At the Black Hat security conference this morning, Adrian Ludwig, Google’s lead engineer for Android security, assuaged fears about the recent Android Stagefright vulnerability reported to affect nearly a billion Android devices.
The surge in interest in the Stagefright vulnerability was precipitated by the Black Hat security conference taking place in Las Vegas. It began when Joshua Drake – security analyst with Zimperium who discovered the vulnerability – tweeted about it to promote his Black Hat talk about his discovery, pointing to his place on the conference schedule. A few days after the tweet, Drake gave an interview about the Stagefright vulnerability to National Public Radio (NPR). It was subsequently reported in Forbes, Fortune and Wired, followed by a deluge of related stories across the tech blogosphere.
Drake had reported the vulnerability to Google in April. As Drake told NPR, “Within 48 hours I had an email [from Google] telling me that they had accepted all of the patches I sent them, which was great." Drake also confirmed Google’s assessment, stating “[he] does not believe that hackers out in the wild are exploiting it.”
Members of the computer security industry generally adhere to a policy of responsible disclosure, under which a vulnerability is kept confidential to give the software vendor time to patch it. Researchers also recognize a responsibility to disclose a vulnerability publicly if they judge the risk to be great or the vendor has not patched it promptly.
[Related: Black Hat 2015: Cracking just about anything]
According to Google’s Ludwig, though, and contrary to what was reported by other media outlets when news of Stagefright first broke, 90 percent of Android devices run with Address Space Layout Randomization (ASLR), a defense that makes reliable exploitation of memory-corruption bugs such as buffer overflows far harder. Messenger, Google’s SMS app that was reported as the delivery path for a Stagefright exploit, will be updated to mitigate the risk posed by a video carrying malicious data.
Google also confirmed via email that the vulnerability “was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected.”
Ludwig said that this fix and further safeguards will be pushed to all Nexus devices starting today and Google has already sent the fix to the company’s partners. Ludwig said that many of the most popular Android devices will get the update in August.
Today’s update marks the beginning of a regular monthly cycle of over the air (OTA) updates to Nexus devices that are purely focused on security to keep users safe. Google’s partners will receive the corresponding source code updates each month for inclusion in similar OTA updates.
Buffer overflow what?
The Android Stagefright vulnerability falls into the category of a traditional buffer overflow. Buffer-overflow exploits have long been a staple of attacks against every kind of computing device; they have been studied extensively by university and commercial security researchers, and many different defenses have been formulated.
A posting on stackexchange.com describes the Android Stagefright problem:
“[i]t appears that certain fields in 3GPP video metadata are vulnerable to buffer overflow attacks. In short, a 3GPP video can be given a string of metadata that, at first, exceeds a certain length, and in the end includes machine code that lands in memory that is off-limits to the application.”
In a buffer overflow, more data is written into a fixed-size buffer than it can hold, so the excess spills into adjacent memory, such as a return address, a function pointer or a neighboring heap object that controls what code runs next. In this case, the overflow occurs when a video carrying malicious data is received by the default Android MMS and Hangouts messaging apps; by default, the video is downloaded automatically on arrival, so the malicious file is parsed without the user ever opening the message. The vulnerability is named after the Stagefright media framework, introduced in Android 2.2, which handles local file playback and HTTP progressive streaming.
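To make the mechanism concrete, here is an added example written for this article; it is not code from the article, from Zimperium or from Android’s Stagefright library. It parses a toy length-prefixed metadata field of the kind the StackExchange description refers to: the record layout (a 4-byte big-endian length followed by that many bytes of text) is an assumption made for illustration and not the real 3GPP/MP4 box format. `parse_field_unchecked` trusts the length the file itself declares and copies that many bytes into a fixed 32-byte buffer, which is the overflow; `parse_field_checked` rejects any length that does not fit the buffer or exceeds the bytes actually present. The `canary` field placed right after the buffer only exists so the overrun is visible; in a real parser the clobbered neighbor would be a pointer or a return address.

```c
/*
 * Added example (not the article's or Android's code): a toy parser for a
 * length-prefixed metadata field. Record layout is an assumption for
 * illustration: 4-byte big-endian length, then that many bytes of text.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32

/* Destination buffer with a "canary" immediately after it, so the overrun
 * in main() can be observed. In real code the neighbor would be a pointer,
 * a length field or a saved return address. */
struct field_dest {
    char buf[FIELD_MAX];
    uint32_t canary;
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE: copies as many bytes as the (attacker-controlled) record
 * declares. Nothing bounds 'len' by the destination or by 'rec_len', so a
 * large declared length writes past buf (overflow) and reads past the
 * record (over-read). Some toolchains' fortified memcpy abort here instead
 * of silently corrupting memory; that is a mitigation doing its job. */
int parse_field_unchecked(const uint8_t *rec, size_t rec_len,
                          struct field_dest *d) {
    if (rec_len < 4) return -1;
    uint32_t len = read_be32(rec);
    memcpy(d->buf, rec + 4, len);
    return (int)len;
}

/* HARDENED: returns -1 and copies nothing unless the declared length fits
 * the destination (with room for a NUL) and is actually present in the
 * record. Otherwise returns the number of bytes copied. */
int parse_field_checked(const uint8_t *rec, size_t rec_len,
                        struct field_dest *d) {
    if (rec_len < 4) return -1;
    uint32_t len = read_be32(rec);
    if (len > FIELD_MAX - 1) return -1;   /* would not fit in buf */
    if (len > rec_len - 4) return -1;     /* truncated record: over-read */
    memcpy(d->buf, rec + 4, len);
    d->buf[len] = '\0';
    return (int)len;
}

/* Build a constructed record (test data, not a real media file) that
 * claims 'claimed' bytes and actually carries 'present' bytes of 'A'.
 * Returns the record size, or 0 if it does not fit in 'out'. */
size_t make_record(uint8_t *out, size_t out_cap, uint32_t claimed, size_t present) {
    if (present + 4 > out_cap) return 0;
    out[0] = (uint8_t)(claimed >> 24);
    out[1] = (uint8_t)(claimed >> 16);
    out[2] = (uint8_t)(claimed >> 8);
    out[3] = (uint8_t)claimed;
    memset(out + 4, 'A', present);
    return present + 4;
}

int main(void) {
    uint8_t rec[128];
    struct field_dest d;

    /* Benign record: a 5-byte field. Both parsers behave identically. */
    size_t n = make_record(rec, sizeof rec, 5, 5);
    memset(&d, 0, sizeof d);
    d.canary = 0xDEADBEEF;
    parse_field_checked(rec, n, &d);
    printf("benign:    field=\"%s\" canary=%08x\n", d.buf, d.canary);

    /* Malicious record: claims 36 bytes, 4 more than buf holds, so the
     * copy runs exactly over the canary that follows the buffer. */
    n = make_record(rec, sizeof rec, 36, 36);
    memset(&d, 0, sizeof d);
    d.canary = 0xDEADBEEF;
    int rc = parse_field_checked(rec, n, &d);
    printf("checked:   rc=%d canary=%08x (rejected, canary intact)\n", rc, d.canary);

    d.canary = 0xDEADBEEF;
    parse_field_unchecked(rec, n, &d);
    printf("unchecked: canary=%08x (overwritten with 'A' bytes)\n", d.canary);
    return 0;
}
```

Run with `-fsanitize=address` to see the over-read reported as well; the intra-struct overwrite of `canary` is the kind of corruption that ASLR, stack canaries and fortified `memcpy` exist to turn from silent control-flow hijack into a crash.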
Google’s early warning system
Google monitors for potentially harmful apps on Android devices and on the Google Play Store as an early warning of malicious exploits in the Android ecosystem, in much the same way that the Centers for Disease Control and Prevention (CDC) monitors disease outbreaks.
[Related: HP: 100% of smartwatches have security flaws]
At the heart of Google’s early warning system is Verify Apps, a module that checks app installs for malware and runs hundreds of millions of antivirus-style scans every day, searching for code and app behaviors that could potentially be malicious. This lets Google (like the CDC) respond proportionately to threats.
Drake reported that a malicious video automatically downloaded by the Messenger app could get attacker-supplied code executed. Google’s Ludwig pointed out in a post to his Google+ page that the ability to corrupt memory through a bug does not by itself mean an attacker can cause harm, because modern operating systems carry many defenses against buffer-overflow exploitation, such as ASLR, which hides the addresses an exploit needs to land its code.
These defenses, and Google’s report that no exploit of the vulnerability had been detected on any consumer smartphone, do not reduce its seriousness. Ludwig told NPR that he ranked its severity "high" on the Google security team's hierarchy, which precipitated this morning’s announcement.
Does Android bring inherent risks?
The vulnerability does underscore a disadvantage of Android’s open source strategy. The open source approach succeeded in broad proliferation of Android, creating a large and diverse ecosystem of hardware makers. Because apps ship as platform-independent bytecode that the runtime compiles on the device (Dalvik’s Just in Time (JIT) compiler, and from Android 5.0 the Android Runtime, ART), Android and all its apps run on many different hardware designs without the involvement of Google’s Android development team.
Other than the Nexus mobile devices sold through the Google Play Store, though, Google can’t directly update Android over the air. Google is dependent on the hardware makers to update their devices, and, in turn, the hardware makers are sometimes dependent on the mobile carriers to pass through the updates. In contrast, Apple can update its devices more quickly because it controls all the hardware and all the software. Does that mean that Android is at greater risk for security exploits? We don’t know. Android is an open source project. Security researchers as well as cybercriminals are drawn to read the source code, for different reasons: one to protect, the other to compromise. Android exploits receive a lot of attention because its openness makes it good subject matter for commercial and academic security research. Other platforms such as iOS aren’t as accessible, so they aren’t as frequently discussed.
But no one knows the relative safety of the three different mobile platforms: iOS, Android or Windows 10 Mobile. Google has been reporting Android malware figures since the Virus Bulletin conference in 2013. Beginning this year, Google began to comprehensively and quantitatively report on Android’s safety. The Android Security 2014 Year in Review [pdf] breaks down the frequency and types of Android exploits, and puts the share of devices using the Google Play store that have any kind of potentially harmful app installed at fewer than 0.15 percent. Apple and Microsoft don’t report exploits affecting their platforms, making comparison impossible.