StageFright Flaw/Bug
seacam
06-10-2015
Hi,

First read about the Stagefright flaw in Android OS in June of this year. Basically, this flaw/bug can allow a hacker to take control of your Android phone via an infected MMS, and apparently you wouldn't even know about it, allowing a hacker in at system level on your phone. This bug is being taken very seriously.

Zimperium, who discovered the flaw, recently made available a Stagefright Detector app that could be downloaded, www.snipca.com/17949 to your Android device.

Once downloaded, run the app and it will analyse your device and tell you if you are vulnerable to such an attack.

For Samsung phones there is a patch supplied within the above download that allows owners to switch off MMS for some versions of the Android OS, a weakness for this kind of attack if I understand correctly.

When I downloaded the Detector App on to my Galaxy Note 3 it revealed my phone was vulnerable giving me 6 CVE warnings, 5 in red one in green.

Presumably the one in green means the phone is not vulnerable to a particular attack but the rest means the phone still is.

My phone is still running Android Version 4.4.2. I could upgrade to Lollipop 5 but I believe there are issues with this version, so am waiting for LP 5.1.1 should it be available.

However StageFright could attack these versions of the OS.

Unfortunately the detector app gives no clear instructions how to further resolve the above vulnerabilities shown on my phone and I was wondering if anyone could advise?
psionic
06-10-2015
Almost all Android devices are vulnerable to this. Just disable MMS on your phone, and you're unlikely to have any problems.
jchamier
06-10-2015
Originally Posted by seacam:
“Unfortunately the detector app gives no clear instructions how to further resolve the above vulnerabilities shown on my phone and I was wondering if anyone could advise?”

Stagefright is a big problem for Android. Google have patched but the vendors are still rolling out patches incredibly slowly. Stagefright doesn't just affect MMS, it also affects video, pictures, and the files in the 2.0 version of the bug.

What Stagefright shows is that Google didn't design a proper patch management system into Android. They left it up to each vendor and the vendors don't care once they've sold you a phone. (I mean Samsung, HTC, Motorola etc, not EE, Vodafone, O2).

Google are to blame, and in my view, this is the tip of the iceberg for Android. All IT systems connected to the internet need to be patchable.
Daveoc64
06-10-2015
Originally Posted by jchamier:
“Google are to blame, and in my view, this is the tip of the iceberg for Android. All IT systems connected to the internet need to be patchable.”

Android is completely patchable. It's down to manufacturers to get updates out to users.

Unfortunately, like most consumer electronics devices, the manufacturers don't have any reason to release updates for anything other than their current models.
seacam
06-10-2015
Originally Posted by psionic:
“Almost all Android devices are vulnerable to this. Just disable MMS on your phone, and you're unlikely to have any problems.”

Thanks,

I have disabled MMS but what are the CVEs in red and what can I do about them and how do I go about doing it?
jchamier
06-10-2015
Originally Posted by seacam:
“Thanks,

I have disabled MMS but what are the CVEs in red and what can I do about them and how do I go about doing it?”

You can't do anything about them - your vendor has to release a software update to close the holes.
jchamier
06-10-2015
Originally Posted by Daveoc64:
“Android is completely patchable. It's down to manufacturers to get updates out to users.”

And that is the problem. Imagine buying a Windows PC in PCWorld or John Lewis and having to wait for PCWorld to review the patch from Microsoft and then your broadband supplier to push it to your computer? It would never work.

It's been shown not to work for the major updates, lots of Android handsets never get any updates!

Quote:
“Unfortunately, like most consumer electronics devices, the manufacturers don't have any reason to release updates for anything other than their current models.”

Not really the case, but Windows, Linux and Mac computers have had updates for over 10 years. Phones are just small computers running an operating system. Google were inexperienced and didn't realise what they were doing.

Even your Sky+HD or Virgin Media box gets updated automatically over the 'air'.
Daveoc64
06-10-2015
Originally Posted by jchamier:
“And that is the problem. Imagine buying a Windows PC in PCWorld or John Lewis and having to wait for PCWorld to review the patch from Microsoft and then your broadband supplier to push it to your computer? It would never work.

It's been shown not to work for the major updates, lots of Android handsets never get any updates!



Not really the case, but Windows, Linux and Mac computers have had updates for over 10 years. Phones are just small computers running an operating system. Google were inexperienced and didn't realise what they were doing.

Even your Sky+HD or Virgin Media box gets updated automatically over the 'air'.”

I don't see you suggesting a solution.

How can you make an open source operating system that imposes mandatory software updates on vendors?

It's just not possible.
jchamier
07-10-2015
Originally Posted by Daveoc64:
“I don't see you suggesting a solution.

How can you make an open source operating system that imposes mandatory software updates on vendors?

It's just not possible.”

Android isn't open source; that is a wish, not reality. The AOSP kernel is open source, but the Play Services and Google apps are not - and unless you're in China, try selling an 'Android' device without these (or Amazon's apps).

The solution is for Google to deliver updates directly, and bypass the lack of money in the vendor chain. Like Windows Update.
Daveoc64
07-10-2015
Originally Posted by jchamier:
“Android isn't open source; that is a wish, not reality. The AOSP kernel is open source, but the Play Services and Google apps are not - and unless you're in China, try selling an 'Android' device without these (or Amazon's apps).

The solution is for Google to deliver updates directly, and bypass the lack of money in the vendor chain. Like Windows Update.”

You've not only dodged the question, you've completely contradicted yourself.

The parts that aren't open source are updated by Google, directly (through the Play Store). (This is what you think should happen).

The parts that are open source aren't updated in that way.
corf
07-10-2015
As the manufacturers have modified Android for their phones - they have built a new OS that can only be patched by themselves.

I don't consider it Google's problem really - my Nexus gets updated pretty quick, Samsung and HTC etc should be doing the same instead of abandoning their products after release.
seacam
07-10-2015
Originally Posted by jchamier:
“You can't do anything about them - your vendor has to release a software update to close the holes.”

Oh I see, now why couldn't that have been explained in the download? Thanks JC.