Android Security Hole of the Week: Researchers ID New, Severe DoS Attack
A group of Italian security researchers have discovered a new Android Denial of Service (DoS) attack that can render Google smartphones and tablets useless in a matter of minutes, making it the most severe Android DoS attack ever identified.
CIO Knowledge Space
By Al Sacco, Managing Editor, CIO
This week’s Android security hole of note is a newly discovered flaw in all versions of Google’s Android OS for that could let Bad Guys execute Denial of Service (DoS) attacks and disable users’ smartphones and tablets in two minutes or less.
The “previously unknown” exploit was identified by a handful of Italian professors and security researchers representing the Artificial Intelligence Laboratory at the University of Genoa, Italy, and it supposedly “allows a malicious application to force the system to fork an unbounded number of processes…thereby mounting a Denial-of-Service (DoS) attack that makes the device totally unresponsive. Rebooting the device does not necessarily help as a (very) malicious application can make herself launched [sic] at boot-time.”
The exploit was tested and verified on a number of devices including Samsung’s Galaxy S and Galaxy Tab 7.1, LG’s Optimus One and the HTC Desire HD, according to the researchers. The group has reportedly notified Google of the security flaw, and the hole will be patched, using one of the fixes described in the research paper, in an upcoming Android software update.
From the research paper:
“[W]e presented a previously undisclosed vulnerability on Android devices which is the first vulnerability on Android that leads to a DoS attack of this severity. We also developed a sample malicious application, (i.e. DoSCheck) which exploits the vulnerabilities, and we proposed two fixes for securing the Android OS against the vulnerability. We reported such vulnerability to Android security team which will include a patch in an upcoming update of the Android OS. Furthermore, we plan to publicly release both DoSCheck code and patched systems in the very near future, accordingly with a responsible disclosure policy we are discussing with Android group and Open Handset Alliance.”
Last week, I wrote a post on how I think modern Android security is a real issue, despite recent remarks from “security experts” who suggest the threat is overhyped and merely the product of security-software makers trying to hock their wares. While this latest threat has not been acted upon by hackers or other attackers, at least that I know of, it, along with the various other Android security flaws reported in this blog in recent weeks (1, 2, 3), represents a big ol’ bull’s eye on the Android OS. And it’s only a matter of time before a Bad Guys discovers a major Android flaw and puts it to misuse before a researcher who’s only seeking recognition.
Al Sacco was a journalist, blogger and editor who covers the fast-paced mobile beat for CIO.com and IDG Enterprise, with a focus on wearable tech, smartphones and tablet PCs. Al managed CIO.com writers and contributors, covered news, and shared insightful expert analysis of key industry happenings. He also wrote a wide variety of tutorials and how-tos to help readers get the most out of their gadgets, and regularly offered up recommendations on software for a number of mobile platforms. Al resides in Boston and is a passionate reader, traveler, beer lover, film buff and Red Sox fan.