
Researcher To Release Web-Based Android Attack

timothy posted more than 3 years ago | from the oopsie-daisy dept.

Cellphones 136

CWmike writes "A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android (video) when the victim visits a website that contains his attack code. The bug used in Keith's attack lies in the WebKit browser engine used by Android. Google said it knows about the vulnerability. 'We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser,' Google spokesman Jay Nancarrow confirmed in an e-mail. 'The issue does not affect Android 2.2 or later versions.' Version 2.2 runs on 36.2 percent of Android phones, Google says."


Anything that gets phone makers to update... (3, Insightful)

mykos (1627575) | more than 3 years ago | (#34132478)

So many phone makers seem to think the worst thing in the world is to provide users an official update. Maybe this will get them in gear.

As an aside, does anyone know what phone makers are good about keeping updates coming?

Re:Anything that gets phone makers to update... (2, Informative)

Anonymous Coward | more than 3 years ago | (#34132490)

Still waiting for 2.2 from Samsung... so not them!

Re:Anything that gets phone makers to update... (3, Informative)

stoolpigeon (454276) | more than 3 years ago | (#34132648)

If you are on the Galaxy S like I am, Froyo started rolling out today in the UK [androidcentral.com] - hoping the US is not far behind.

Re:Anything that gets phone makers to update... (2, Insightful)

toastar (573882) | more than 3 years ago | (#34133010)

If you are on the Galaxy S like I am, Froyo started rolling out today in the UK [androidcentral.com] - hoping the US is not far behind.

If you have root like I do, you probably have had froyo for months

Re:Anything that gets phone makers to update... (1)

cwtrex (912286) | more than 3 years ago | (#34134040)

I have been researching roms and kernels for the Samsung Epic, which of course is a CDMA phone and has 4g. You didn't mention which Samsung S you have, but are you aware of a rom that is Froyo and also has CDMA, Wifi, and 4g capabilities for the Samsung Epic?

Is there a way to keep the stock rom, but force it to upgrade to froyo using root?

Re:Anything that gets phone makers to update... (2, Insightful)

peragrin (659227) | more than 3 years ago | (#34134200)

And this is one of the main reasons not to get an Android phone. In order to get upgrades you have to root (jailbreak) the phone. Apple may be a control freak, but at least they are willing to support their products for more than 6 months.

So many Android phones have come and gone one would think that a game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.

Re:Anything that gets phone makers to update... (0)

Anonymous Coward | more than 3 years ago | (#34134424)

uh, what? I think you just don't like android.

people root for additional features, not just "upgrades". People do happen to care about more than froyo, not everyone is a horse with blinders on.

examples: the shit the carriers take away: removal of bloatware, tethering, adding a percentage to the battery status as opposed to a "low/medium/high/full" battery status, changing the user interface, adding swype to phones that didn't have it, etc.

Android phones don't die off at all, people are still using the cliq and other phones that got upgraded to 2.1. I know people who still use the G1 because it is still being upgraded (hello? cyanogenmod?). What happens is no different than iphone: the old hardware isn't as good as the new hardware, and the new phones are also cheaper cost-wise.

Don't get me wrong, I don't mind google but don't love em, but when it comes to mobile phones they are the best for now - windows 7 phone doesn't even hold a candle to it nor is it intended to. [anandtech.com] So until we get some better competition (which currently doesn't exist - iOS is not it), google will remain the best game in town.

Re:Anything that gets phone makers to update... (2, Informative)

GooberToo (74388) | more than 3 years ago | (#34135048)

By your definition, Apple's products completely fit the bill. In fact, given one product problem after another, even without your comments, they seemingly fit the bill. Though honestly, I don't believe your assessment of the market, Android+iPhone is even close to reality.

Just the same, Android phones vary widely in fit, function, and quality. Some even exceed the iPhone's quality by a wide margin. Android's success is not because "resistance is futile" mentality as you attempt to push. It's succeeding because they cover every market segment; including the "cheap" market to well beyond what Apple currently provides.

Re:Anything that gets phone makers to update... (1)

jDeepbeep (913892) | more than 3 years ago | (#34135258)

So many Android phones have come and gone one would think that a game AI was trying to find the right product. I just realized Android phones are the Zerg of cell phones. Cheap, mass produced, and die off quickly.

I'd have to agree with you. I have a Droid Eris that Verizon has declared end-of-life in under a year of its release, and they have also stated it will never be updated to 2.2. I have no choice but to root the phone, since I'm not going to buy a newer, shinier unsubsidized device at $600+ a pop.

Re:Anything that gets phone makers to update... (2, Insightful)

jeffmeden (135043) | more than 3 years ago | (#34134648)

If you have genuine security needs (and concerns) like I do, you wouldn't touch a rooting system and hacked rom with a 10 meter patch cord. Hoping for increased security by running "newer" code from completely untrusted sources... What could possibly go wrong?

Re:Anything that gets phone makers to update... (3, Informative)

Johnny O (22313) | more than 3 years ago | (#34132714)

Samsung or Sprint (I forget which) already stated that the Moment (which I am posting this from) will NOT be getting 2.2. We are STUCK with 2.1.

Re:Anything that gets phone makers to update... (1)

Anonymous Coward | more than 3 years ago | (#34132798)

2 year contract, 6 month technology cycle. Didn't you expect this? I know I did when I bought mine. Just root the sucker and put on a third party rom, which runs incredibly better anyway.

Re:Anything that gets phone makers to update... (1)

Johnny O (22313) | more than 3 years ago | (#34133918)

I came with 1.5. I was PLEASANTLY surprised they upgraded to 2.1. Lots of other phones released at the same time are going 2.2. This one was abandoned. Android 2.2 comes with tethering and Sprint doesn't want that (without fees).

Re:Anything that gets phone makers to update... (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34134030)

"I came with 1.5."

You are a serious enthusiast. I loved my first Android phone, as well as my recent one, and I plan on getting the Mytouch HD now that it has been released, but I never came; it didn't even get me hard.

Re:Anything that gets phone makers to update... (1)

jeffmeden (135043) | more than 3 years ago | (#34134672)

"I came with 1.5."

You are a serious enthusiast. I loved my first Android phone, as well as my recent one, and I plan on getting the Mytouch HD now that it has been released, but I never came; it didn't even get me hard.

You are overlooking the possibility that he is a sentient smartphone and was merely referring to the software which was preloaded at birth...

Re:Anything that gets phone makers to update... (1)

Nerdfest (867930) | more than 3 years ago | (#34132514)

Why would it? In most cases they almost seem to be of the attitude that "You bought it, now it's your problem".

Re:Anything that gets phone makers to update... (0)

4phun (822581) | more than 3 years ago | (#34133018)

Why would it? In most cases they almost seem to be of the attitude that "You bought it, now it's your problem".

It is sad to see this is the norm for the Android World. If a person isn't a Geek who can tinker with the OS without creating a brick, I recommend normal people buy Apple.

Apple has far more to lose if a problem needs to be corrected or new features need to be added. Apple is already rolling out a major firmware update to iOS4 on Sunday November 7, 2010 which fixes an alarm error on all mobile OS devices and adds one hundred new features to the iPad. The iPad has been out only seven months and look what Apple is giving those who bought the very first ones during that period.

Motorola, HTC and all the rest could take a page from Apple and take better care of their customers. Right now about 2/3 of all existing Android customers are screwed because of this researcher's ill-advised move and the indifference of many hardware manufacturers who have used Android.

Re:Anything that gets phone makers to update... (1, Insightful)

mini me (132455) | more than 3 years ago | (#34133170)

Apple might give you a few updates when you first purchase your device, but they soon stop coming too. First generation iPhone and iPod touch owners are already without the option of upgrading to iOS 4.

Re:Anything that gets phone makers to update... (1)

mcvos (645701) | more than 3 years ago | (#34133498)

Probably because the hardware is not compatible enough anymore. When technology moves as fast as this, a 3 year cycle is still better than what many other manufacturers give us. Networks expect us to get a new phone every two years.

Re:Anything that gets phone makers to update... (0, Flamebait)

rainmouse (1784278) | more than 3 years ago | (#34133744)

When technology moves as fast as this, a 3 year cycle is still better than what many other manufacturers give us.

You say that 3 years before Apple technology is obsolete and basically abandoned by its manufacturer and pretend that it's both acceptable and better than any other manufacturer? Please could you provide some kind of backup to this claim?

Re:Anything that gets phone makers to update... (1)

mcvos (645701) | more than 3 years ago | (#34133938)

How is support for the HTC G1? How many other 3 year old phones still get regular updates?

I'm not saying it's acceptable, I'm just pointing out Apple isn't any worse than any other manufacturer in this. And it's not exactly surprising, considering the networks want to sell us a phone every two years.

At the moment, the only way out of this is to make sure you own your phone, and aren't tied to a manufacturer or network to keep your phone up to date.

Re:Anything that gets phone makers to update... (1)

peragrin (659227) | more than 3 years ago | (#34134924)

HTC support their phones for 6-12 months. maybe it depends on how many units sold.

Carrier supplied phones are still using android 1.5, 1.6

Apple is literally 3 times better at old software updates than everyone else who sells phones.

Re:Anything that gets phone makers to update... (1)

rainmouse (1784278) | more than 3 years ago | (#34135220)

Apple is literally 3 times better at old software updates than everyone else who sells phones.

As I said before, please back up these claims. Without proof or some kind of source these could well just be figures plucked from thine own bunghole.

My partner's android phone with Orange has been automatically updated to 2.2, why would carriers be supplying phones using android 1.5? Again back up your claims with evidence or a link to something other than ranting on a forum please.

Re:Anything that gets phone makers to update... (1)

mcvos (645701) | more than 3 years ago | (#34135378)

My partner's android phone with Orange has been automatically updated to 2.2,

And that phone was 3 years old? I'm impressed!

Re:Anything that gets phone makers to update... (1)

peragrin (659227) | more than 3 years ago | (#34135420)

The HTC Aria came out in May/June 2 months after the official 2.2 Froyo came out.

It still isn't updated to 2.2 stock. HTC won't do it. ATT won't do it.

HTC Hero is also officially only android 2.1 with no official updates yet.

instead of being an asshole why don't you go look it up. Here is the problem, you have to look up every phone by each carrier separately to find out if an update may or may not be forthcoming. Even then half the time they refuse to list what version of android is available unless it is the latest.

If HTC can't update phones released since the official Froyo release, what makes you think they will update phones that are older than froyo?

Re:Anything that gets phone makers to update... (1)

poetmatt (793785) | more than 3 years ago | (#34134432)

really? The original android phone has no problem with froyo 2.2, the original droid has no problem with 2.2.

It's not about hardware, it's whether people are willing to make it work.

Re:Anything that gets phone makers to update... (1)

Culture20 (968837) | more than 3 years ago | (#34134904)

Apple might give you a few updates when you first purchase your device, but they soon stop coming too. First generation iPhone and iPod touch owners are already without the option of upgrading to iOS 4.

Probably because the hardware is not compatible enough anymore. When technology moves as fast as this, a 3 year cycle is still better than what many other manufacturers give us. Networks expect us to get a new phone every two years.

iPhone 2G users also didn't get security patches for the pdf security vulnerability found immediately after the iOS4 release (which was reported to work on older versions). Apple just said "3 years of security updates is enough for any computer that happens to have a phone built in".

Re:Anything that gets phone makers to update... (1)

mcvos (645701) | more than 3 years ago | (#34133494)

Motorola, HTC and all the rest could take a page from Apple and take better care of their customers.

Personally I'd appreciate it if Motorola took a page from HTC and didn't use an encrypted bootloader, so I can update the OS myself.

Re:Anything that gets phone makers to update... (4, Interesting)

cheater512 (783349) | more than 3 years ago | (#34132530)

N900 is pretty good. 3 core updates (I think) so far plus an upgrade to Meego when it is finished.
Also half the price of similar phones.

Re:Anything that gets phone makers to update... (1)

mcvos (645701) | more than 3 years ago | (#34133502)

Really? It was still $500 when I considered the N900. (I chose against it because I don't want a stylus; I want multitouch.)

Re:Anything that gets phone makers to update... (1)

Doug Neal (195160) | more than 3 years ago | (#34133988)

But the catalog of applications available is dire. Nobody is developing for it. Yes there are a few apps which are really cool, but they're the exception, and they don't have the same level of polish as you'd expect from Android or iPhone apps. And still no decent Webkit browser!

I'm dumping my N900 for an Android device as soon as I'm out of contract. Sad really because the hardware is excellent, and it had a lot of potential.

Re:Anything that gets phone makers to update... (1)

cheater512 (783349) | more than 3 years ago | (#34134214)

Erm...Why do you want a Webkit browser?
It's got essentially raw Firefox and all its capabilities.

As alternatives it has Fennec and Opera as well.

Re:Anything that gets phone makers to update... (1)

Doug Neal (195160) | more than 3 years ago | (#34134264)

Because Webkit is superior to Gecko - it's faster and it uses less memory. The built in MicroB browser is not very quick. Fennec is even worse. The GUI responses lag behind the input noticeably.

I wasn't aware of Opera being available for the N900 though, I will give it a try.

Re:Anything that gets phone makers to update... (2, Insightful)

rmcd (53236) | more than 3 years ago | (#34132670)

One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

The other problem is that hardware becomes outdated and perhaps challenging to update. T-mobile just started updating the MyTouch 3G (which I have). This is a 15-month-old phone running stock android, and I think it took them a long time because the hardware is old.

I don't think this is as trivial a problem as some of the commenters would suggest.

Re:Anything that gets phone makers to update... (1)

causality (777677) | more than 3 years ago | (#34132856)

One problem is that the phone makers insist on idiotic customizations of the android interface, so updates can take a long time because they have to update the customizations as well as the OS.

Emphasis added.

I don't think this is as trivial a problem as some of the commenters would suggest.

It's trivial because those customizations that hinder updates are idiotic. If they were important and non-essential then it would be non-trivial. As it stands, the problem is very easy to solve.

Re:Anything that gets phone makers to update... (1)

rmcd (53236) | more than 3 years ago | (#34133156)

You're right, but ...

It's easy to solve if customers demand clean implementations. I don't see that happening anytime soon. No one I know (apart from friends who are the type to read slashdot) even knows what android is, let alone the difference between "with google" and not.

Re:Anything that gets phone makers to update... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34132676)

Dude, it's Android. You can download it from Google. Quit being lazy.

P.S. - Obammy is Hillary's cabana boy. Any of you bitches still glad you voted for that inexperienced no-nothing in the primary instead of Hillary? LOL, I just listened to Donald Trump calling all of our elected officials idiots for sending jobs out of the country and then not understanding why they can't get the unemployment rate down. He's right. They're a bunch of mongoloid douchebags - the whole fucking lot of them. Especially that cunt Nancy Pelosi. Has she been running the House from Mars, because she seems COMPLETELY detached from reality?

Re:Anything that gets phone makers to update... (4, Interesting)

bhagwad (1426855) | more than 3 years ago | (#34132732)

Won't it be nice if someone sues a carrier for not providing updates because of which their phone was hacked and valuable data lost? It'll be like a wet dream come true for me :D

Re:Anything that gets phone makers to update... (1, Insightful)

khchung (462899) | more than 3 years ago | (#34133440)

Won't it be nice if someone sues a carrier for not providing updates

So you would be happy to encourage carriers to pick phones that do not have updates so they won't be liable for not providing the updates to customers?

Re:Anything that gets phone makers to update... (2, Informative)

Zarf (5735) | more than 3 years ago | (#34132786)

Motorola Droid has had every update so far.

Re:Anything that gets phone makers to update... (1)

markhb (11721) | more than 3 years ago | (#34134916)

Yeah, well, I've got the original CLIQ, which is just getting the long-awaited upgrade from 1.5 to 2.1, with very few hopes of getting an official bump to 2.2. I wonder if they can backport the WebKit fix from 2.2 into 2.1 without breaking everything in sight.

Re:Anything that gets phone makers to update... (0)

Anonymous Coward | more than 3 years ago | (#34132872)

I've never once waited for an upgrade for my BlackBerries.

1. This sh*t doesn't happen.
2. I can download the update myself, from BlackBerry, to my PC, and apply it.

Re:Anything that gets phone makers to update... (1)

zarthrag (650912) | more than 3 years ago | (#34133054)

My nexus one gets 100% pure updates through T-mobile. If I'm impatient, I can run official builds directly from google. No missing features, no custom UI elements. I'll have tethering for free while everyone else pays, and any other feature Google releases that doesn't defy my hardware.

Re:Anything that gets phone makers to update... (1)

peragrin (659227) | more than 3 years ago | (#34135248)

The Nexus 1 uses stock android though.

the majority of HTC models lag 6-12 months behind in updates simply because they have to make sure their UI updates correctly on the older hardware. It is also why HTC stops updating phones much earlier than apple does simply because it becomes far too much work for a limited group that you want to purchase new phones anyways.

Re:Anything that gets phone makers to update... (0)

Anonymous Coward | more than 3 years ago | (#34133424)

HTC were speedy to get Froyo to my Desire.

Re:Anything that gets phone makers to update... (1)

rwa2 (4391) | more than 3 years ago | (#34134374)

As an aside, does anyone know what phone makers are good about keeping updates coming?

Um, anything supported by CyanogenMOD [slashdot.org] ? I specifically shopped for a phone on their list.

Not as convenient as OTA updates, sure. But there's enough good stuff in there to make it well worth the effort to flash from 2.1 to 2.2

Re:Anything that gets phone makers to update... (1)

trcooper (18794) | more than 3 years ago | (#34135178)

HTC and Verizon have been good on the Incredible. The second update to the phone in 6 months is set to go next week. This will be a minor update to the Froyo release that went out in August / September I believe. I also expect that we'll see Gingerbread a month or two after it's released.

 

And the rest? (1)

AlanCramer (1132757) | more than 3 years ago | (#34132486)

What about the rest on versions lower than 2.2?

Re:And the rest? (0, Troll)

MichaelKristopeit162 (1934888) | more than 3 years ago | (#34132610)

"the rest on versions lower" implies that the only quoted number "32.6%" included 2.2 and above... as stated, it doesn't.

what about the percent on versions above 2.2?

Re:And the rest? (0)

Anonymous Coward | more than 3 years ago | (#34132628)

Seriously, what did you actually contribute to this discussion?
Just a brief look at your post history, I wonder what you really want to achieve in this world.

Re:And the rest? (-1, Troll)

MichaelKristopeit161 (1934886) | more than 3 years ago | (#34132704)

you're an ignorant hypocrite.

why do you cower? what are you afraid of?

you're completely pathetic.

The Response MichaelKristopeit Deserves (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#34132888)

you're an ignorant hypocrite.
why do you cower? what are you afraid of?

I cower because of niggers.

Do you like niggers? I like niggers. If you don't like niggers then you are a racist. I am so afraid, so very afraid. Of niggers.

Anyone with multiple accounts is a nigger, so of course you like niggers. Can't hate your own kind and all of that. Nigger.

Naturally, hiding your name behind "Anonymous Coward" is totally different from hiding your karma score behind a bunch of sockpuppet accounts. That last sentence was sarcasm, you hypocritical jigaboo.

Re:The Response MichaelKristopeit Deserves (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34132924)

My girlfriend is an AC. Help me reclaim my girlfriend. Are you my girlfriend?

Re:The Response MichaelKristopeit Deserves (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34132982)

My girlfriend is an AC. Help me reclaim my girlfriend. Are you my girlfriend?

If I don't like your girlfriend does that make me a sexist?

Even if it does, Thank God I'm not that fucking douche bag named Michael Kristopeit. It must take a tiny little micropenis to want to maintain that many Slashdot accounts. I guess he sets them all to notify on a message reply by e-mail and sends them all to the same e-mail address, else he'd never keep track of them all. You really have to feel sorry for him. He's the strongest argument for pro-choice that I know of. I'd call him a cunt but at least a vagina has useful purposes. I'd call him a piece of shit but a turd is capable of fertilizing a plant and therefore has a useful purpose. I really don't know what to call him. He's just a worthless sock-puppet cunt registering piece of useless shit. That's putting it mildly.

Re:The Response MichaelKristopeit Deserves (-1, Offtopic)

MichaelKristopeit162 (1934888) | more than 3 years ago | (#34133216)

ur mum's face fucking douche bag, coward.

why do you cower? what are you afraid of?

you're completely pathetic.

Re:The Response MichaelKristopeit Deserves (0, Offtopic)

MichaelKristopeit161 (1934886) | more than 3 years ago | (#34133200)

i am not hiding.

i am at 4513 brittany ct. in eau claire, wi.

you are cowering.

what specifically makes you cower?

what makes you believe anyone couldn't hate their own kind? what else is there to that? who told you that?

you're an idiot.

Apple = "Jailbreak", Android = "Risk"? (2)

TaoPhoenix (980487) | more than 3 years ago | (#34132492)

Isn't this roughly similar to the effects obtained by the earlier exploits on iOS? However, there many users' first feeling was some relief from the monolithic Apple gate system, but here on Android the spin feels more like traditional tech news.

Risk outweighs benefit (2, Insightful)

tepples (727027) | more than 3 years ago | (#34132630)

Isn't this roughly similar to the effects obtained by the earlier exploits on iOS?

Technically it is. But unless you bought your Android phone from AT&T, you have the option to put in your own command prompt through "Unknown sources". So any jailbreaks for Android are considered less necessary, and the risk outweighs the benefit.

Re:Risk outweighs benefit (2, Interesting)

the_humeister (922869) | more than 3 years ago | (#34133000)

Even if you do have an AT&T Android phone, which I do, it is still possible to use apk (a tool found in the Android SDK) to transfer programs to the phone. It's pretty simple to use too. Of course, to get rid of the crapware AT&T installs, rooting is still required.

Re:Apple = "Jailbreak", Android = "Risk"? (0)

Anonymous Coward | more than 3 years ago | (#34132678)

Yes, when something like this happens on iOS it's a security issue too. Even the jailbreak authors agree that userland exploits should be patched by Apple ASAP.

Re:Apple = "Jailbreak", Android = "Risk"? (1)

mcvos (645701) | more than 3 years ago | (#34133518)

There was that one time when a major vulnerability was presented (even here!) as a very convenient way to jailbreak your iPhone. Just visit this website!

Re:Apple = "Jailbreak", Android = "Risk"? (1)

TaoPhoenix (980487) | more than 3 years ago | (#34134276)

Yes, that especially was the one I was thinking of.

That so called Researcher should be arrested (0, Troll)

bogaboga (793279) | more than 3 years ago | (#34132532)

"A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.

How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"

Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?

Re:That so called Researcher should be arrested (1)

js3 (319268) | more than 3 years ago | (#34132538)

irony

Re:That so called Researcher should be arrested (1)

MichaelKristopeit161 (1934886) | more than 3 years ago | (#34132616)

testing security infrastructure for consenting users

Re:That so called Researcher should be arrested (1)

tepples (727027) | more than 3 years ago | (#34132620)

How can he be permitted to release something, which when used as intended, does harm to others?

For the same reason that tobacco manufacturers are permitted the same thing.

Re:That so called Researcher should be arrested (4, Insightful)

sitharus (451656) | more than 3 years ago | (#34132638)

Because we've seen from history that most companies won't patch an exploit unless it's screaming at them, and that most exploits are picked up by people who wish actual harm on you before security researchers find them.

Hopefully this will force some device manufacturers to release 2.2 updates for their devices, and with any luck it'll teach them to stick with stock android rather than loading crapware.

Re:That so called Researcher should be arrested (1)

TaoPhoenix (980487) | more than 3 years ago | (#34134292)

50% tangent, MS Security Essentials is flagging Firesheep on me, even though it's more of a security risk to *other* people. They're banking on the lowest X % being so scared to get away from the "Nice Safe Green" effect.

Re:That so called Researcher should be arrested (3, Interesting)

jhigh (657789) | more than 3 years ago | (#34132668)

"A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.

How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"

Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?

He is publishing code that can be used to exploit a vulnerability. This could be used for malicious purposes, or it could be used for security demonstrations, as an example to be taught to infosec students or any of a ton of other academic and/or security-related purposes. He is not actually using the code to do anything malicious. Please tell me exactly what statute he is in violation of? Are you saying that no one should ever publish code for exploits?

Re:That so called Researcher should be arrested (1)

cosm (1072588) | more than 3 years ago | (#34132674)

"A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.

How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"

Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?

Either you're just whooshing, or you just got whooshed by the submitter and the rest of this community.

Re:That so called Researcher should be arrested (1)

santax (1541065) | more than 3 years ago | (#34132742)

I can understand your point of view. But look at my pov. It's better to have a dude with an agenda including things such as job improvement and proof of concept releasing this than it is that Group X, with self-enrichment AND costing damage to you, releases it. It's gonna be released anyway. That's for sure.

Re:That so called Researcher should be arrested (2, Informative)

phantomfive (622387) | more than 3 years ago | (#34132802)

This is a known exploit, Google has patched it. It isn't like this is some secret thing that no one would have known about if he didn't release it; anyone who actually cares (and has the technical ability) already has the exploit. So he is not harming you really.

Typically it is considered bad form for security researchers to release exploits before informing the manufacturer. Once the manufacturer has had long enough to fix it, then it is OK to release it. Experience has shown that sometimes this is the only way to pressure manufacturers into patching it.

Another use for the code is so you can learn. I appreciate it when researchers release the code; a lot of hackers try to keep their techniques secret, and we are all worse off for it.

Re:That so called Researcher should be arrested (1)

Anonymous Coward | more than 3 years ago | (#34132912)

As the owner of a Samsung Galaxy S phone, the manufacturer Samsung has released its 2.2 version for a while. Unfortunately, since I'm under the TMobile carrier, I'm still stuck with 2.1. They said it'll be updated by the end of the year, and every time TMo makes a prediction, it usually takes another 3 months - so March 2011 for me. Why the delay? Probably to keep its bloatware and layout working.

I'll be lucky if I don't lose my data by then.

Re:That so called Researcher should be arrested (1)

phantomfive (622387) | more than 3 years ago | (#34132932)

You won't lose your data. The exploit doesn't allow full access to the phone. Still, you ought to have a backup of all that data anyway, in case your phone gets run over by a truck.

Re:That so called Researcher should be arrested (1)

BrokenHalo (565198) | more than 3 years ago | (#34133178)

...in case your phone gets run over by a truck.

That isn't as silly as it sounds. I drove my tractor (twice - forwards and backwards) over my Motorola Razr2 V9 a few months ago. Funny thing is, although the phone looked a bit of a mess, it was still working after that. I guess that qualifies as an endorsement. :-}

Re:That so called Researcher should be arrested (1)

RMH101 (636144) | more than 3 years ago | (#34133688)

I was tempted on several occasions to drive over my old RAZR, or throw it out of the window. I always thought that Moto's hardware designers might have put some extra effort into the robustness of the handset given they knew what software was going to end up on there...!

Re:That so called Researcher should be arrested (1)

BrokenHalo (565198) | more than 3 years ago | (#34133766)

Agreed about their software. But I don't use the device for much more than making calls and sending text messages, for which it's adequate. That handset is really beginning to flake out now, so I'll have to take a look at the competition. Yes, I am still using it - in a way, it's kind of cool to have a phone that has been so extensively abused. ;-}

Re:That so called Researcher should be arrested (0)

Anonymous Coward | more than 3 years ago | (#34132806)

Stop being retarded. Code doesn't do any damage, like books don't do damage. It is the application of that knowledge in certain ways that does damage.

No code release is necessary, just research what API call is broken and how. The purpose of such information is to fix the bug and allow for users to mitigate the attack vector, if possible. Without this information, only black hats can steal your information without you even being aware it was possible.

Or are you saying that gun owners, manufacturers and designers and people that write books on how guns work should immediately be arrested, because guns' *sole purpose* is to kill things? After all, that is what you just wrote.

Re:That so called Researcher should be arrested (0)

Anonymous Coward | more than 3 years ago | (#34132902)

"A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet. The attack targets the browser in older, Android 2.1-and-earlier versions of the phones.

How can he be permitted to release something, which when used as intended, does harm to others? This is insane...and he does it "in the light of day!"

Other tools that folks have used to harm others have dual use...but for this code, I do not see any use save for harm. What am I missing?

I don't have any points. Mod parent troll/flamebait. Obvious troll is obvious troll.

Welcome to the community (1)

gmuslera (3436) | more than 3 years ago | (#34132658)

Thomas A. Anderson is specialized in killing Agents, John Connor in killing Terminators, and now M.J. Keith kills Androids... that comes just in time when Hollywood was running out of ideas for a new movie.

Re:Welcome to the community (1)

jokermatt999 (1536127) | more than 3 years ago | (#34135310)

They already had a guy for that; he was played by Harrison Ford.

Misleading Headline (1)

Farmer Tim (530755) | more than 3 years ago | (#34132690)

I read the headline and immediately thought a mad scientist was about to unleash an army of things resembling a cross between Spiderman and the Terminator, and we should all cower in terror in our makeshift basement bunkers awaiting our inevitable destruction.

But TFA revealed it's just a smartphone hack.

All we need is a brand of toilet paper called "Flying Car" and my disappointment with the 21st century will be complete.

Ratings (1)

tpstigers (1075021) | more than 3 years ago | (#34132694)

Headline = 1,000,000 points. Copy = I don't know - about a dozen points. Maybe.

.. SE Users will suffer most .. (0)

Anonymous Coward | more than 3 years ago | (#34132894)

.. as usual .. SE will NOT release timely android updates - and we will suffer because of this .. uggh ..

Class Action Lawsuit? (3, Insightful)

JSBiff (87824) | more than 3 years ago | (#34132962)

I wonder if there is any law which covers this sort of situation. The original G1 was only released like 3 years ago - not really very old, but T-Mobile has completely abandoned owners/users of the G1 and is not providing any additional updates.

Honestly, I blame Google. From day 1, it should have been mandatory that OS updates would come from Google, forever. Carriers don't give a crap about keeping users in updated code once the phone is sold. To them, it's just a device which comes in a box, gets sold, and if it becomes 'obsolete' within 2 years, well that's just another box they can sell you in 2 years.

It's absolutely inexcusable that a programmable, Internet enabled device of the complexity of a G1 should not have guaranteed security updates for the included software, for a minimum of 10 years.

Re:Class Action Lawsuit? (2, Interesting)

getto man d (619850) | more than 3 years ago | (#34133038)

Google and the hardware manufacturers are both to blame; Google (for the reasons you stated) and the manufacturers for adding in their 'own' elements departing steadily from vanilla android.

I've seen many comments on /. how Android is amazing, especially since it is fragmented (linux and windows arguments) but this is the worst possible case for the mobile platform, IMHO. Unless of course you don't mind upgrading your phone every 'x' amount of years. Some of us don't have the spare $$ and truly want a device that is current without modding.

Re:Class Action Lawsuit? (0)

Anonymous Coward | more than 3 years ago | (#34133646)

Android 2.0/2.1/2.2 absolutely did not, will not, and could not run on the G1 without major substantial modification. T-Mobile provided the last update before that, 1.6 (Donut). Even CyanogenMod have yet to release an equivalently stable update for 2.0+ on the G1 - and some features, like Live Wallpapers and Navigator, will never work acceptably because of h/w limits. Plus Cyanogen changed so much it honestly can't be called 2.2 anymore (different launcher, kernel etc).

Re:Class Action Lawsuit? (1)

JSBiff (87824) | more than 3 years ago | (#34134436)

I accept that the G1 can't do all the things that phones with faster CPUs, more RAM, and more flash memory can. I'm not talking about updates to the latest-greatest version of Android. I mean simply fixes for things like this exploit - Google might say that upgrading the entire OS might fix the problem, but they should also be prepared to offer *small* OTA fixes for older versions of Android to address problems just like this, and the carriers need to get those fixes out to the handset owners. Fix the kernel, if it needs it, or .so libraries, or dalvik class files which have specific problems.

I just want my phone to be able to keep working at the level it was originally sold at, but an exploit like the one discussed in this article could potentially brick my phone (or, if my phone becomes 'owned' and I can't clean it, I'll be forced to stop using it even if it technically still works, so it would *effectively* be bricked, from my standpoint).

Re:Class Action Lawsuit? (0)

Anonymous Coward | more than 3 years ago | (#34133844)

Requiring mandatory OS updates how?

By their contract with the carriers? Do they have such at all? If they do, I'm sure the carriers would cook their own Android without signing any contracts in the first place, if Google started to require too much.

By their license? This would make Android non-free, which would kinda kill the point.

Re:Class Action Lawsuit? (1)

Psiren (6145) | more than 3 years ago | (#34134096)

10 years support for a phone is never going to happen, and it shouldn't. A ten year old device like that would be hopelessly outdated. Even something 2 years old looks pretty pathetic nowadays. They should however be forced to provide updates for the duration of your contract. I know mobile contracts over in the US are pretty fucked up, but here in the UK my current phone is on a two year contract. I just got the update to 2.2 yesterday, but I've still got another 20+ months of contract to run. That's certainly going to cover 2.3, and probably the next version too. I really would like to know that I can have those updates when they're made available.

Re:Class Action Lawsuit? (2, Interesting)

Woek (161635) | more than 3 years ago | (#34134148)

One of the selling points of the Google Nexus One phone was direct support from Google, and therefore the quickest updates. The phone is quite a bit more expensive than the HTC desire/incredible, which is practically the same phone.

Re:Class Action Lawsuit? (2, Interesting)

TimTucker (982832) | more than 3 years ago | (#34134532)

This was also a selling point of the ADP1 (basically the developer version of the G1). Some of us did shell out early for an unsubsidized Android phone with the expectation that it would be directly supported by Google.

Re:Class Action Lawsuit? (0)

Anonymous Coward | more than 3 years ago | (#34134194)

From what I understand, the G1 doesn't have the hardware specs to run later versions of Android.

Could be wrong, but pretty sure I read that.

Re:Class Action Lawsuit? (0)

Anonymous Coward | more than 3 years ago | (#34134244)

Did you see the acrobatics that went into getting Froyo to run on G1/MyTouch? Up until T-Mo released their OTA the Cyanogen version was complete garbage. It really barely fits and the phone can barely handle it performance-wise. It can't do live wallpapers, it shouldn't do 3D gallery, it makes programs like Swype nearly unusable. It's a stretch. Gingerbread won't run on older phones, period. So says Google. Hardware gets old fast.

Take a 10 year old computer (hint: 500 mhz and 128 megs ram was good) and try to install the latest ubuntu release and see how well that runs.

Google should have sold way more Nexus Ones (0)

Anonymous Coward | more than 3 years ago | (#34134046)

I don't understand why it is so difficult for people to see the advantages of being "The One" phone officially from Google - Unfortunately this is the reason Google stopped selling phones in its own online store.

And the fixes are available... (0)

Anonymous Coward | more than 3 years ago | (#34135302)

And the fixes are available from whom? Where? When? Is Google washing their hands of their crummy product development? Does Google think that because time has passed since they blew it, that their mistakes are trivialized?

Google is more than evil. BTW, don't use Google DNS or every page you visit will become copied by Google, regardless if there is a link to it from any website or not. Google is EVIL. And they will NOT stop downloading even when requested to do so.
