Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Silent, Easily Made Android Rootkit Released At DefCon

Soulskill posted more than 3 years ago | from the it-slices-it-dices dept.

Security 133

An anonymous reader writes with news that security experts from Spider Labs released a kernel level rootkit for Android devices at DefCon on Friday. "As a proof of concept, it is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number.' This ultimately results in full root access on the Android device." The rootkit was developed over a period of two weeks, and has been handed out to DefCon attendees on DVD.

cancel ×

133 comments

black people (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33095908)

what is it with black people and the bus stop? anytime you see a bus stop, there is always a black person there.

i would bet money that if you put a bus stop in the middle of sibera, hundreds of miles from anyone and left it for a few hours, when you return they would be black people in it. stereotypical black people too. there will be one old man holding a bicycle tire on the rim, muttering to himself. there will be a fat black girl on her cellphone talking too loud and shaking her finger while doing the "mmmhmm" thing. lastly there will be a 20-something thug-life wanna-be with bloodshot eyes.

black people and the bus stop, it's a mystery.

Re:black people (0)

Anonymous Coward | more than 3 years ago | (#33096188)

Black people got places to go, what's wrong with that?

Re:black people (0)

Anonymous Coward | more than 3 years ago | (#33096540)

This is the funniest FP troll I've seen in a long time...

What it doesn't say (4, Interesting)

TyFoN (12980) | more than 3 years ago | (#33095918)

Do you have to have a rooted device already in order to install it or does it use an exploit to gain this? Will it show the usual warnings about permission requirements when installing?
If it does use an exploit, it would be interesting to use this for regular rooting of the devices.

Re:What it doesn't say (2, Insightful)

camperslo (704715) | more than 3 years ago | (#33096024)

Wouldn't it be trivial for a developer to add the code to an app store offering that seems to have some legitimate need for any permissions requested?

Re:What it doesn't say (1, Informative)

Anonymous Coward | more than 3 years ago | (#33096700)

No, this is a kernel module not an application. Kernel modules cannot be installed from the application store.

Re:What it doesn't say (2, Informative)

Anonymous Coward | more than 3 years ago | (#33096062)

No, it doesn't need to be rooted, it's a kernel exploit, so it will give you root. The problem is Android people not picking up the Linux kernel fix for this. I guess they're really busy seeing as it was fixed back in May 2009! Shame on them. It just goes to show that you can't trust any of them. You'd expect new Andy release would use a new kernel. I wonder what Froyo is using...

Re:What it doesn't say (2, Interesting)

TyFoN (12980) | more than 3 years ago | (#33096118)

Where in the article does it state this?
I can't find any info about it at least.
All the article claims is that it is a kernel module, and in that case this is really old news as we had a story about it some time ago.

Re:What it doesn't say (4, Informative)

Anonymous Coward | more than 3 years ago | (#33098402)

The article is a troll piece hoping for clicks for ads. Here's the bug in question [secunia.com]

Re:What it doesn't say (0)

Anonymous Coward | more than 3 years ago | (#33096282)

I wonder what Froyo is using...

Cyanogen6 (based on Froyo) uses 2.6.34. But it's easy to build a custom kernel image that can be flashed on top of the existing system.

Re:What it doesn't say (1)

h4rr4r (612664) | more than 3 years ago | (#33098178)

2.6.32.9-g103d848 is what uname on my 2.2 running droid says.

Re:What it doesn't say (1)

alvinrod (889928) | more than 3 years ago | (#33096170)

Based on a few other articles that I've read, the owner of the phone would need to install an app that contains this rootkit first. Either users would need to sideload the application or someone would need to sneak an app containing it into the Android Marketplace, which is possible considering that developers have snuck apps with hidden tethering functionalities into the iPhone's App Store in the past.

Assuming that the rootkit works without needing any suspicious permissions, you won't get any additional useful warnings. If it needs some special set of permissions, but is masquerading as a legitimate app that would need those permissions anyway you probably won't notice either. Most of the articles I've been able to find are a little sparse on details. The rootkit has only been tested on two HTC phones, but the creators claim it will work on all phones. The two phones it has been shown to work on both ship with 2.1, so this may have possibly been fixed in Froyo already.

This is a bit worse than the article from the other day about the Android app that was supposedly stealing a lot of data [slashdot.org] but mostly turned out to be sensationalist drivel; however, it's still not a drive-by attack, which is what people should really be worried about.

Re:What it doesn't say (4, Insightful)

AnEducatedNegro (1372687) | more than 3 years ago | (#33096212)

Ok as an android developer, you can't break out of the VM. period. that's the whole point of it. this exploit they are talking about is a kernel driver which you would include in a custom rom that you download from, say, sdx-developers (shoutout!). Now once you have a kernel rootkit, well you know the hell that can cause. But let's face it folks, mobile computing is here to stay. This is no different than having a rootkit on your windows box and tethering it through your phone. All the phone company sees are packets. It's also time to realize that our phones are full fledged computers. You gotta protect them.

Re:What it doesn't say (0)

Anonymous Coward | more than 3 years ago | (#33096420)

So would an application like Lookout protect you?

Re:What it doesn't say (0)

Anonymous Coward | more than 3 years ago | (#33096422)

Plenty of exploits have been developed that specifically targetted the VM to break through to the parent system. How do you guard against a vulnerability in the interpreter? It's difficult unless you restrict the privileges of the host process, which is self-defeating in that it limits the power of the VM and its own sub-programs.

Re:What it doesn't say (2, Insightful)

Svartalf (2997) | more than 3 years ago | (#33096520)

Really? Can't break out of the VM, period?

If the application uses this [android.com] little toolchain to provide a native code .so, you're able to break right on out of the VM, possibly never to return. It's not very hard at all- and there's a host of possible exploits to apply once you're in that space, all depending on how locked down the user account actually is on your Android device.

Let's all face a real fact here. Security has little to do with technology in and of itself. There's an aspect of it within the design of something, but in the end it's people that provide security as well. You would fail at securing something outright- you lay entirely too much faith in things like a VM to protect your system design.

Re:What it doesn't say (2, Informative)

AnEducatedNegro (1372687) | more than 3 years ago | (#33096836)

uh the rootkit also enables you to break out of the vm. but the problem here is the application inside the vm didn't break out. it has no way of interfacing with the system until the vm creates an interface. so again, you cannot break out of the vm as a developer. there are no magic holes in davlikvm. if you re-read the thread it all started with people saying "omg can we just click and exploit?!" and the answer is no you cannot. you may be able to attack specific devices (again, see sdx-developers).

i do want to thank you for reaffirming my statement. we need to provide the security ourselves and protect our phones.

Re:What it doesn't say (0)

Anonymous Coward | more than 3 years ago | (#33096888)

uh the rootkit also enables you to break out of the vm. but the problem here is the application inside the vm didn't break ou

Bullshit. Call you c or asm code via JNI provided as a shared lib. Then do what ever you want: Make syscalls to the kernel and exploit the security holes.

Saying an app can not gain root would mean there is no security hole in Linux kernel. Can you proove this?

Re:What it doesn't say (1)

Svartalf (2997) | more than 3 years ago | (#33098730)

Actually, if you make a native call, you're outside of the VM unless the code you called gives it back to the VM. It's been the same since the UCSD P-Code system DECADES ago (and, yes, I've been at it that long, folks...). Any system calls you make or similar leave you open to attack.

It's NOT unhackable. It's not invulnerable. If you think it is, you're fooling itself. Now, your statement wasn't one of that- it was one of the VM being incapable of being broken out of as a sandbox. Which, you will find, if you think long and hard about it, I've disproven. Now, your new remark, one of providing the security ourselves, etc.- you'll find this proves that and I'd wholly agree with your remark there.

Re:What it doesn't say (1)

Svartalf (2997) | more than 3 years ago | (#33098794)

itself==yourself... Sigh... Need to check my posts a little closer before submitting them.

Re:What it doesn't say (0)

WrongSizeGlass (838941) | more than 3 years ago | (#33096598)

It's also time to realize that our phones are full fledged computers. You gotta protect them.

I completely agree. I keep my iPhone in a condom at all times. I get some funny looks when I'm holding it, especially when I'm not using my bluetooth, but it's worth it to be safe.

Re:What it doesn't say (2, Funny)

Anonymous Coward | more than 3 years ago | (#33096628)

Helps with reception too.

Re:What it doesn't say (3, Insightful)

Anonymous Coward | more than 3 years ago | (#33096612)

This is no different than having a rootkit on your windows box and tethering it through your phone. All the phone company sees are packets. It's also time to realize that our phones are full fledged computers. You gotta protect them.

Eh, oops... You just lost 99% of the general audience.

The phone that will win the market is the phone made where the hardware/software/service providers are willing to guarantee to you to make consistent and continued effort to protect our phone from malware and problems, versus just declare it a "computer" and let YOU do it.

Re:What it doesn't say (0, Flamebait)

Anonymous Coward | more than 3 years ago | (#33096472)

Based on a few other articles that I've read, the owner of the phone would need to install an app that contains this rootkit first. Either users would need to sideload the application or someone would need to sneak an app containing it into the Android Marketplace, which is possible considering that developers have snuck apps with hidden tethering functionalities into the iPhone's App Store in the past.

Wow. Your fandroid response is pretty funny. Instead of pointing out an example from the Android Marketplace, downloaded by millions [venturebeat.com] , which does exactly what you are talking about, you choose to go after a harmless iPhone app.

How does that Android Kool Aid taste, anyhow?

Re:What it doesn't say (0)

Anonymous Coward | more than 3 years ago | (#33097502)

Good post. We need more ad hominem insults on Slashdot.

A little social engineering there? (1)

A nonymous Coward (7548) | more than 3 years ago | (#33097922)

Nice example that you wanted him to use -- the one that was shown to NOT be what the news made it out to be. Are you trying to trick him into making a false anecdote to buttress his claim, thereby giving you reason to laugh at him for that?

Re:What it doesn't say (1)

gollito (980620) | more than 3 years ago | (#33098206)

It wasn't millions. They mis-stated that number and it turned out to only be a couple hundred thousand. Still a fairly large number but not as large as stated.

Re:What it doesn't say (1)

Sir_Lewk (967686) | more than 3 years ago | (#33096638)

The purpose of rootkits is to allow you to keep root access after you've gotten it, not to give it to you in the first place. Getting it in the first place is outside the scope of this software.

Apple (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33095926)

iPhone will always be the safest phone, all you linux and windows noobs getting your viruses and what not. All hail Apple!

My phone is safer than the iphone (1)

davidwr (791652) | more than 3 years ago | (#33096238)

Unfortunately, they turned off the analogue towers here a few years ago....

Re:My phone is safer than the iphone (1)

MrLint (519792) | more than 3 years ago | (#33096352)

I think your post's parent is hearing voices in something other than a cell phone

Re:Apple (0)

Anonymous Coward | more than 3 years ago | (#33097824)

is it just me, or are apple fanboys becoming more and more cultist-like?

Not Helpful (1, Insightful)

Nom du Keyboard (633989) | more than 3 years ago | (#33095928)

This is not a helpful development. Just another assh--- trying to show off what he (or she) thinks he can do better.

Re:Not Helpful (0)

Anonymous Coward | more than 3 years ago | (#33096198)

This is not a helpful development. Just another assh--- trying to show off what he (or she) thinks he can do better.

Would you feel better if they didn't tell other people about they exploits they find? If the security holes are there it is better for people to hear about them.

Re:Not Helpful (2, Interesting)

phantomfive (622387) | more than 3 years ago | (#33096200)

Exactly. A rootkit doesn't let you hack into the device, it's not an exploit, and this doesn't mean Android is vulnerable. It's a program that runs after you already have access to the device. In fact, I have no doubt that there are hundreds of thousands of programmers here on Slashdot who could write an Android rootkit in an afternoon.

Re:Not Helpful (0)

Anonymous Coward | more than 3 years ago | (#33096252)

This is not a helpful development. Just another assh--- trying to show off what he (or she) thinks he can do better.

This is not a helpful comment. Just another assh--- trying to attack research that he (or she) doesn't approve of.

Re:Not Helpful (1, Funny)

Anonymous Coward | more than 3 years ago | (#33096380)

Just another assh---

I find myself wondering about the sort of person who has no problems with the word "ass" but is so offended by the word "hat" that he (or she) feels the need to censor it in a slashdot comment.

Re:Not Helpful (0)

Anonymous Coward | more than 3 years ago | (#33096556)

cf. g*ddamn

Re:Not Helpful (2, Insightful)

fermion (181285) | more than 3 years ago | (#33096900)

One can either leave the gate to the garden open or the gate to the garden closed. A closed and secured gate is a known security model with known consequences and benefits. If the gate is open, then it is important to show that other security measures, like limited access once is inside the garden to limit damage, provides sufficient security. If your garden is so uninteresting that no one ventures inside, then there is no evidence of security, just lameness.

Therefore if the Android OS is to be shown to be secure, even against apps that user load on the phone, because there is no way a priori to know if an App is malicious, developers must write potentially malicious apps and test if they will cause harm or not. We already know from this conference that "Jackeeey Wallpaper" collects and publishes phone numbers and browser history from the phone, not a huge data breach, but shows the open garden is not fully protected.

Re:Not Helpful (1)

zuperduperman (1206922) | more than 3 years ago | (#33099046)

We already know from this conference that "Jackeeey Wallpaper" collects and publishes phone numbers and browser history from the phone

Actually what we know is that no such thing happened and that nearly the whole story was made up [techcrunch.com] . I suppose it is still fun to spread the FUD around though!

Re:Not Helpful (0)

Anonymous Coward | more than 3 years ago | (#33099174)

The article you posted says the essentially the same thing. The wall paper collects data, and Google considers it malicious enough to suspend the App.

Re:Not Helpful (1)

Securityemo (1407943) | more than 3 years ago | (#33097042)

It's a helpful development - because any edge the "public pool" of hacking software and tricks gets over the "hidden pools" exploited by immoral hackers for selling pickpocketing software and botnets to criminals is helpful, as the relationship between companies business risk/reward and the "security scene" now stands. Even if this may seem counterintuitive at first glance.

Oh how clever... (2, Funny)

gowen (141411) | more than 3 years ago | (#33095946)

I've noticed a 0-day vulnerability in old ladies in that I can hit them over the head with a cudgel and steal their handbags. I'm going to a black-hat muggers conference to hand out cudgels and more detailed instruction. But that doesn't make be an utter scumbag, oh no. I'm a "security researcher", that's what I am, only interested in increased security for old ladies.

Re:Oh how clever... (3, Funny)

sco08y (615665) | more than 3 years ago | (#33095998)

I've noticed a 0-day vulnerability in old ladies in that I can hit them over the head with a cudgel and steal their handbags.

Already patched; the handbags have been upgraded to include a pink-enameled snub .38.

Re:Oh how clever... (0)

Anonymous Coward | more than 3 years ago | (#33096310)

I've noticed a 0-day vulnerability in old ladies in that I can hit them over the head with a cudgel and steal their handbags.

Already patched; the handbags have been upgraded to include a pink-enameled snub .38.

Awesome, so then I can shoot her with her own gun as well as stealing her purse?

Re:Oh how clever... (0)

Anonymous Coward | more than 3 years ago | (#33096848)

No, the bullets weren't included in the update.

Re:Oh how clever... (3, Informative)

erroneus (253617) | more than 3 years ago | (#33096214)

I think you and many others on your side of the fence are missing something important. You know those cheap tiny "locks" that come with so many little boxes or other devices? The ones that all have the same key? Would you consider using those to lock anything important up? I'm guessing you wouldn't. You probably realize that they are too weak even to be considered a lock at all.

For some im/morality is enough of a deterrent to prevent them from doing bad things. For others, fear of punishment under the law might be enough. But without a doubt, it's not enough for everyone. Some of those people will go to great and surprising lengths to get what they want. And there are most certainly weaknesses and vulnerabilities that are not shared with the general public. And without these larger events that literally celebrate sneaky, underhanded tricks, the "secrets" shared there would also remain as dark, underground secrets that are known by a few.

Let's put it another way. These events that you seem to believe shouldn't exist serve as a spotlight not only to humiliate the vendors and producers of bad locks, but also sheds light on otherwise dark and unknown vulnerabilities giving the public an opportunity for awareness they wouldn't otherwise have and for them not to become victims of these weaknesses. These celebrations help to reduce the number of secret vulnerabilities by making them less secret.

Do you really think it would be better if people got owned and never find out why or how?

Some of these security researchers are the Louis Pasteurs of the day. Before Pasteur, people believed in "spontaneous generation." Currently, many people still believe their computers and other devices are simply magic.

Re:Oh how clever... (3, Funny)

Nerdfest (867930) | more than 3 years ago | (#33096386)

computers and other devices are simply magic.

Why wouldn't they; some of them are even advertised that way.

Re:Oh how clever... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33096640)

If you're going to believe in advertising, you might as well believe in magic anyway

Re:Oh how clever... (1)

DoraLives (622001) | more than 3 years ago | (#33097374)

If you're going to believe in advertising, you might as well believe in magic anyway

Have a closer look at most of the people all around you.

Now read what you just wrote, once again.

Re:Oh how clever... (2, Insightful)

A1rmanCha1rman (885378) | more than 3 years ago | (#33098466)

computers and other devices are simply magic.

Why wouldn't they; some of them are even advertised that way.

Like my electronics teacher told my class "if you really think that n-p-n junctions are actually how semi-conductors work, you'll believe anything you are told".

The scientific and logical explanations for the phenomena that underlie the technology we use are simply that, explanations. You'll never see n-p-n junctions under any microscope, because there probably aren't any.

Even if there were, think about it, it won't make the phenomena of natural processes any less magical.

All is magic...

Re:Oh how clever... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33096998)

"A wise man once said that any sufficiently advanced technology is indistinguishable from magic"

for many people we've reached that point

Re:Oh how clever... (1)

cstacy (534252) | more than 3 years ago | (#33097352)

You know those cheap tiny "locks" that come with so many little boxes or other devices? The ones that all have the same key? Would you consider using those to lock anything important up? I'm guessing you wouldn't.

Absolutely! Well, maybe it would be sufficient for, like, an ATM...

Re:Oh how clever... (1)

Nyder (754090) | more than 3 years ago | (#33098748)

I think you and many others on your side of the fence are missing something important. You know those cheap tiny "locks" that come with so many little boxes or other devices? The ones that all have the same key? Would you consider using those to lock anything important up? I'm guessing you wouldn't. You probably realize that they are too weak even to be considered a lock at all.

That brings up a funny story.

When I was in 9th grade, I used one of those cheap locks to lock up my gym/tennis crap (just tennis shorts, shoes, nothing big) and someone broke it open to steal my shorts. Well, seeing as they are tennis shorts, and only people that play tennis usually wear them, it wasn't hard for me to figure out who stoled them.

So what did I do?

Nothing. He was a big thug and it wasn't worth me getting my ass kicked.

Re:Oh how clever... (0)

Anonymous Coward | more than 3 years ago | (#33096276)

If someone is presenting a "new" 0-day exploit at DefCon, it's already out there more than likely. For a company that ignores security, this is the only way to push them to patch something. However, Google has been good about patching security vulnerabilities. So I don't quite get what's going on here, except for getting attention.

My inner conspiracy theorist say this is revenge from Microsoft for the release of the 0-day Google put out recently.

Re:Oh how clever... (2, Insightful)

blair1q (305137) | more than 3 years ago | (#33097626)

In this case, the little old ladies already have to be holding the cudgel as well as the handbag.

Re:Oh how clever... (1)

Nyder (754090) | more than 3 years ago | (#33098732)

I've noticed a 0-day vulnerability in old ladies in that I can hit them over the head with a cudgel and steal their handbags. I'm going to a black-hat muggers conference to hand out cudgels and more detailed instruction. But that doesn't make be an utter scumbag, oh no. I'm a "security researcher", that's what I am, only interested in increased security for old ladies.

Sorry, My Great-Great-Great-notsoGreat-Grandfather patented this back in 1800's. It's in public domain now.

Cool (1)

Svenne (117693) | more than 3 years ago | (#33095984)

Can this be used to gain root on Android devices with a locked bootloader? That would be neat. Imagine rooting your phone without having to flash it.

Re:Cool (3, Informative)

MrHanky (141717) | more than 3 years ago | (#33096592)

You don't need to flash your phone to root it. (How do you flash your phone without rooting it?) Here [doshaska.net] 's how I did mine.

I posted this story but the editors cut out... (5, Interesting)

Anonymous Coward | more than 3 years ago | (#33096006)

... an important question.

(The spider labs people claim) they did this to prompt Google to issue a fix. However, since the carriers seem to be very slow in updating the Android OS for their phones (a substantial number, perhaps a majority have never received an update), WHEN CAN WE EXPECT A FIX to get to the millions of phones out there? Compare this to the Apple ecosystem which received an update for their (admittedly widely publicized) Antennagate issue within weeks (whether or not it actually fixed anything is another question). In general Apple devices are (forcibly?) updated much more quickly. Perhaps this is because of his holinesses... I mean Steve Jobs powers of persuasion. ;)

Of course as an A/C I can't prove it but if you look at the submission, you'll see that's what I said. I no longer login because I feel that while attacking a company's products is fair game (specifically Apple), having stories singling out their users as "selfish" and unkind is not "news for nerds stuff that matters". Am I an Apple fanboi? Let's just say I've used NIX for decades (yes I'm old) and I'm not talking OS X.

Re:I posted this story but the editors cut out... (1)

Nerdfest (867930) | more than 3 years ago | (#33096216)

Apple has historically been very slow in patching exploits. There have been Java VM exploits and others that they've about a year behind the curve on. I think the issue only received the attention it got because of media hype. Overall, I think patches for exploits should be made available to everyone as soon as they're ready like Linux does. Doing ''scheduled" updates like Microsoft does is ridiculous, as is carriers being involved in sending out updates to the Android OS.

Re:I posted this story but the editors cut out... (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33097466)

Cellphone manufacturers/telcos have historically not patched exploits.

Re:I posted this story but the editors cut out... (2, Interesting)

witherstaff (713820) | more than 3 years ago | (#33096256)

I have a Samsung Mobile from Sprint, it's running 2.1 and will no longer be upgraded by Sprint according to their news release.

Another annoyance with carriers having to provide the upgrade is they toss in extra junk programs. I have an amazon MP3 store, sprint live Nascar, and other apps that can not be removed. Samsung also tossed in a few non-standard apps, like Moxier Mail, which costs $25 on the app store. So there are some minor benefits to using the network provided Android.

I like these kernel hacks, if they cause enough problems it may force Sprint to give me 2.2!

Re:I posted this story but the editors cut out... (2, Interesting)

zogger (617870) | more than 3 years ago | (#33096892)

Normally I am one to not want yet another new law, but I think in this case there should be a law that says these gadget sellers and makers should support their devices for x-years, whether they want to or not, beyond the normal short warranties and covering more stuff. And that would include security fixes. They are obviously just wanting you to trash perfectly functional devices to buy something new all the time.

Re:I posted this story but the editors cut out... (0)

Anonymous Coward | more than 3 years ago | (#33097816)

Woah hold on there Castro.

Re:I posted this story but the editors cut out... (1)

zogger (617870) | more than 3 years ago | (#33098232)

Ya, pretty radical left, I know....

Re:I posted this story but the editors cut out... (1)

tlhIngan (30335) | more than 3 years ago | (#33099306)

I have a Samsung Mobile from Sprint, it's running 2.1 and will no longer be upgraded by Sprint according to their news release.

Another annoyance with carriers having to provide the upgrade is they toss in extra junk programs. I have an amazon MP3 store, sprint live Nascar, and other apps that can not be removed. Samsung also tossed in a few non-standard apps, like Moxier Mail, which costs $25 on the app store. So there are some minor benefits to using the network provided Android.

I like these kernel hacks, if they cause enough problems it may force Sprint to give me 2.2!

Doubt it. Unless Samsung provides it, you won't get it. And if it was, there's probably hacked firmware available for you that you can load up yourself.

Sprint however, will probably use this as an opportunity to make firmware that can't be rooted and maybe even enforce ROM signatures so you can't load custom ROMs in.

(And why is it, that Apple basically gave their finger towards AT&T and did their own thing on firmware (so AT&T can't go load on all their crapware), everyone running Android is still catering to the carriers and loading in all their crapware on? Except maybe the Nexus One (no longer available), it seems no one dares give their finger to the carrier and "do their own thing" like Apple...).

Re:I posted this story but the editors cut out... (0)

Anonymous Coward | more than 3 years ago | (#33097760)

Antennagate

Kill yourself.

Re:I posted this story but the editors cut out... (1)

tlhIngan (30335) | more than 3 years ago | (#33099286)

In general Apple devices are (forcibly?) updated much more quickly. Perhaps this is because of his holinesses... I mean Steve Jobs powers of persuasion. ;)

Nope. Apple does not force any software update on anyone. I have my original iPhone still running at 2.something (with the SMS flaw), simply because I was too lazy to do the required jailbreaking on it.

This is unlike say, the Palm Pre, where you can delay an update, but you can't avoid it. I think Android devices are also voluntary updates as well, but the carrier can go force the issue (see what Rogers did by forcing an unrootable firmware on their G1s).

Re:I posted this story but the editors cut out... (1)

bm_luethke (253362) | more than 3 years ago | (#33099372)

In this particular case there is nothing to patch - the iPhone is *just* as vulnerable to this as Android too.

In order to run this particular "exploit" you have to first root the phone, wipe your old OS off the phone, and install the new one they provide. One can also jailbreak and iPhone and install a different OS or rootkit on their phone too. If you want to "patch" this do what Motorola did with the Droid-X - disallow a custom rom to be installed and not allow you outside the dalvik VM (and in that case your "secure" iPhone is *more* susceptible to this type of thing as the underlying OS is MUCH more accessible when rooted).

I do not know why anyone here is shocked, shocked I say to find that when someone roots their phone they can install apps that do malicious things and then want someone to "patch" it (but leave the ability to root). Poor reporting by the submitter and by the editors, though that has plagued here for a *long* time (which is why one should read the comments of a sensational story).

Though your question about updates is not a bad one you are, again, not saved by Apple. A great deal of them out there can not run iOS 4 and are end of lifed. In any computer that you are running an OS that is not updated, and Apple is no different here, then security fixes do not get put int. Lets face it, if you are running a 2.4 kernel and find a security issue that chances of it getting fixed are quite slim too. Our phones are computers that happen to have some form of a cell connection in them, not a phone that has some general purpose computing hardware added to it. The sooner we all realize this the better, though I guess I will have to say that many Apple fanbois also think their desktop or laptop is "different" and doesn't have any issues that a general purpose computer does.

Two things ... (4, Interesting)

GNUALMAFUERTE (697061) | more than 3 years ago | (#33096078)

1st:

Not news. Anything with a processor in it can run software. That software can do a number of things, and, considering that the processor is turing complete, it can actually do anything. Including allowing remote stealth access. That is NOT news and is NOT a vulnerability or anything to get excited about. Show me that you found a buffer overflow in Android's TCP stack that allows you to run arbitrary code on the device remotely. Of course you can put a rootkit in there after gaining access, you could run tetris for all I care. If you need unlimited rw access to the software to setup your malware, that is not fucking news.

2nd:

FTFA:

"Attendees pay $140 in cash to attend and are not required to provide their names to attend the conference. Law enforcement posts undercover agents in the audience to spot criminals and government officials recruit workers to fight computer crimes and for the Department of Defense."
(Reporting by Jim Finkle; additional reporting by Alexei Oreskovic in San Francisco; editing by Andre Grenon)

Wow. Just wow. Attentive Attendees attend to the conference. No shit. Andre Grenon could be a /. editor.

More power to open source! (2, Interesting)

nephridium (928664) | more than 3 years ago | (#33096108)

It seems the main attack vector would be a "rogue app", just like with this [slashdot.org] recent story.

I deem myself lucky that all software I have installed on my N900 is open source, which means I (or anyone else) can check the code, compile it and improve it anytime I feel the need to - it's as simple as on any debian based system, "apt-get source", "make" etc. - That alone makes it the superior platform imho, though obviously it doesn't come with all the bling-bling apps and games that Apfel and Google supplies you with. For me openness trumps gimmicks anytime.

It also don't hurt that many of the tools and scripts I use on my Ubuntu workstation can directly be used on the phone as well.

On a tongue in cheek note: the only two packages (out of 868) that vrms [wikipedia.org] admonishes about are "human-icon-theme" and "tangerine-theme" - but they probably don't pose a security risk ;)

Re:More power to open source! (1)

CRCulver (715279) | more than 3 years ago | (#33097362)

I have an N900 too and I love it, but I wouldn't claim that the nature of its software distribution makes it all that much more secure. Linux distribution package repositories have been tainted with malware in the past, in spite of the hope that community observation would guarantee their purity.

Re:More power to open source! (0)

Anonymous Coward | more than 3 years ago | (#33097686)

Yeah and for how long?

Re:More power to open source! (1)

nephridium (928664) | more than 3 years ago | (#33099072)

Thanks for the input, I wasn't aware of malware that was distributed through Maemo or Debian, could you name a few?

I'm always willing to get my facts straight :) - In any case, I believe open source, like sunlight, is the best disinfectant. Unlike with Apfel/Android nothing stops me from checking the source prior to installing - that means at least in theory I'd be far more secure (in practice, of course, but maybe others do).

Difference between open source and closed source (1)

davidwr (791652) | more than 3 years ago | (#33096112)

With open source, it's easier for the good guys to spot - and fix - problems.

Re:Difference between open source and closed sourc (1)

macs4all (973270) | more than 3 years ago | (#33096452)

With open source, it's easier for the good guys to spot - and fix - problems.

Yes, but in this case, isn't the code that is being exploited Closed Source?

So, now, aren't all the potential victims stuck in the same waiting game, waiting for someone else to fix the 'sploit, as those running closed-source phones?

Reverse TCP? (1)

Improv (2467) | more than 3 years ago | (#33096316)

What does that even mean?

Re:Reverse TCP? (1, Funny)

Anonymous Coward | more than 3 years ago | (#33096512)

What does that even mean?

PCT. Duh.

Re:Reverse TCP? (3, Informative)

OopsIDied (1764436) | more than 3 years ago | (#33096780)

It means that the rootkit can establish a connection from the victim to the attacker and receive orders from him/her. Since it's TCP i'm guessing it can also connect to IRC and other services that use TCP rather than UDP or more obscure protocols.

Re:Reverse TCP? (1)

Improv (2467) | more than 3 years ago | (#33097176)

Ohhh they didn't mean reversing the concept of TCP, they really meant to just reverse the direciton of connection. They really could've phased that better.

Justification for eFuses? (1)

GreenTom (1352587) | more than 3 years ago | (#33096418)

Does this give any justification to the "self-destructing" Motorola phones? (http://hardware.slashdot.org/hardware/10/07/15/1317205.shtml, though later stores say they don't really permanently self-destruct)

Looks like MOT is thinking about this--if you do want a secure phone, seems like hardware verification of ROMs and bootloader are a necessary starting point. That at least gives you a solid foundation to build a security infrastructure on. Now let's see MOT build on this by releasing rootkit detectors and we might actually be seeing a genuine step towards real secure computing.

NO. (2, Interesting)

Svartalf (2997) | more than 3 years ago | (#33096564)

If you can "self-destruct" a phone that way, then it becomes a nifty way to do a DoS attack on those phones.

Re:NO. (2, Insightful)

GreenTom (1352587) | more than 3 years ago | (#33096622)

I'd think I'd rather have my phone brick than get rooted, as long as there's some way I can reset it to factory config.

Re:NO. (1)

h4rr4r (612664) | more than 3 years ago | (#33098242)

I would rather root my phone, than have motorola provide security. By which they mean decide what software you are allowed to use.

Great... (0)

Anonymous Coward | more than 3 years ago | (#33096470)

.. make a rootkit and hand it out to every script kiddie in the world.... THAT'S REALLY GONNA HELP !!!

assholes.

plus 2, Troll) (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#33096524)

At talk right now ... NON-ISSUE! (5, Informative)

Jahava (946858) | more than 3 years ago | (#33096924)

So yet more developers want to make a make for themselves by elevating a non-issue. I am currently attending their talk, and must admit that I am disappointed.

The first half of the presentation is them chatting about.how rooting a phone is desirable due to its intimate association with the user.No shit! Everybody knows this.

So let's get to the interesting part: There is no new attack vector. No propagation from Dalvik VM to kernel. No new technique. They wrote a Linux rootkit, like anyone can do. It is a kernel module. Anyone can make one of those. It hooks the kernel in various places to hide itself from various process / module listings. How innovative? Please.

The call this an exploit ... nothing is exploited. They willingly participate in the installation at the root level. Their conclusion seems to be that someone with root has access to everything on a system. Shocking, eh?

The only funny part is that this took them 2 weeks to create. How terribly disappointing.

Re:At talk right now ... NON-ISSUE! (-1, Troll)

bonch (38532) | more than 3 years ago | (#33097284)

It's getting really annoying seeing Google/Android fanbois falling over themselves to claim this is a non-issue, a non-story, etc. If the iPhone had a story about a rootkit, there would be 500+ comments, with half of them addressing Steve Jobs by name since Apple-haters think he can hear them.

Every time someone claims there is no attack vector, a hacker somewhere is always drooling over the idea of proving them wrong.

Re:At talk right now ... NON-ISSUE! (2, Interesting)

Jahava (946858) | more than 3 years ago | (#33097434)

But that's the point... no attack vector means nothing interesting. The rootkit and its capabilities are presumed! It's common knowledge that anything software (kernel and higher) can do, a rootkit can do. Software can obviously make calls, read and send text messages, etc., therefore a rootkit can too. Same goes with Apple, by the way.

I'm not saying that there is no attack vector... just that this story is a non-issue, as all it exposes is already obvious. Let a hacker find an attack vector. Hopefully he'll present it next DEFCON, and that would be very interesting. Regardless, the rootkit never was the technical challenge.

FWIW, a subsequent presentation does show a privilege escalation Android exploit. Was very cool. Anyone who can write one of these can drool the rootkit in his sleep.

Re:At talk right now ... NON-ISSUE! (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33097456)

What the hell are you talking about?

The OP makes a perfectly valid point...

Little sensitive much?

Re:At talk right now ... NON-ISSUE! (0)

Anonymous Coward | more than 3 years ago | (#33097750)

Yeah, anyone who had actually found an attack vector to install this rootkit could have easily written the rootkit themselves as well.

Nobody important really cared that rooted iPhones with default passwords were compromised via SSH (well, outside of finding it maybe interesting), either.

Re:At talk right now ... NON-ISSUE! (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33098932)

Where's the fanboyism in this? Anyone with a jailbroken iPhone has exactly the same "vulnerability", and that's that they could install untrusted code with arbitrary privilege. There is no remote attack vector, and for any phone in its stock configuration, there isn't even a local one.

But you keep on rocking with that persecution complex.

I Don't Care (1)

birukun (145245) | more than 3 years ago | (#33097058)

I only do online banking with my phone.... all the important stuff like Facebook and Twitter I ONLY do from my Windows 2000 machine at home. (Security through Obscurity - you should try it sometime)

"Walled Garden": BAD! "Open Sores": GOOD! (1)

Chris Tucker (302549) | more than 3 years ago | (#33097072)

"Paging Ed Felten. Will a Mr. Ed Felten please pick the white courtesy 'PWN', please? Thank you!"

That's what they think. (1, Troll)

blair1q (305137) | more than 3 years ago | (#33097636)

I bet the Android rootkit isn't the only rootkit on that CD... I for one wouldn't put anything I obtained at DefCon into any equipment I owned. Maybe not even into my shredder.

Re:That's what they think. (1)

Nyder (754090) | more than 3 years ago | (#33098760)

I bet the Android rootkit isn't the only rootkit on that CD... I for one wouldn't put anything I obtained at DefCon into any equipment I owned. Maybe not even into my shredder.

Ya, that happened to me. Had a disc with some virus & trojans on it. I put it in my electric shredder and sure enough, my shredder got infected. Then it, using the electric outlet, infected my oven, my fridge, my alarm clock and dang it, my computer.

That's why you should never shred anything.

Fixed By Monday (1)

skyggen (888902) | more than 3 years ago | (#33097808)

Yeah, this happened quite bit in the early days of Linux. Exploits were found and freely shared and patched within a couple of days. Come on even apache had some exploits or improperly set-up. This only seems strange from the Cathedral paradigm, wheres in the bazaar this is a normal occurrence.

It roots my phone? (1)

Eggbloke (1698408) | more than 3 years ago | (#33098340)

This thing can root my phone without flashing new firmware? Where can I get it?

R2D2 (0)

Anonymous Coward | more than 3 years ago | (#33098956)

Well, interestingly enough a possible exploit (admittedly not super critical) was demonstrated couple of hours later at defcon 18. The presenter demonstrated how you can exploit the Bluetooth vulnerability CVE-2010-1084 to get root access to an android device not having Froyo (which is pretty much everyone). So attack vectors do exist, just give the hackers some more time.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...