On top of all that, mobile networks are distributed, with each cell tower being its own insular network with a secure WAN connection over an ISP back into the central network, with all manner of port filtering in place.

  • TACIXAT 10 years ago

    I think it makes sense. Let's pretend that I find an iOS exploit. I can brick 50% of Apple devices or I can sell it for a million dollars. I'd rather be a millionaire than risk prison.

  • segmondy 10 years ago

    Blackhats are no longer in it for the mischief but more for the profit.

devit 10 years ago

This is why you should use Firefox for Android: it's a great browser (even offering extensions such as uBlock Origin), but it has very little marketshare and is thus unlikely to be attacked.

This is also part of the reason a frequently updated Android distribution (Nexus or CyanogenMod) might in fact be more secure than iOS, where you are forced to be vulnerable to Apple's Webkit engine.

The same reasoning also applies to such updated versions of Android: the vast majority of people use outdated Android versions, so it's less likely that people would bother developing exploits for the latest Android version, as opposed to the latest version of iOS.

Obviously this is a self-defeating prophecy, but hopefully a proper securely isolated mobile OS will become available before things change.

  • ams6110 10 years ago

    I tried it on my Android phone a while ago, and my (unscientific) conclusions are that it's slower, more resource intensive, and drains the battery faster than using the default Chrome browser.

  • AdmiralAsshat 10 years ago

    The article made it sound as though the vulnerability was in Javascript V8 itself. In which case, if Firefox supports it, wouldn't it be just as vulnerable?

    • epmatsw 10 years ago

      AFAIK Firefox on Android doesn't run on V8, it uses the usual Firefox JS engine

  • UnoriginalGuy 10 years ago

    I use Firefox for Reddit.com (Chrome keeps freezing when I hit the [-] buttons on long comment threads); but holy heck does it drain battery like crazy.

    I could use Chrome or Chrome Beta all day long and my phone doesn't get hot and the display is the biggest battery hog, I run up Firefox and the thing turns noticeably hot and Firefox overtakes the display for battery usage.

  • blisterpeanuts 10 years ago

    So, are there more exploits for iOS out there? I had the impression that Android has more. Also, this particular one is a browser JavaScript problem that affects multiple android versions, is it not?

    • mtgx 10 years ago

      > So, are there more exploits for iOS out there? I had the impression that Android has more.

      But that was his point - he was referring to Nexus-only (or CyanogenMod), not "Android", where 87% of the devices are vulnerable to at least one of the 11 vulnerabilities tested below, because of their lack of (fast) updates:

      http://androidvulnerabilities.org/

      • blisterpeanuts 10 years ago

        He said:

        a frequently updated Android distribution (Nexus or CyanogenMod) might in fact be more secure than iOS, where you are forced to be vulnerable to Apple's Webkit engine.

        I took that to mean that Apple devices are more vulnerable because they are infrequently updated, as compared to Android. Google and its partners do release fairly frequent (every 3-4 months) dot releases of webkit, Chrome, and the entire OS, to add features and address vulnerabilities.

        By contrast, Apple's release schedule is rather monolithic and their superior security is based on a more tightly controlled platform.

    • gcb0 10 years ago

      Android has more if you're on the bleeding edge and installing fart apps.

      If you're on 4.4 with Firefox + NoScript you're fine. iOS won't let you have a setup like that...

Spittie 10 years ago

Play Services have a way to install applications in the background (http://stackoverflow.com/questions/23695170/how-to-install-a...) that does a signature check, and refuse to work if the request didn't come from a Google App. Maybe they found a way to call that from Chrome's v8?

What makes me think so is that they claim to have installed a "BMX Game" (which I guess is on the Play Store), and I don't see any claim of it being automatically launched after the installation (Android >2.3 should block that).

That would be much better for Android than the alternatives. As far as I can tell, applications can only install stuff in the background if they are system applications (live in some /system subfolder, which Chrome does when preinstalled/installed from a GAPPS package) AND declare the "INSTALL_PACKAGES" permission in their manifest (Chrome doesn't).

That should be the only way, apart from getting root (but I guess they would have just said "we got root" then).

EDIT: Obviously all of this is just a guess. I'm just happy that there is no Chrome on my phone :) (but the WebView on Android 5.1 is based on Chromium - so I wonder if that's exploitable as well?)

gcb0 10 years ago

I never understood why even tech people are OK using phones like clueless people used computers in the 90s.

vendor toolbars and bundled applications? check. saved logins on banks and everything else? check. no firewall? check. ads everywhere? check.

get your crap together, everyone.

  • x1798DE 10 years ago

    Do you know people who actually do this? I'm deeply uncomfortable when I get a new phone that doesn't have a CM / custom ROM out yet, because I need to be able to lock everything down myself. I assumed other tech literates did the same.

    • gambiting 10 years ago

      Really? I am the exact opposite. A few years ago I would always run a custom firmware on my Android phone; now I wouldn't touch a rooted phone with a bargepole. Mostly because none of my bank apps work on rooted phones, but also because CM was always an unstable affair for me - fantastic at the beginning, more and more annoying the longer I use it. The "customization" (which I used once to change some icons) is simply not worth the loss of stability.

      • heroh 10 years ago

        You run your devices without any care for all the background datamining, constant analytics, access to your PII, Facebook social graph etc.? You oughta be ashamed of yourself.

headmelted 10 years ago

Even by Android standards, this is pretty shocking.

Being that this is a one-shot exploit that the author believes will work on any Android with the latest Chrome makes it doubly so.

I'd also be more concerned that the exploit is described as targeting V8 specifically, considering how widely it is being used out of the browser these days.

  • mccr8 10 years ago

    Browsers are likely the only place people are using v8 to run arbitrary hostile code.

rusbus 10 years ago

Not too surprising, considering the level of complexity in a modern browser and javascript engine I suppose. I wonder if the next generation of phone operating systems will have something more akin to a true exo or micro kernel to help mitigate these sorts of attacks.

  • pjmlp 10 years ago

    iOS and Windows Phone architecture are already much better than Android in this regard.

    Also Symbian had a relatively good security architecture, with its micro-kernel and the permissions model introduced in S60 v3.

    Android security lags behind, because Google doesn't want to force OEMs and providers to provide updates. Additionally the OS architecture makes it pretty easy to extract an APK and reverse engineer it, even if written with the NDK.

    But in any case, the best exploits are social and there isn't any help there.

    Most of the users get p0wned trying to find stuff for free in dubious sites, and installing it, instead of paying for the real deal.

    • fpgeek 10 years ago

      > Android security lags behind, because Google doesn't want to force OEMs and providers to provide updates.

      What do OEM updates have to do with a security hole in Chrome? Despite all the merger chatter, Chrome isn't an OS-level part of Android the way it is with ChromeOS.

      The exploit sounds serious, but once the Chrome team understands it and comes up with a fix, all Google needs to do to deploy it is publish a new version of Chrome on the Play Store. I suppose they could add a nudge or two via Play Services (or otherwise) if people aren't installing the new version, but, in any case, that's nowhere near the effort required to get an OS update out (and neither OEMs nor carriers can block the fix).

      • pjmlp 10 years ago

        First of all, I was replying to " I wonder if the next generation of phone operating systems will have something more akin to a true exo or micro kernel to help mitigate these sorts of attacks."

        Second, most mobile users use whatever app is labeled as "Internet" on their phones and tablets. Only savvy users get to install Chrome.

        Third, anyone using an Android system older than Lollipop won't get WebView updates.

        So on those devices a Chrome update is indeed an OS update.

    • brazzledazzle 10 years ago

      >Google doesn't want to force OEMs and providers to provide updates

      I think you're assuming a lot about the relationship's power dynamics and what contracts are at play that may have been written quite a while ago. Also forgetting that more often than not it's the telco that's blocking or bottlenecking updates. The reason Apple was able to do what it did is because they provided the software and hardware and were able to leverage the demand for it against the likes of Verizon (probably the most notorious blocker of updates no matter how critical they might be).

      • pjmlp 10 years ago

        I used to work for a famous Finnish company with its seat in Espoo.

        • brazzledazzle 10 years ago

          Wink, wink. I suppose that's about my first point though. What about the second?

          • pjmlp 10 years ago

            They just needed to change the license how licensees are allowed to use Android.

            If OEMs or telcos would lose the legal right to ship phones with Android if the updates weren't provided within a specific SLA, then they surely would comply.

            As an example how to put telcos in line, in the early days that mobiles started shipping with wlan support, Vodafone tried to sell N95 with wlan and VoIP support disabled on their firmware. Eventually they had to provide a full working N95, if I remember correctly.

            I doubt that nowadays they would go back to develop their own OSes.

    • ocean3 10 years ago

      How does reverse engineering affect security?

_yy 10 years ago

Does Google Chrome have a sandbox on Android?

blindfly 10 years ago

Will this impact NodeJS which is built on the V8 engine?

  • johncolanduoni 10 years ago

    I doubt it. It likely requires running a specialized script, and if you are running arbitrary JS on your NodeJS server/app you are already in trouble.

josteink 10 years ago

Happy Android and Firefox user calling in.

My Nexus is still safe :)

  • vetinari 10 years ago

    I'm also using Firefox on Android (because it is the only mobile browser that supports extensions).

    However, the desktop Firefox regularly tops my 'Apps using significant energy' list, even when idling.

  • sprkyco 10 years ago

    What is the logic to responding to security disclosures like this? In the Reddit world this is called shit-posting. Security bug A affects product B (or C-F); someone always responds "at least I use G or H on Z! Thus, I am immune from this particular security issue!" Genuinely interested in why anyone bothers posting this nonsense.

    • josteink 10 years ago

      It may come off as shit-posting, but I decided to reply as I did to highlight something important:

      On Android anyone can implement a browser, have users download it, and make it the system default. On Android you don't need to end up with a Google monoculture, whereas on iOS you do have to accept the Apple monoculture.

      The bug report says "all Android devices affected", which is factually incorrect. Mine never was, because mine never ran Chrome in the first place. And this was a Chrome bug.

      On Android users have a choice. Whoever wrote this article does not seem to understand that, nor the implications of it.

      Thus my post. Does that sound more reasonable?

      • sprkyco 10 years ago

        Can you cite "all Android devices affected"? Cannot find this particular quote in this or any other article. Also what bug report? I found this article and other articles cited, but no bug report from Google or the researcher as of yet.

        The article does state "The vuln being in recent version of Chrome should work on all Android phones;" which is factually correct.

        This is a "Chrome" bug in so much as the Chrome browser uses the V8 Javascript engine. However, this particular bug could have other consequences as it is stated in this article and others that the bug in fact occurs in the V8 Javascript Engine which is used in Nodejs, Mongo and others.

        So, no, none of your comments sound reasonable.

  • mccr8 10 years ago

    All browsers have vulnerabilities.
