Certifi-gate: Another Huge Android Vulnerability

An anonymous reader writes: Security research firm Check Point has released information about a new vulnerability called Certifi-gate, which they say compromises the security of hundreds of millions of Android devices. The flaw exists within the mobile Remote Support Tools, which are intended to enable screen sharing and simulated taps for tech support purposes. Unfortunately, the way mRSTs validate the remote operator is easy to exploit. Because the software is designed to allow both monitoring of a device's screen and simulated input, the potential for misuse is quite serious. The flaw was disclosed to manufacturers a month ago. HTC, for one, has confirmed it is already starting to roll out a fix.

Enough

[nmb3000]

Certifi-gate

Okay, y'all have had your fun. Enough of this bullshit.

Re:

[Adriax]

Still waiting for "NAND-Gate", where some big flash memory manufacture is caught using another companies designs or something.

Re:

[plover]

Certifi-gate III: Oh hell no!

Re:

[rossdee]

agreed
Watergate was a hotel, thats no reason to have the -gate suffix to mean a scandal

And while we are at it, Marathon was a place as well, so theres no need for the charitable -athons

Re:Enough

[GNious]

yeah, with all the -gate names, it's as if they're having a gate-athon.

Re:

[BasilBrush]

Reason? Language isn't defined by reason. It's evolution. If a word form is popular enough to survive, then it's part of the language. Even if it's entirely unreasonable.

Re:

[znrt]

agreed
Watergate was a hotel, thats no reason to have the -gate suffix to mean a scandal

agreed, 'scandalon' means a stumbling block, that's no reason to use it to refer to human moral misery.

Re:

[DustPuppySnr]

https://www.youtube.com/watch?... [youtube.com]

Re:

[antdude]

I'm waiting for /.gate. ;)

Re:

[wardrich86]

Let's work to end this crap. We'll call our movement Gate-gate.

Confused

[koan]

Why is it HTC's responsibility to patch it? Why not a global patch from Android.

In addition if a car manufacturer knows there is a serious issue with a car and doesn't recall, they are liable for the accidents that happen.
Why aren't software corps held to a similar standard if security researchers have informed them of the bug.

Re:Confused

[Joe Gillian]

It's not HTC's responsibility to patch all devices. Each manufacturer has a different hardware configuration and usually runs their own "flavor" of Android - HTC's version of Android is different from Samsung's, which is different from Google's. It's not simply a case of Google saying "fix it" and shipping patches to every single Android device out there. Google doing that would be like the Debian group trying to ship Debian patches to Ubuntu - it wouldn't work.

HTC is merely saying "We're stepping up as soon as possible to patch devices that originated from us, starting with the HTC One M9."

Re:

[93 Escort Wagon]

There are multiple manufacturers of Windows phones - does Microsoft not push patches directly?

Re:

[qubezz]

Yes, Microsoft does update the OS directly without carrier interference when you opt to get insider updates or simply root your phone's registry to masquerade as another device on another carrier. The firmware component still goes through considerable lag and has greater delays, but it is possible to get a Nokia phone and flash it with a de-branded ROM when available for your model and be completely carrier bloat free.

Re:

[93 Escort Wagon]

That's what I thought. So why does everyone give Google a pass on this? They're the ones who designed the system.

Re:

[BitZtream]

yet most people will associate Android as the problem rather than the custom builds.

It is an 'Android problem'. Android's wild west landscape of everyone hacking it up however they want is exactly why its a mess.

iPhone's get updates because Apple told the carriers THEY were providing updates and the Carrier's have to keep their grub hands the fuck out of it or they don't get the iPhone.

Google said 'yea, do whatever you want, we don't care just make sure you snare people into using our spyware' and the result is every carrier installs a bunch of buggy crap, every one behaves in new unexpec

Re:

[swillden]

It's not simply a case of Google saying "fix it" and shipping patches to every single Android device out there. Google doing that would be like the Debian group trying to ship Debian patches to Ubuntu - it wouldn't work.

Especially since in this case Google had nothing whatsoever to do with the problem. This one is entirely a consequence of OEMs adding insecure extensions to the base platform Google provides. Insecure extensions with root privileges, basically.

Re:

[account_deleted]

Comment removed based on user account deletion

That is confusing, who is "Android"?

[SuperKendall]

Why is it HTC's responsibility to patch it? Why not a global patch from Android.

Who is "Android"? Do you mean Google?

If so, why should they be responsible - after all, HTC is the one who took a build of Android and customized it for your phone.

In fact between HTC and Google, really HTC *should* be responsible since they are the ones that customized it in a way that you could not just take straight patches from Google.

The problem is of course, that none of the phone makers are serious about security at all (they are making noises, but I'll bet it's just to placate the howling internet). So not only do they not patch Android themselves, they don't want to do the work to even fold in the fixes Google makes.

What would be refreshing is to see a handset maker that really took ownership of the whole system. Sure they would build on Android to start, but they could do so much more - they could have their own security QA team looking for problems, fixing what they found and responding to security vulnerabilities even faster than Google.

They could contribute that work back to Google even, safe in the knowledge it wouldn't even help competitors since they are unable to incorperate Android patches.

Samsung *could* be that company. It's a mystery to me why they are not... they also are making noises about being serious about security but there has been so much hot air in the past around Google and phone makers cooperating "for real" that I refuse to take any statement at face value.

Re:

[Zero__Kelvin]

"Who is "Android"? Do you mean Google?"

Clearly, you'd be confused even without the confusing statement. He means the Open Handset Alliance [openhandsetalliance.com]. Google is in charge of Google Apps. They are not the controlling and directing interest behind Android (though Android certainly started at Google)

"What would be stupid, and counter to the whole point of an open software ecosystem is to see a handset maker that really took ownership of the whole system. "

FTFY. To use a little word play with a popular a saying: "The

Re:

[viperidaenz]

Except Google didn't start Android, they bought it...

Re:That is confusing, who is "Android"?

[swillden]

really HTC *should* be responsible since they are the ones that customized it in a way that you could not just take straight patches from Google.

It's even more than that, since the security vulnerability in this case was added by HTC. There are no remote support tools in the base Android platform, and therefore no insecure remote support tools.

No Nexus devices have this problem.

Re:

[qubezz]

There are many different backdoors in Android phones, I deodexed my rooted phone and killed off many carrier and vendor (and law enforcement) malware and remoting apks (the kind otherwise hidden and permission-locked) that operate over data, sms and phone connections, but it's almost impossible to know what still is in there in the baseband and core modules unless you have your own cell tower and fuzz everything they can send you. I consider my smartphone permanently rooted, easy to hack, and act accordingl

Re:

[BitZtream]

If so, why should they be responsible - after all, HTC is the one who took a build of Android and customized it for your phone.

Well in this SPECIFIC case, its HTC software, not Android and not Google software that is insecure, so it truly isn't Googles fault.

However, this is a rare case where its HTC/Samsung/Whoever rather than Google. Google on the other hand in most cases is the culprit, and you're not even aware of who's fault it actually is anyway. So lets continue this under the original premise that this is Google's flaw.

Google bought Android and sold it to these manufactures as something they could modify and customize ...

Re:

[drinkypoo]

Why is it HTC's responsibility to patch it? Why not a global patch from Android.

That's an easy one. It's not possible to make a global patch to fix many kinds of vulnerabilities in Android, because there is too much variation between devices. In the case of the libstagefright vuln, libstagefright is custom to GPUs. In the case of this hole, FTFA:

Vulnerable components of these 3rd party mRSTs are often pre-loaded on devices or included as part of a manufacturer or network providerâ(TM)s approved software build for a device. This creates significant difficulty in the patching proce

Re:

[Zero__Kelvin]

"Why is it HTC's responsibility to patch it? Why not a global patch from Android."

Oh wait! I know this one! Because there is no company or organization called "Android" behind the Android platform!

"In addition if a car manufacturer knows there is a serious issue with a car and doesn't recall, they are liable for the accidents that happen. Why aren't software corps held to a similar standard if security researchers have informed them of the bug."

Oh wait! I know this one too! Because people don't die when

Re: Confused

[koan]

I bought it on eBay?

U mad bro...

Re:

[Zero__Kelvin]

"I bought it on eBay? ... U mad bro..."

I actually believe that given your obvious lack of knowledge of even the most basic high technology combined with your juvenile use of the letter U as a substitute for an actual word ... and no, ignorant douchebags who use the non-phrase "U mad bro" don't make me mad; they give me a reason to laugh. I am curious though ... why would I be mad that you are an idiot?

Re:

[WoOS]

Because it is a vulnerability NOT in Android but in 3rd party remote control software installed by HTC. Please RTFA.

Vulnerable components of these 3rd party mRSTs are often pre-loaded on devices or included as part of a manufacturer or network provider’s approved software build for a device.

For your car analogy: If "TurboTuning Inc." broke your Chevy while trying to make it able to go 200 mph, would you sue Chevrolet to fix it? Well, obviously in the U.S. ....

I wish

[bobstreo]

I wish the phone I use was running something newer than 2.3.4.

HTC updated it ONCE.

It still works fine, but I probably need to get a new phone.

Re:

[Noah Haders]

one long word: Cyanogemod

quoting the comment above [slashdot.org]: oh hell no!

Re:

[viperidaenz]

+n

Comment removed

[account_deleted]

Comment removed based on user account deletion

Android update weakness

[mcrbids]

I have a pretty decent phone. A flagship phone that's now 3 years old, the Moto Razr Maxx HD [engadget.com]. It's a bit long in the tooth, but it still has a sharp, bright screen, decent battery life, and while it's not lightning fast, it does everything I need smoothly and comfortably.

But Moto doesn't sell it anymore. I'm pretty sure it's EOL anymore, which probably makes me SOL.

But it keeps chugging on, and as a consumer, shorting of reading tech sites like /., I would never know that there's any problem at all. Meanwhile, my security keys are being lifted, my email passwords are stolen, and somebody's posting Donkey pictures on my Facebook account and I have no idea how or why.

But, even if I *weren't* SOL, there's the issue that, while my Linux laptop gets updated daily, and my Windows laptop gets updated weekly, my phone gets updated (perhaps) a few times per year.

See the problem, yet? We're seeing just the bare beginning.

The bright boys at Google need to figure out a way to update Android and bypass the carriers, or at least, provide a side-channel way to roll out security updates, or their whole ecosystem will collapse in an orgy of viruses and malware.

For my next phone, I just might make sure I can run Cyanogenmod on it, if for no other reason than the hope of getting security updates in a reasonable timeframe. [cyanogenmod.org]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[viperidaenz]

Looks like it's going to be monthly for Android
http://www.wired.com/2015/08/g... [wired.com]

Re:

[tlhIngan]

Looks like it's going to be monthly for Android

For what phones?

I mean, remember, Samsung released 2-3 phones a week (and a tablet a week) - around 120-odd phones and 54 different tablets in 2014 alone.

Are you telling me that every month Samsung is going to issue the better part of 200 software updates? Or more likely, they're just going to update maybe 5 of those phones monthly and the rest are screwed?

LG isn't quite so bad, but they're still a large number of their phones out there.

Re:Android update weakness

[gTsiros]

You think you have it bad? My barely two year old xperia z ultra, another "flagship", has already been pretty much abandoned, after releasing a half-assed update to lollipop with many bugs introduced which make you question if they even *have* a QA department (tapping the alarm icon in the status bar, for example, fails to open the alarm app... as it does in kk), I assume to please the masses.

Their "user forums" are filled with idiots who either can't use their phones or poor sods who face actual problems but more often than not are asked to do a factory reset.

Android had such potential, but google knly needs it to be popular for ad views thus it has become a shit operating system, development cycle and "ecosystem" in general.

Re:

[gTsiros]

nevermind, they are rolling out 5.1 for the z ultra these days

maybe there is hope for sony after all

Re:

[phantomfive]

Unix? I've tried it a few times. Twice have the updates from the official store

Official store? There is no official store for Unix.

screwed the video drivers requiring some arcane knowledge to fix.

Arcane knowledge? If it screwed the video drivers, that means you probably were using proprietary drivers, and the 'arcane knowledge' was "download the driver from NVidia and run the installer."

Re:

[AmiMoJo]

Fortunately you don't need to worry about this one. It only works if you first install a malicious app, and you can bet that Google can easily scan for and block such apps from Play. In fact even if you install from outside the play Play store, Google will scan the binary anyway dit known exploits.

You phone is fine, no need to panic. The story vastly exaggerates the danger in order to sell some crappy anti virus software you don't need.

More line an advertisement than a factual story!

[Dr_Marvin_Monroe]

This should prob. have been an interstitial ad instead of a story!
What exactly is going on? Is it a problem with the installed certificates? Weakness in the tools? Which ones are effective and which are weak? How can I determine if my Android has this crapware installed?

How did the moderators decide to let this story through?

The links provide nothing more than a security scanner! There are no specifics other than 'Google is working with OEMs...'. So what? How about providing some information I can use....not ads that are designed to look like news stories.

Android support durations

[Ronin441]

As always with Android support durations: Android Support vs iOS Support [fidlee.com] which is in turn an update of Android Orphans: Visualizing a Sad History of Support [theunderstatement.com]

It's not that iOS is good -- compare it to how long Microsoft support a Windows version. It's that Android OEMs are shocking.