Tag Archives: Google Android

“Juice Jacking” remains a threat in 2017

While smartphones offer fast and convenient access to the internet, their battery life is a constant concern. Public phone charging stations at airports, on board planes, on public transport and in parks are now available to help with this.

However, Authentic8 employee Drew Paik, speaking at the RSA security conference during the week of the 13th of February 2017, highlighted the security risks associated with public charging points. He explained that the data stored on a phone is potentially accessible to an attacker who provides a rogue charging station; the attacker may use this opportunity to steal your data or install malware. At the conference he installed a charging station at the Authentic8 booth, and approximately 80% of people connected their phones without asking whether the charging port was safe.

How can I protect myself from this threat?
As the linked article highlights, this attack dates from 2011 (when it became known as “juice jacking”), with 2016 debuting a similar attack known as “video jacking”. Google Android phones provide a charge-only option when connected over USB, but Apple iPhones do not appear to offer this option.

If you are travelling with mobile devices and wish to charge them safely, you should use a portable USB battery pack or purchase USB cables which only charge devices rather than also allowing data access.

Thank you.

Protecting Your Smart TV From Ransomware

In mid-2016 a news article detailed the possibility for Android powered Smart TVs to be infected by ransomware. Last month that prediction came true.

To recover an affected TV, you should reset it to factory default settings. You may need to contact the manufacturer if the steps to perform the reset are not provided as part of the device’s documentation.

With 2017 predicted to break the record set in 2016 for ransomware, occurrences such as this will likely become more common.

Unfortunately, TV manufacturers are unlikely to pre-harden vulnerable devices before shipping them, due to compatibility concerns and increased costs (during manufacturing and in later support). To encourage use of their after-sales service, they are likewise unlikely to publish the key sequences or button presses needed to perform a factory reset.

The ransomware encountered by this software developer was “just” a screen locker; it didn’t also try to encrypt any connected USB drives. Separately, a Symantec security researcher published a helpful list of mitigations to protect against ransomware targeting Smart TVs.

Continuing the trend of protecting Internet of Things (IoT) devices (defined), I hope that you find the above mitigations useful. Please also refer to this previous blog post for more general advice on preventing ransomware infections on your everyday computing devices (non-IoT devices).

Thank you.

Blog Post Shout Out: Creating Passwords and Internet Privacy

This blog post shout out will focus on both security and privacy related issues.

While there has recently been a renewed focus on phasing out passwords, until that happens we need to continue to manage them.

The following article discusses (among other topics) managing passwords. It focuses on providing security while making passwords easier for users to remember. It also questions the need to change passwords so often and provides evidence to back this up.

All of this advice may be useful if you are trying to create or update your corporate password policy to make it more user friendly while still maintaining security.

How to hack the hackers: The human side of cybercrime by M. Mitchell Waldrop (Nature Journal)

================================
In an effort to preserve your privacy you may be using a VPN (defined) connection when browsing the internet using your computer or mobile devices.

However, as noted by F-Secure in this FAQ article, this may not be enough to fully protect your identity, since some information (namely your real IP address) can still be leaked via WebRTC traffic. Within that FAQ article they provide advice on how to prevent this leak in the most common web browsers.
================================
Related to the above topic of VPNs, using public Wi-Fi hotspots isn’t a good idea if you want to preserve your privacy as this Kaspersky article demonstrates.

While a VPN can assist with preserving that privacy when using a public Wi-Fi, it isn’t a perfect solution. For example, apps installed on mobile devices can still leak data as discussed in this article.

However, it is possible to better control such data leakage on Android and Apple iPhones. A guide to doing this for Android is available here.

For an iPhone, you can open Settings -> Mobile data and change the settings according to your preference. However, when you connect to a public Wi-Fi hotspot, the apps on the phone will begin new network connections or resume existing ones.

To minimise the amount of data leaked you should use a VPN (as I have already discussed above) on your mobile device. In addition, you should use the Low Power Mode option of your iPhone from Settings -> Battery. This setting halts background tasks, removes Wi-Fi access point associations, and prevents new emails from being received and automatic downloads from taking place. More information on this setting is available from here.

Next, turn on your VPN (Settings -> General -> VPN). A list of popular VPN providers is available here.

Using the above steps will help to minimise the amount of data leaked if you are privacy conscious and use an Android-powered device or an iPhone. Full disclosure: as you know I use an Android phone, so I haven’t intentionally provided more information/discussion on the iPhone.

I hope that you find the above references useful in maintaining your security and privacy. Many thanks to a colleague (you know who you are) for contributing the advice on using VPNs with mobile devices.

Thank you.

Google Releases Security Updates for Android (April 2016)

In the first week of April, Google made available a scheduled security update for their Android smartphone operating system. Android devices with a security patch level of April 2, 2016 include all of the fixes within Google’s most recent security advisory.

The April updates resolve 39 security vulnerabilities, more formally known as CVEs (defined), of the following severities:

====================
15x critical severity CVEs
16x high severity CVEs
8x moderate severity CVEs
====================

Why Should These Issues Be Considered Important?
On the 18th of March Google released an out-of-band (unscheduled) security update to resolve a local elevation of privilege (defined) vulnerability.

This vulnerability was present in the Android kernel (defined). The issue was used in a public exploit against a Google Nexus 5 and was detected by security firm Zimperium, who then reported it to Google on March 15th.

This issue was assigned a critical severity rating since it escalates privileges on a vulnerable Android device, which can lead to arbitrary code execution (instructions of an attacker’s choice being carried out) as well as permanent compromise of the device (which can only be resolved by re-flashing the device, as described in a previous blog post).

Other critical issues resolved by this update were present in the DHCP (defined) service known as DHCPCD. These could have been exploited by an installed malicious app to achieve arbitrary code execution. The remaining critical issues involved the Qualcomm Performance Module and RF driver (defined); exploitation would have allowed an attacker to run code with the same privileges as the Android kernel. Both of these issues, if exploited, would require re-flashing the affected device since they lead to a permanent device compromise.

Finally, 13 issues (of critical and high severity) that are related to the previous Stagefright vulnerabilities were also resolved. These vulnerabilities continue to arise due to the increased attention towards the MediaServer component of Android from security researchers after last year’s disclosure of the original Stagefright issue.


How Can I Protect Myself From These Issues?

Updates to resolve these issues were made available by Google on the 4th of April 2016. Manufacturers such as Samsung/LG etc. received these updates on the 16th of March.

As mentioned by Sophos you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in a previous post regarding Android updates, please ensure to only apply updates from your mobile carrier or device manufacturer.
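One way to check whether a phone has actually received the fixes from a given bulletin (this one, or the December/January and February/March bulletins discussed in the posts below) is to compare the security patch level the device reports against the bulletin date. The following shell script is an added example, not code from this blog post; it assumes adb is installed and USB debugging is enabled on the phone, and reads the Android system property ro.build.version.security_patch, which devices running Android 6.0 or later report as YYYY-MM-DD.

```shell
#!/bin/sh
# Added example (not from the blog post): compare an Android device's reported
# security patch level with the dates of Google's monthly security bulletins.
# Assumes adb is available and a device is attached with USB debugging enabled.

# Returns 0 when PATCH_LEVEL (YYYY-MM-DD) is on or after REQUIRED (YYYY-MM-DD).
# Anything that is not a well-formed ISO date (older devices before Android 6.0
# do not set the property, so the value may be empty) is treated as not covered.
patch_covers() {
  patch_level="$1"
  required="$2"
  case "$patch_level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  # Strip the dashes so the dates can be compared as plain integers (YYYYMMDD).
  have=$(printf '%s' "$patch_level" | sed 's/-//g')
  want=$(printf '%s' "$required" | sed 's/-//g')
  [ "$have" -ge "$want" ]
}

# Reads the patch level from the attached device; adb output ends in CR LF.
device_patch_level() {
  adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# Reports, for each bulletin date mentioned in these posts, whether the device
# already carries its fixes.
check_device() {
  level=$(device_patch_level)
  for bulletin in 2015-12-01 2016-01-01 2016-02-01 2016-03-01 2016-04-02; do
    if patch_covers "$level" "$bulletin"; then
      echo "patch level $level covers the $bulletin bulletin"
    else
      echo "patch level '$level' does NOT cover the $bulletin bulletin"
    fi
  done
}

# Only talk to a device when explicitly asked, so the functions above can be
# sourced or tested without a phone attached.
if [ "${1:-}" = "--device" ]; then
  check_device
fi
```

Run it as `sh check_patch_level.sh --device` (hypothetical file name) with the phone connected; a patch level of 2016-04-02 or later covers every bulletin listed.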

In my previous post discussing Android security updates, I mentioned that a single update to my Sony smartphone was made available on the 8th of March. At the time of writing I still have not received this update. As before, I hope that you are more successful with your phone receiving the appropriate update as soon as possible.

Thank you.

Google Releases Security Updates for Android (Feb and March 2016)

On the 7th of March Google released their scheduled security updates for their Android smartphone operating system. That update brings Android’s build number to LMY49H, while Android version 6.0 (known as Marshmallow) with a Security Patch Level of March 1, 2016 includes the appropriate fixes.

The March updates resolve 19 security vulnerabilities, more formally known as CVEs (defined), of the following severities:

====================
7x critical severity CVEs
10x high severity CVEs
2x moderate severity CVEs
====================

Moreover, the previous February updates addressed 13 CVEs of the following severities:
====================
7x critical severity CVEs
4x high severity CVEs
2x moderate severity CVEs
====================

That update brings Android’s build number to LMY49G, while Android version 6.0 (known as Marshmallow) with a Security Patch Level of February 1, 2016 includes the appropriate fixes.

Why Should These Issues Be Considered Important?
For the March update, 2 critical vulnerabilities in Mediaserver were fixed that could have allowed an attacker to use email, web browsing or an MMS message (defined) to deliver media files which, when processed, would have given them remote code execution (namely the ability to carry out any instructions/actions of their choice). The attacker would only have needed to know the victim’s phone number.

Another notable flaw is the elevation of privilege in Conscrypt that could allow an attacker to use an invalid digital certificate to carry out a man-in-the-middle attack (defined).

The critical issue in the Qualcomm Performance Component, if exploited, would allow an attacker to run code with the privileges of the Android kernel (defined). The same was true of the Kernel Keyring bug; Android version 5.0 and above are, however, not vulnerable to this flaw when the exploit attempt comes from a third-party app. If these flaws were exploited, a manual re-flashing (defined) of the operating system would be required to recover from them.

Within the February update a critical issue in the Broadcom Wi-Fi driver was fixed that could have been exploited by an attacker on the same Wi-Fi network by sending a malicious wireless control message packet (defined) to the phone, requiring no input from the user. The attacker could then run code with the same privileges as the Android kernel. Other critical and high severity vulnerabilities in the Qualcomm driver and Wi-Fi component respectively could have been exploited by an installed app to run code (have instructions carried out) with system privileges (defined).

How Can I Protect Myself From These Issues?
Updates to resolve these issues were made available by Google on the 1st of February 2016 and the 7th of March 2016. Manufacturers such as Samsung/LG etc. received these updates on the 4th of January and the 1st of February respectively.

As mentioned by Sophos you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in a previous post regarding Android updates, please ensure to only apply updates from your mobile carrier or device manufacturer.

You may recall that I discussed the security update process for my Android phone in a previous blog post. An update has been made available by Sony; it’s dated the 8th of March 2016 (notably it’s still Android version 5.0 rather than 6.0). My phone is still using a build of Android from October 2015. I am hopeful to receive this update by the end of the month or very soon afterwards. Sony’s website provides release notes for the update which state that it includes “The latest security enhancements”.

Given that Google have released preview versions of the successor to Android version 6.0 (Marshmallow), known as “Nutella”, sooner than expected, it’s unclear whether Sony will update my phone in the future to Marshmallow or Nutella or simply end-of-life my phone in favor of a newer model. I will update this post should my phone receive an update in the near future.

Thank you.

Google Releases Security Updates for Android

In early December 2015 and January 2016 Google made available further security updates for their Android smartphone operating system.

The December update addresses 16 security issues, all of which have been assigned CVE numbers (defined): 4x critical severity, 10x high severity and 2x moderate severity. That update brings Android’s build number to LMY48Z; Android version 6.0 (known as Marshmallow) with a Security Patch Level of December 1, 2015 or later addresses these issues. This update includes 2 fixes for security issues within libstagefright (both high severity) and 1 issue each within the Mediaserver (critical severity) and Media Framework (high severity) components.

Meanwhile the January update resolves 12 security issues (all assigned CVE numbers). When installed, that update shows build version LMY49F; as before, Android version 6.0 (known as Marshmallow) with a Security Patch Level of January 1, 2016 or later addresses these issues. This update includes a fix for a critical issue in the Mediaserver component.

Why Should These Issues Be Considered Important?
As part of the December update a critical issue within Mediaserver was resolved that could be exploited by a remote attacker to carry out any instructions/actions of their choice (remote code execution). Third-party applications could then be used to carry out the attacker’s actions with high privileges that they wouldn’t otherwise have. The issue can be exploited by sending specially crafted media files within MMS messages (defined) or by displaying those files on a specially crafted webpage. Similar critical issues (3 in total) in the Skia graphics engine and display driver can be reached by the same 2 means, in addition to email. The final critical issue would have allowed malicious apps to carry out actions with root privilege (defined), giving them full control over the smartphone.

For the January update, if the Mediaserver issue were exploited it could allow an attacker to use emails, websites or MMS messages containing specially crafted media files to remotely execute code (i.e. instructions or actions of their choice), due to a memory corruption issue corrected in this update. In addition, the critical issues corrected in the display driver (which interacts with the kernel at high privilege) and the Android kernel (defined) are serious: the kernel controls every piece of the phone’s hardware and, as the core of the Android operating system holding the highest level of privilege, it can be used to carry out any action.


How Can I Protect Myself From These Issues?

Updates to resolve these issues were made available by Google on the 7th of December 2015 and the 4th of January 2016. Manufacturers such as Samsung/LG etc. received these updates on the 2nd of November and the 7th of December respectively.

As mentioned by Sophos you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in a previous post regarding Android updates, please ensure to only apply updates from your mobile carrier or device manufacturer.

====
I followed this advice with my very recently purchased Sony smartphone which currently runs Android 5.0 (Lollipop). The Sony website shows that the latest build of Android they offer is already installed on my phone. The build is dated October 2015 (not shown in the image below). They do however show a logo below the build number that appears to suggest that at some time in the future the phone will receive Android 6.0 (Marshmallow). I have attached the image below:

[Image: Sony_Update, a screenshot of Sony’s software update page for the phone]

====

I also contacted my network carrier and they stated that the device can run these updated versions of Android and that there is no reason why it wouldn’t have received such updates (assuming auto-updates haven’t been turned off). As I said, it appears that I received such updates up to October 2015 (I purchased the phone in November). They stated that Marshmallow will be rolled out in the future but no other details were provided. Neither of these answers is perfect, and they clearly demonstrate that while updates are being made available by Google and are being provided to the mobile carriers, the update process (being used by the mobile carriers) needs to be streamlined for much faster deployment. I hope that you have better luck than I did.

Thank you.

Cisco Issues Security Update to WebEx Android App

Last week Cisco issued a security update for their WebEx Meetings Android App to resolve a severe permissions issue.

Why Should This Issue Be Considered Important?

This is a serious security issue that could lead to information disclosure and an elevation of privilege (defined) attack. It’s present in all versions of the app older than version 8.5.1. As Cisco discusses in its security advisory, this issue could be exploited by a remote attacker with no previous access to the app by tricking the user of the smartphone into downloading another app that exploits this issue within the WebEx app. If this were to happen, any information and permissions/access that the WebEx app has would then be available to the malicious app.

In addition, there are no workarounds for this issue. At this time Cisco has not seen any evidence to show that this issue has been used by attackers.

How Can I Protect Myself From This Issue?
Cisco have released an updated version of the WebEx app to address this issue. The updated app is available from this link (Google Play Store). Graham Cluley’s blog post also contains one further important piece of advice on staying safe when downloading apps or app updates.

Thank you.