Every year around this time, just after kids break up from school we see a plethora of world-ending bug stories in the US media. There’s an actual reason behind this. At the start of August, America’s two biggest security events – BlackHat and Defcon – take place in Las Vegas. It’s a major investment for companies to put people in charge of finding bugs for a whole year to present at these events, meaning that in the run-up we get little teasers dropped out of bugs that could potentially end the world (or parts thereof).
Last week in stunt hacking, two researchers took over a Jeep travelling at 70mph on the motorway. This week it’s mobile security vendor Zimperium’s turn to warn us of mobile security problems with their fully logo’d up and named set of bugs known as Stagefright.
This is where we are in the information security industry today. Your bug isn’t really a bug unless it has a name and a logo. That’s how the media can know what’s important and what’s not. In this case the bug not only has a name and logo, it has an associated talk both at BlackHat and Defcon.
To be fair, the hype is partially deserved. After all, this stack of bugs turns out to be particularly egregious, and under the right circumstances could be exploited just by sending a malicious MMS message to a target. However, there are workarounds, which I’ll come to later in this post.
Discovered by leading iOS and Android security researcher, Joshua Drake (or jduck as he’s known to most people), the media has jumped on the group of bugs as though the world is about to end. Meanwhile, in the real world jduck acted as a good Internet citizen, contacting Google and working with them to fix the bugs in question, but then went further and talked to other similar OS developers like Silent Circle (of Blackphone fame) and the people behind Cyanogenmod.
How long it’ll take for the updates to trickle through to your devices is another question entirely. Given the fragmented state of the Android market you may find this won’t be addressed for your device any time soon.
Bearing all of this in mind there are a few things you can do, and if your Mobile Device Management (MDM) suite can push these configuration changes out to your devices, you’ll probably sleep a little better tonight for doing them, updates or not.
Understanding Android Stagefright
Although Stagefright is presented as a single end-of-world inducing bug by Zimperium, it’s actually a collection of different bugs, some exploitable in different ways. Jduck’s work looks like he focused on parts of the Android Operating System that are responsible for processing different types of media files in a library called libstagefright. Thankfully through the medium of Open Source commits we can look at changes to the Cyanogenmod code base and get an idea of what these bugs actually entail.
Walking through the Cyanogenmod commit logs we can see several recently committed patches by jduck, focusing on integer handling around various aspects of media processing. Looking at the code it’s not hard to reach the conclusion that the Stagefright bugs are mostly triggered by malformed MMS messages containing malicious 3GPP and MP4 video files. Because these bugs are in the way the files are handled, it’s likely these bugs will be triggered when the relevant processing routines are invoked, such as when a message is opened or previewed, possbily via a notification. As the bugs are in the Android components that process media files, it’s also possible that these bugs could be exploited through other vectors, such as by embedding a corrupt media file in a web page or attaching it to an email.
Depending on the Android distribution and default messaging system, MMS messages may automatically be processed, meaning that the exploit will be triggered. We can counter this by disabling the functionality used to automatically retrieve MMS messages.
This won’t stop a malicious MMS message from being able to exploit a device, nor will it stop vunlerabilities in other pieces of software using libstagefright. However, what it will do is stop the automatic triggering of an exploit affecting libstagefright targeting MMS. Your users will need to understand that MMS messages from an untrusted source shouldn’t be opened, or alternatively it may be safer to temporarily disable MMS in your MDM solution’s policy settings until you can upgrade to a version of Android that patches the vulnerability or has stronger exploit mitigations in place.
The process for stopping automatic MMS downloads is different dependent on whether you use Google Hangouts, Google Messenger or a custom Messages app. The Twilio blog has a great article on how to disable MMS auto-receive on different devices with different configurations, but generally you want to go into your messaging settings and find an option to turn off auto-retrieval of MMS messages until you can deploy an update that addresses the issue.
While I have no doubt that Jduck’s research is well thought out, well executed and reveals serious bugs, I have little to do but frown at Zimperium’s flag waving. Their assertion that this is somehow worse than heartbleed just doesn’t stand up, despite the media falling for it hook, line, sinker and copy of Angling Times.
As for referring to it as “the mother of all Android vulnerabilities”, that too I suggest readers take with a pinch of salt. Android has moved on since the early days of Mercury (now Drozer) and it’s longstanding collection of obvious but nonetheless serious bugs, and has a complex volume of security mitigations in place, meaning that while some issues may be exploitable, the relationship between bugs and practical exploits is hardly 1:1.
I also take issue with Zimperium’s suggestion that it impacts 95% of all Android devices. Bugs come and go, and not all bugs make it to actual practical exploits affecting all platforms, especially given exploit mitigations present in later versions of Android. In the meantime, tighten up your MDM, make sure you’re running at least Android Kitkat (4.4.4) and enjoy the exploit silly season. Thankfully it won’t go on for long.
Looking for help with securing your mobile devices?