Stories
Slash Boxes
Comments

SoylentNews is people

New Vulnerabilities Affect Over 900 Million Android Devices, Enable Complete Control of Devices

posted by janrinok on Monday August 08 2016, @06:49PM   Printer-friendly
from the oops dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

QuadRooter Android vulnerabilities affect devices that are built on the Qualcomm chipset, a supplier of 80% of the chipsets in the Android ecosystem. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations and gain root access to a device, enabling them to change or remove system-level files, delete or add apps, and access the device's screen, camera or microphone.

Source: https://www.helpnetsecurity.com/2016/08/08/quadrooter-android-vulnerabilities/

Original Submission

 
This discussion has been archived. No new comments can be posted.
New Vulnerabilities Affect Over 900 Million Android Devices, Enable Complete Control of Devices | Log In/Create an Account | Top | 19 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by pendorbound on Monday August 08 2016, @07:03PM

    by pendorbound (2688) on Monday August 08 2016, @07:03PM (#385419) Homepage

    "Over 900 million Android devices are now rootable, with a bit of work."

    • (Score: 2) by bob_super on Monday August 08 2016, @07:11PM

      by bob_super (1357) on Monday August 08 2016, @07:11PM (#385422)

      "Crap, Four of my [redacted] list may get closed on the 2% of devices which do get updates"

  • (Score: 2) by dltaylor on Monday August 08 2016, @09:07PM

    by dltaylor (4693) on Monday August 08 2016, @09:07PM (#385458)

    HTC's tool for "ROM" firmware removal first wipes all data and settings, which take a lot of work to restore. If I could get a back-door root access through ssh, or something, then I could remove the crapware without disturbing the data I wish to preserve (mostly address book and text messages; I've offloaded all of the pictures).

    • (Score: 2) by NCommander on Monday August 08 2016, @10:02PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday August 08 2016, @10:02PM (#385491) Homepage Journal

      And that's why this sort of shit is bad. Because if you can break in, someone else can. Root your phone before using it seriously to avoid this kind of pain.

      I will never understand why when a iOS jailbreak in userland comes along people go "yay" when the right response should be "oh shit"

      --
      Still always moving

      • (Score: 1, Insightful) by Anonymous Coward on Monday August 08 2016, @10:11PM

        by Anonymous Coward on Monday August 08 2016, @10:11PM (#385501)

        I will never understand why when a iOS jailbreak in userland comes along people go "yay" when the right response should be "oh shit"

        Because the reality is that for the people in question the chances of a hacker pwning their phone isn't actually that high while Apple/Google has already pwned their phone. Stuff like jailbreak lets those people pwn their own phone.

      • (Score: 2) by bob_super on Tuesday August 09 2016, @12:25AM

        by bob_super (1357) on Tuesday August 09 2016, @12:25AM (#385557)

        Meanwhile, my bank keeps nagging me about using their wonderful app ...

  • (Score: 1, Insightful) by Anonymous Coward on Monday August 08 2016, @09:16PM

    by Anonymous Coward on Monday August 08 2016, @09:16PM (#385466)

    There goes all of India. And China.

    How did we get a Linux based OS to be like the next Windoze?

    • (Score: 2) by Hyperturtle on Monday August 08 2016, @09:38PM

      by Hyperturtle (2824) on Monday August 08 2016, @09:38PM (#385479)

      Well... if you got what you paid for with Android, I hope the hardware is good.

    • (Score: 2) by LoRdTAW on Monday August 08 2016, @10:25PM

      by LoRdTAW (3755) on Monday August 08 2016, @10:25PM (#385511) Journal

      How did we get a Linux based OS to be like the next Windoze?

      Shit userspace engineering. Redhat/Linux and Android/Linux are the two biggest turds spoiling the Linux ecosystem.

    • (Score: 2) by stormwyrm on Monday August 08 2016, @11:48PM

      by stormwyrm (717) on Monday August 08 2016, @11:48PM (#385545) Journal
      By leaving updates up to manufacturers whose best interest is in getting you to buy their next new and shiny, removing any incentive for them to update the devices you buy from them to fix vulnerabilities like this. Google could mandate that anyone who wants to use the Android trademark to describe their devices must provide updates for at least two years, and that might mitigate the issue, but I don't know that if they did this it would go over well. Google seems to be in matters like this at the mercy of the larger manufacturers like Samsung, who would, I think, just give Google the middle finger and stop describing their phones as Android phones if they tried to pull something like this, or migrate all their devices to Tizen out of spite.
      --
      Numquam ponenda est pluralitas sine necessitate.

    • (Score: 3, Informative) by choose another one on Tuesday August 09 2016, @11:22AM

      by choose another one (515) Subscriber Badge on Tuesday August 09 2016, @11:22AM (#385718)

      How did we get a Linux based OS to be like the next Windoze?

      By winning the popularity contest and making it the biggest target.

      For years some people have been saying that Linux was inherently more secure than Windows by design - they are (and were) wrong.

      The relative amount of malware and vulnerabilities for Linux and Windows on the desktop reflects the relative popularity - nothing more. On phones the situation is reversed, and lo and behold Windows Phone is really secure, because... no one cares.

      [There is a dissenting opinion, e.g. http://betanews.com/2015/06/11/windows-phone-security-is-top-notch-says-kaspersky/ [betanews.com] , which implies that MS is actually better at security than Linux but we'll ignore that because open source just can't be less secure than proprietary by design...]

    • (Score: 0) by Anonymous Coward on Tuesday August 09 2016, @04:03PM

      by Anonymous Coward on Tuesday August 09 2016, @04:03PM (#385812)

      Thanks to Redhat and Pottering, I've been saying that about Linux in general.

  • (Score: 2) by Celestial on Monday August 08 2016, @11:46PM

    by Celestial (4891) on Monday August 08 2016, @11:46PM (#385544) Journal

    That Windows 10 Mobile actually made a dent in the mobile market. Then it would be two out of three mobile operating systems that actually gets timely software updates, and would maybe... just maybe... give Google, Samsung, LG, et al. the push it needs to actually update the software on Android smartphones once in a while. As it is now, there just is no incentive for them to do so. "Phone out of date? That'll be $600 for a new phone, please."

    • (Score: 0) by Anonymous Coward on Monday August 08 2016, @11:53PM

      by Anonymous Coward on Monday August 08 2016, @11:53PM (#385549)

      As it is now, there just is no incentive for them to do so

      Because no one wants that shit on their phone.

    • (Score: 1) by claywar on Tuesday August 09 2016, @12:37AM

      by claywar (3069) on Tuesday August 09 2016, @12:37AM (#385565)

      The software is being updated, however the real issue is that vendors don't feel the need to push those updates. I agree that at certain breakpoints, old hardware should not receive functional upgrades, however security is a completely different matter.

    • (Score: 2) by joshuajon on Tuesday August 09 2016, @08:43PM

      by joshuajon (807) on Tuesday August 09 2016, @08:43PM (#385943)

      Google does update their software. Nexus phones get at least a monthly security update, and other updates periodically as well. It's the vendors that drag their feet because they don't want to have to test every update against their shitty customizations and bloatware.

  • (Score: 2) by NotSanguine on Tuesday August 09 2016, @07:52AM

    by NotSanguine (285) <reversethis-{grO ... a} {eniugnaStoN}> on Tuesday August 09 2016, @07:52AM (#385679) Homepage Journal

    A better article on this issue is at Threatpost [threatpost.com].
    CVE: 2016-5340 [mitre.org]

    More detail on the vulnerability can be found here:
    https://www.codeaurora.org/invalid-path-check-ashmem-memory-file-cve-2016-5340 [codeaurora.org]

    Patch can be found here:
    https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=06e51489061e5473b4e2035c79dcf7c27a6f75a6 [codeaurora.org]

    Note that while un-patched devices are vulnerable, exploitation requires that you (or someone in possession of your device) installs a malicious app.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr

  • (Score: 0) by Anonymous Coward on Tuesday August 09 2016, @02:02PM

    by Anonymous Coward on Tuesday August 09 2016, @02:02PM (#385755)

    If you don't root your phone, somebody else will.