StageFright Flaw/Bug

#1
Forum Member
Join Date: Oct 2005
Posts: 15,308
StageFright Flaw/Bug
Hi,
First read about the Stagefright flaw in Android OS in June of this year. Basically, this flaw/bug can allow a hacker to take control of your Android phone via an infected MMS, and apparently you wouldn't even know about it, allowing a hacker in at system level on your phone. This bug is being taken very seriously.

Zimperium, who discovered the flaw, recently made available a Stagefright Detector app that could be downloaded (www.snipca.com/17949) to your Android device. Once downloaded, run the app and it will analyse your device and tell you if you are vulnerable to such an attack. For Samsung phones there is a patch supplied within the above download that allows owners to switch off MMS for some versions of the Android OS, a weakness for this kind of attack if I understand correctly.

When I downloaded the Detector App on to my Galaxy Note 3 it revealed my phone was vulnerable, giving me 6 CVE warnings, 5 in red, one in green. Presumably the one in green means the phone is not vulnerable to a particular attack but the rest mean the phone still is. My phone is still running Android Version 4.4.2. I could upgrade to Lollipop 5 but I believe there are issues with this version so am waiting for LP 5.1.1 should it be available. However, StageFright could attack these versions of the OS.

Unfortunately the detector app gives no clear instructions how to further resolve the above vulnerabilities shown on my phone and I was wondering if anyone could advise?

#2
Forum Member
Join Date: May 2002
Location: Crystal Palace TX
Posts: 19,702
Almost all Android devices are vulnerable to this. Just disable MMS on your phone, and you're unlikely to have any problems.

#3
Forum Member
Join Date: Mar 2000
Location: This forum
Posts: 3,392
Quote:
Unfortunately the detector app gives no clear instructions how to further resolve the above vulnerabilities shown on my phone and I was wondering if anyone could advise?
What Stagefright shows is that Google didn't design a proper patch management system into Android. They left it up to each vendor and the vendors don't care once they've sold you a phone. (I mean Samsung, HTC, Motorola etc, not EE, Vodafone, O2). Google are to blame, and in my view, this is the tip of the iceberg for Android. All IT systems connected to the internet need to be patchable.

#4
Forum Member
Join Date: Sep 2003
Location: Bristol (BBC1 West)
Posts: 15,143
Quote:
Google are to blame, and in my view, this is the tip of the iceberg for Android. All IT systems connected to the internet need to be patchable.
Unfortunately, like most consumer electronics devices, the manufacturers don't have any reason to release updates for anything other than their current models.

#5
Forum Member
Join Date: Oct 2005
Posts: 15,308
Quote:
Almost all Android devices are vulnerable to this. Just disable MMS on your phone, and you're unlikely to have any problems.
I have disabled MMS but what are the CVEs in red and what can I do about them and how do I go about doing it?

#6
Forum Member
Join Date: Mar 2000
Location: This forum
Posts: 3,392
Quote:
Thanks,
I have disabled MMS but what are the CVEs in red and what can I do about them and how do I go about doing it?

#7
Forum Member
Join Date: Mar 2000
Location: This forum
Posts: 3,392
Quote:
Android is completely patchable. It's down to manufacturers to get updates out to users.
It's been shown not to work for the major updates, lots of Android handsets never get any updates!
Quote:
Unfortunately, like most consumer electronics devices, the manufacturers don't have any reason to release updates for anything other than their current models.
Not really the case, but Windows, Linux and Mac computers have had updates for over 10 years. Phones are just small computers running an operating system. Google were inexperienced and didn't realise what they were doing. Even your Sky+HD or Virgin Media box gets updated automatically over the 'air'.

#8
Forum Member
Join Date: Sep 2003
Location: Bristol (BBC1 West)
Posts: 15,143
Quote:
And that is the problem. Imagine buying a Windows PC in PCWorld or John Lewis and having to wait for PCWorld to review the patch from Microsoft and then your broadband supplier to push it to your computer? It would never work.
It's been shown not to work for the major updates, lots of Android handsets never get any updates! Not really the case, but Windows, Linux and Mac computers have had updates for over 10 years. Phones are just small computers running an operating system. Google were inexperienced and didn't realise what they were doing. Even your Sky+HD or Virgin Media box gets updated automatically over the 'air'.
How can you make an open source operating system that imposes mandatory software updates on vendors? It's just not possible.

#9
Forum Member
Join Date: Mar 2000
Location: This forum
Posts: 3,392
Quote:
I don't see you suggesting a solution.
How can you make an open source operating system that imposes mandatory software updates on vendors? It's just not possible.
The solution is for Google to deliver updates directly, and bypass the lack of money in the vendor chain. Like Windows Update.

#10
Forum Member
Join Date: Sep 2003
Location: Bristol (BBC1 West)
Posts: 15,143
Quote:
Android isn't open source; that is a wish, not reality. The AOSP kernel is open source, but the Play Services and Google apps are not - and unless you're in China, try selling an 'Android' device without these (or Amazon's apps).
The solution is for Google to deliver updates directly, and bypass the lack of money in the vendor chain. Like Windows Update.
The parts that aren't open source are updated by Google, directly (through the Play Store). (This is what you think should happen). The parts that are open source aren't updated in that way.

#11
Forum Member
Join Date: Jul 2002
Posts: 1,458
As the manufacturers have modified Android for their phones - they have built a new OS that can only be patched by themselves.
I don't consider it Google's problem really - my Nexus gets updated pretty quick. Samsung and HTC etc should be doing the same instead of abandoning their products after release.

#12
Forum Member
Join Date: Oct 2005
Posts: 15,308
Quote:
You can't do anything about them - your vendor has to release a software update to close the holes.


