Android owners urged to switch off MMS after Stagefright scare

29 Jul 2015
Turn off MMS to mitigate Stagefright flaw

Android users are being warned to switch off the MMS (Multimedia Messaging Service) features on their phone following the discovery of the Stagefright exploit that has left up to 95 percent of all Android devices open to attack by hackers.

Simon Mullis, global technical leader at FireEye, told V3 that the flaw is very serious and that individuals and businesses must be aware of the threat.

“The sheer range and number of devices and therefore end-users affected, and the fact that no user interaction is required to become compromised, make this a very serious set of vulnerabilities indeed,” he said.

“Stagefright represents significant risk to the individual end-user. The contents of your phone are ripe for abuse (think photos, camera, contacts etc). It represents a more significant risk to organisations that allow BYOD free-run on their networks.”

Mullis added that, given patches are unlikely to arrive any time soon, users should switch off MMS to reduce the risk.

“The final straw is that it’s estimated that this has been around for five years. You can be sure that phone makers are hurriedly releasing patches for this as soon as they can. In the meantime, maybe you should switch off all MMS,” he said.

Meanwhile, Jeremiah Grossman, founder and CTO of WhiteHat Security, warned that Stagefright has the potential to create “a fast spreading worm” which would be a first for mobile platforms.

Grossman also noted that Google’s inability to roll out a blanket fix for the problem further increases the risk to device owners.

“What’s challenging here is that each Android handset manufacturer has to deploy their own patch, even though Google has already updated the main Android codebase to fix the issue,” he said.

“Many Android handset manufactures don’t have the best reputation for making the latest and greatest security patches available, quickly or ever. So, odds are, there are going to be a lot of vulnerable Android phones for quite some time.”

Furthermore, Ken Westin, senior security analyst at Tripwire, noted that older devices may not receive a fix at all.

“This particular vulnerability is also very widespread, going back to Android version 2.2 which was released five years ago. Some of these devices may not have patches available through their carriers as their devices are too old and no longer supported, he said.

“Consumers can stop using the Hangouts messaging app to mitigate some of the risks, but other than that they will need to wait for an update to be made available for their device.”

Google declined to comment when asked by V3 whether it has a timeline in place for a patch release to users.

The Stagefright vulnerability was uncovered by a security researcher at Zimperium Labs. The flaw affects almost all Android devices, putting some 950 million at risk.

Zimperium Labs explained in a blog post that the attack works by sending an MMS to a mobile containing a specially crafted media file. This can gain access to the Android source code without any user interaction.

“These vulnerabilities are extremely dangerous because they do not require the victim to take any action to be exploited,” the firm said.

“Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. If Heartbleed from the PC era sends a chill down your spine, this is much worse.”

The image below from Zimperium shows how easily the attack can be carried out.

screen-shot-2015-07-28-at-10

Android hardware running versions prior to Jelly Bean, roughly 11 percent off all devices, are said to be the most at risk owing to a lack of recent software updates and maintenance.

Zimperium did not release specifics on how the attack works, but Joshua Drake, vice president of platform research and exploitation at the firm, who uncovered the flaw, will explain more at Black Hat USA on 5 August and Defcon 23 on 7 August.

Researchers at Zimporium, in collaboration with Google, released a patch on discovering the flaw and reported that Google applied the patches to internal code branches within 48 hours.

However the team warned that the patch rollout to consumers could be slow and that devices older than 18 months are unlikely to receive a patch at all.

A Google spokesperson told V3 the company is aware of the vulnerability.

“This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.”

“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat,” the spokesperson said.

Chris Wysopal, CTO at security company Veracode, said that the flaw is very serious, referring to it as “Heartbleed for mobile”.

“These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS,” he explained.

All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over.

“Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch.

“This would leave a big window for an attacker to reverse-engineer the first patch issued by whichever party to create an exploit that would impact any device.”

Security expert Graham Cluley also lamented the fact that users will be at risk until patch updates are pushed out.

“History, sadly, has often shown us that older Android devices are left stranded without an easy path for OS updates,” he said.

“This is a serious problem which, bearing in mind the regularity that critical security vulnerabilities are found in versions of Android, really needs to be fixed.”

Article taken from V3. View the original here: http://www.v3.co.uk/v3-uk/news/2419525/heartbleed-for-mobile-stagefright-android-security-flaw-puts-950-million-devices-at-risk