Stagefright: new Android vulnerability dubbed ‘heartbleed for mobile’

A major security flaw in Android lets an attacker take control of a phone simply by sending a text message – and for the vast majority of Android users, there’s no fix available yet.

Even the small number of people using Google’s own line of Android phones, sold under the Nexus brand, are vulnerable to some effects of the bug, according to Joshua Drake, the researcher who discovered the flaw.

The weakness affects a part of the Android operating system, called Stagefright, that lets phones and tablets display media content. A maliciously crafted video can be used to deliver a program which will run on the phone as soon as it is processed by Stagefright, potentially letting an attacker do anything from read and delete data to spy on the owner through their camera and microphone.

Worse, Google’s messaging app Hangouts automatically pre-processes videos when they’re received to cut down the delay if the user wants to watch them straight away. That means that if the video is sent as an MMS message, it can take over the phone “before the sound that you’ve received a message has even occurred,” Drake told NPR.

Even with Android’s default messaging app, all the user has to do is view the message to trigger the Stagefright vulnerability. In neither case does the user actually have to play the video in order to be the victim of the hack. But in newer versions of the Android operating system, Google says that users are protected from the worst effects of the bug.

Chris Wysopal, the chief information security officer for app security specialists Veracode, called the flaw “Heartbleed for mobile”, referring to the widespread bug that put hundreds of thousands of websites at risk of hacking in April 2014.

Wysopal said bugs that severe “are exceedingly rare and pose a serious security issue for users”.

Drake revealed details of the bug to Google in April, and provided the company with patches for the errors – in theory, enough to ensure that users are never put at risk from the bug. He negotiated a 90-day embargo before he went public, giving the company a long headway to ship a fix to users (Google’s in-house security researchers, Project Zero, apply the same 90-day warning to other vendors when they find bugs in products from companies such as Apple and Microsoft).

But the coder’s revelation has also highlighted a long-standing security problem with Android, which is the speed with which fixes for software errors filter down to end users. Google, which makes the Android operating system, has no power to push patches to the vast majority of Android phones that are produced by other companies such as HTC, LG or Samsung, and those companies frequently have to negotiate with mobile network operators to send patches to the end user.

On top of that, only the newest Android phones receive patches, which means that the Stagefright bug – which affects the Android operating system all the way back to 2010’s version 2.2 – may never be fixed for a huge number of phones still in use.

Veracode’s Wysopal said that “it will be very interesting to see how Google responds to this. They’ll have to drive the patch quickly and in a manner that impacts every affected device at the same time. Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch.

“This would leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that would impact any device. We’re likely to see Google force down a tool that addresses the vulnerability for everyone.”

In a statement, Google said: “This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.

“As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.”
