Second Chinese Firm In a Week Found Hiding a Backdoor In Android Firmware (bleepingcomputer.com)
An anonymous reader quotes Bleeping Computer:
Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the target's phone with root privileges.
This is the second issue of its kind that came to light this week after researchers from Kryptowire discovered a similar secret backdoor in the firmware of Chinese firm Shanghai Adups Technology Co. Ltd.. This time around, the problem affected Android firmware created by another Chinese company named Ragentek Group.
It apparently affects more than 55 low-end/burner phones from BLU, Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO. According to the article, the binary performing the insecure updates "also includes code to hide its presence from the Android OS, along with two other binaries and their processes... Without SSL protection, this OTA system is an open backdoor for anyone looking to take control of it." Even worse, three domains were hard-coded into the binaries, two of which were unregistered, according to the researchers. "If an adversary had noticed this, and registered these two domains, they would've instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a Man-in-the-Middle attack."
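As an added illustration (not code from the page, the researchers, or the vendor), the Go program below contrasts the design the article describes, an OTA client that trusts whatever comes back over plain HTTP and runs a server-supplied command as root, with the minimum a client needs before it touches an update: a signature by a key pinned at build time, an HTTPS URL on the expected host, no command channel at all, and a digest check on the downloaded image. The manifest format and field names, the host name ota.example.invalid, the sample image bytes and the choice of Ed25519 are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// OTAManifest is a hypothetical update descriptor. Its field names are
// assumptions for this example, not the format the firmware in the article used.
type OTAManifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`     // where the image is fetched from
	SHA256  string `json:"sha256"`  // hex digest of the image
	Command string `json:"command"` // the insecure design let the server ship a shell command
}

// InsecureHandle models the flawed design: parse whatever came back over plain
// HTTP and hand the server-supplied command to a root shell. Whoever controls
// the hard-coded domain, or the network path to it, controls this string.
func InsecureHandle(body []byte) (string, error) {
	var m OTAManifest
	if err := json.Unmarshal(body, &m); err != nil {
		return "", err
	}
	return m.Command, nil
}

// GenerateSigningKey makes the vendor's build-time keypair; only the public half ships.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest signs the exact bytes that go on the wire, not a re-encoding.
func SignManifest(priv ed25519.PrivateKey, m OTAManifest) (body, sig []byte) {
	body, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return body, ed25519.Sign(priv, body)
}

// VerifyManifest is the hardened path: signature by the pinned key first, then
// HTTPS on the pinned host only, no command field, and a well-formed digest.
func VerifyManifest(body, sig []byte, pub ed25519.PublicKey, allowedHost string) (*OTAManifest, error) {
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m OTAManifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	u, err := url.Parse(m.URL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("image URL must be https, got %q", u.Scheme)
	}
	if !strings.EqualFold(u.Host, allowedHost) {
		return nil, fmt.Errorf("image host %q is not the pinned host %q", u.Host, allowedHost)
	}
	if m.Command != "" {
		return nil, errors.New("manifest carries a command; there is no legitimate reason for one")
	}
	if raw, err := hex.DecodeString(m.SHA256); err != nil || len(raw) != sha256.Size {
		return nil, errors.New("manifest digest is not a SHA-256 hex string")
	}
	return &m, nil
}

// ImageMatches ties the downloaded bytes to the signed digest, so a swapped
// image is rejected even when it arrives from the pinned host over TLS.
func ImageMatches(m *OTAManifest, image []byte) bool {
	sum := sha256.Sum256(image)
	return strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256)
}

func main() {
	pub, priv := GenerateSigningKey()
	image := []byte("constructed firmware image bytes") // constructed sample, not a real image
	sum := sha256.Sum256(image)
	body, sig := SignManifest(priv, OTAManifest{Version: "2", URL: "https://ota.example.invalid/fw.img", SHA256: hex.EncodeToString(sum[:])})
	m, err := VerifyManifest(body, sig, pub, "ota.example.invalid")
	fmt.Println("signed manifest accepted:", err == nil && ImageMatches(m, image))
	// What a squatter on the unregistered domain, or a cleartext MITM, would send.
	evil := []byte(`{"version":"3","url":"http://ota.example.invalid/x","command":"id > /data/pwned"}`)
	cmd, _ := InsecureHandle(evil)
	fmt.Println("insecure client would run as root:", cmd)
	_, err = VerifyManifest(evil, sig, pub, "ota.example.invalid")
	fmt.Println("hardened client rejects it:", err)
}
```

Registering the vendor's unregistered domain, or sitting on the network path, gets an attacker everything in InsecureHandle and nothing past the first check in VerifyManifest, because the private key never leaves the build system. The keypair is generated at run time here only so the example is self-contained; a real client ships just the public key.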
Re: (Score:3)
Will the companies be fined? If not, they won't change anything.
In a better universe where ponies grow on trees the companies would get class action sued...
Also, no one would picnic under trees...
Re: (Score:2)
Also, no one would picnic under trees...
I'm quite averse enough to arboreal detritus to avoid this already, but yeah.
Re: (Score:2)
But on the actual topic: is it possible that said "unregistered domains" in the binaries are there as a convenience for dns-spoof exploits? I.e. if they resolve, the phone software knows the mitm state is active?
That's not a bad end run for activation...
Re: (Score:2)
Re: Strange... (Score:5, Funny)
iPhone users experience a different sort of "backdooring". Now put your man bag down and taste my latte.
Re: (Score:2)
You can modify an iPhone all you want, you just void the warranty.
Apple isn't the first company nor will it be the last to void warranty for opening a device up and messing with it.
Poor people are destroying Apple (Score:1)
I haven't noticed this kind of problem with my iPhone 5S...
What, you can't afford a more recent iPhone?
Re: (Score:2)
What, you can't afford a more recent iPhone?
Wait until you find out that some of us are still using 5+ year old smart phones. Mine works (everywhere), does what it needs to, and I see no reason to upgrade. If I could have gotten away with a simple dumb cell phone I would have, but they sell them quick and usually only with limited stock numbers.
Re: (Score:2)
Re: (Score:3)
In a pure FOSS world... (Score:1)
... many eyes would better catch the most blatant attempts at such shenanigans.
Re: (Score:1)
The GP refers to the possibility that the compiler is compromised to insert evil instructions even though it's compiling good code. From Thompson's work [acm.org]:
"No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and
Re: (Score:1)
Of course there is. If the compiled output matches the binary release then you are fine. Otherwise you don't know.
Still, many Android phone manufacturers have decided to lock down the binaries as hard as they can, but not all.
There are still a few Chinese brands where you are allowed to install whatever system you like without voiding the warranty.
They just don't give support on custom builds. If you want support you will have to load their official binaries back on the phone.
It's a bit sad that you have to
Re: (Score:3)
Right, ok, like how all those eyes found the Heartbleed bug in SSL?
Re: (Score:1)
Right, ok, like how all those eyes found the Heartbleed bug in SSL?
"most blatant attempts at shenanigans".
Bugs and extremely clever bits of TLA subversion both would still happen. Heartbleed would get found because as the herd security evolves, I think we would get to significant enough deployment of hard core full network analysis on each device (read: phone) and in enough cases outright pattern whitelisting that the paranoid could have even a bit of confidence against such things. Part of the "trust us we know what's best, don't look under the covers" pre-Snowden mentali
Duh! (Score:2)
Re:Selling my Android, getting an iPhone (Score:4, Informative)
Damn right. Why have a Chinese backdoor when you can have an American backdoor instead?
The iPhone is not American. It's designed by Indian rental employees and manufactured by Chinese slaves.
Re: (Score:1)
The iPhone is not American. It's designed by Indian rental employees and manufactured by Chinese slaves.
And the profits go to an Irish company.
...and there in a nutshell we have capitalism at work. Now stop bitching about it and get over it. The system is working as intended.
Re: (Score:2)
Funny, it explicitly says in listing "GIGABYTE - PC Components - - Legacy - GC-RAMDISK"
That's the iram. I own two. It is exactly both an HDD and software RAMDISK.
Who's the sockpuppet, here?
Re: (Score:2)
APK,
do you know what all those arguments you're having with other people have in common? You.
I did a quick search and it appears that more than 80% of what you post is a reply to other people where you call them liars and sockpuppet - and you frequently post in the wrong threads. That makes you a net negative for this community.
Why do you spend so much time and energy spamming the forum with your bitter, confused accusations? Are you one of those people who thrive on misery and anger?
You're not a victim, AP
Re: (Score:2)
Deep in the bowels of Fort Meade, some Deputy Director of the NSA is saying "God damn those fucking Chinese, who told them to put an extra backdoor into those cheap-assed burner phones? We paid for exclusivity!"
The solution is obvious... (Score:5, Funny)
We just have to avoid all phones built in China.
Oh, wait...
Re: (Score:2)
Google Pixel and most of the HTC phones are made in Taiwan. Also Apple will soon begin to produce some of their phones in India.
I betcha the only iPhones Apple will be making in India are the ones for the Indian market. Much like making iPhones in Brazil because of their ridiculous import tariffs.
Another reason I love my Lumia (Score:1)
Re:Another reason I love my Lumia (Score:4, Interesting)
I still have my Nokia N900, real keyboard, battery lasts days, too old and obscure to be target platform.
Security through obscurity ???
Re: (Score:3)
Same here, my N900 still works great and I will keep using it until it dies, my carrier makes a change that means I can't use it anymore, or I can somehow afford something better (which basically at this point means a Neo900).
Re: (Score:2)
Re: (Score:3)
My BLU Studio 5.0C not affected (Score:2)
I just checked for this binary, and it was not on my phone. I did have a binary file called debuggerd but it was not the same as debugs.
Re: (Score:1)
How did you check for the binary? From TFA: "The binary responsible for the firmware OTA update operations also includes code to hide its presence from the Android OS, along with two other binaries and their processes."
Re: (Score:2)
I have root, a USB Cable, and a Full Rom dump of my firmware stored on my Hard Drive. I just used adb. I su to root as well.
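For the kind of check this reply describes (root, adb, and a full ROM dump on disk), here is an added example, not code from the page or from the researchers, that triages an extracted system image offline: it pulls every URL literal out of every file under the dump and flags cleartext http:// endpoints, the property that made the OTA channel in the article an open door, then lists the hosts worth checking for registration. Reading the dump from another machine also sidesteps the in-OS hiding that the researchers describe, since a file in a pulled partition image cannot hide from a reader on a different box. The page does not name the hard-coded domains, so the host names, file names and sample bytes used here are constructed; the binary name "debugs" in the test is taken from the comment above only as a label.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
)

// Finding is one URL literal pulled out of a file in the dump.
type Finding struct {
	File      string
	URL       string
	Host      string
	Cleartext bool // http:// rather than https://, the condition that made the article's OTA channel an open door
}

// urlPattern matches URL literals embedded in binaries; the path stops at the
// first byte outside printable ASCII (or a quote), much as `strings` would.
var urlPattern = regexp.MustCompile(`(?i)(https?)://([a-z0-9.-]+(?::[0-9]+)?)(/[\x21\x23-\x26\x28-\x7e]*)?`)

// ScanBytes extracts the distinct URL literals from one file's contents.
func ScanBytes(name string, data []byte) []Finding {
	seen := map[string]bool{}
	var out []Finding
	for _, m := range urlPattern.FindAllSubmatch(data, -1) {
		full := string(m[0])
		if seen[full] {
			continue
		}
		seen[full] = true
		out = append(out, Finding{
			File:      name,
			URL:       full,
			Host:      strings.ToLower(string(m[2])),
			Cleartext: strings.EqualFold(string(m[1]), "http"),
		})
	}
	return out
}

// ScanTree walks an extracted image (for example a /system tree pulled over
// adb) and collects findings from every regular file, sorted by host so a
// domain shared by several binaries stands out.
func ScanTree(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, rerr := os.ReadFile(path)
		if rerr != nil {
			return rerr
		}
		all = append(all, ScanBytes(path, data)...)
		return nil
	})
	sort.SliceStable(all, func(i, j int) bool { return all[i].Host < all[j].Host })
	return all, err
}

// CleartextHosts returns the distinct hosts reached over plain HTTP. These are
// the ones to look up: an unregistered one is a takeover for whoever registers
// it, and a registered one is still reachable by anyone on the network path.
func CleartextHosts(findings []Finding) []string {
	set := map[string]bool{}
	for _, f := range findings {
		if f.Cleartext {
			set[f.Host] = true
		}
	}
	hosts := make([]string, 0, len(set))
	for h := range set {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: otascan <extracted-image-dir>")
		os.Exit(2)
	}
	findings, err := ScanTree(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan error:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		flag := "   "
		if f.Cleartext {
			flag = "!!!"
		}
		fmt.Printf("%s %-40s %s\n", flag, f.File, f.URL)
	}
	fmt.Println("cleartext hosts to check registration for:", CleartextHosts(findings))
}
```

A hit is a lead, not a verdict: plenty of legitimate code carries http:// strings for things like captive-portal probes. What singled out the case in the article was a cleartext endpoint inside a binary that also fetches and executes updates as root, so the next step after this scan is to look at what the file that contains the URL does with the response.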
Why are security firms so full of shit? (Score:5, Informative)
What the hell did this have to do with anything... it forced me to hate reading the entire rest of the article. I mean it was like reading "It's a UNIX machine, I know this!" If this sentence has any meaning what-so-ever to the author other than to show off that he could identify linked libraries... well never mind... not worth writing a book on it here.
2) It's an oob updater
It's very likely that if the intent of this code was to be malicious, it would have been hidden better. From what I can see, it looks like they were trying to keep the software installed and operating even through shutting down most of android and bringing it back up.
By using a fixed process id, it makes it easier to identify numerically and by removing the code which appears to be clearly marked as debugging code from the process output, it might even be possible that the process will survive cycling through run levels. It's also clear that it should allow the external server to bring the phone back up.
3) Likely a development tool more than an updater.
It is very likely that the developer who was making the firmware base image made a series of tools that would allow pushing and testing a lot of changes remotely. It feels like a "poor man's version" of RSH on top of a REST API.
4) Six month timer?
In other words, it probably just means "go to sleep... I'm done". Indefinite is more appropriate for production code.
If they were really trying to hide something, do you think they would have made it so obvious?
This was just the case of a programmer dropping his/her image building and debugging code into the production image. He/she was probably also asked to add some possibility to update the firmware of the image remotely for tech support reasons. He/she probably just figured "I already have something".
At the end of the article I take this away
DANGER!!!! Some developer left highly insecure debugging code in the firmware used on a gazillion phones.
DANGER!!!!!!! There's some publicity loving series of security losers trying to make headlines and sound important, trying to scare everyone when in reality they now have their own backdoor to a gazillion phones and didn't even consider
Yes... instead of trying to make headlines and run a fund raiser, you didn't even need to actually tell us about it; you could have just simply pushed a patch so that any phone connecting to one of those URLs would be patched.
Re:Why are security firms so full of shit? (Score:4, Insightful)
But you're missing the point, that if OTHER actors were to find these issues out ahead of time, 3 million + phones would be rootable by simply registering a couple of otherwise unclaimed domain names. That's not a "backdoor" as much as it is an open hole to the backyard...
Re: (Score:2)
More devices to join the IoT botnets and take down the interwebs. To anyone expecting to use their new game console on Christmas day this year: it would be wise to have a Plan B that works offline (such as sex or Monopoly).
Re: (Score:3)
Now that they have those domains AND can execute commands on those phones AND have even used them for information gathering on all those phones, why not push something on to the end of
budget phones? (Score:1)
Burner phones? (Score:1)
Re: (Score:2)
Have you checked your local grocery store? Many sell prepaid smartphones right alongside the refill cards, with prices as low as $10 (yes, for an actual Android touchscreen smartphone).
Heck we have Lifeline Smartphones (Score:2)
Okay, so they are simple, three-versions-back things that can't do 80% of the things current phones can, but if you are in the US I would bet that 80% of the PONFA folks have smart phones now.
ES File Explorer (Score:3)
I was warned here that ES File was probably phoning home to China, so I removed it and my devices actually work better now. Is there any analysis of precisely what ES File Explorer is doing?
Re: (Score:1)
ES File Explorer is made by Baidu, a company that is well known for malpractices and spying on its users.
Dirty COW (Score:2)
Sometimes I've got a feeling that Google actively encourages security vulnerabilities considering that this particular local ROOT vulnerability affects at least 99% of all existing Android devices and Google skipped it in its latest security update.
Welcome rootkits and unremovable trojans.
Re: (Score:2)
Google had already finalized the latest security update when Dirty COW was discovered. December's update will be their first chance to patch it.
Furthermore given Android is an open platform ANYONE can develop for it, and this isn't Google's code at fault here. This is just a case of getting what you pay for when you buy a low-end Android phone that was made without adequate code review or security testing.
Chinese Intelligence agency at work? (Score:1)
I wonder if this is the work of the Chinese intelligence agencies? That would almost certainly be everyone's explanation if it happened in a phone from a US company.
Making themselves look bad (Score:2)
My proposal for this problem is: ban the brands indefinitely from the US and permanently bar all executives at those companies from entering the US. This way, they learn their lesson... corporations stealing from consumers is a crime that should not go unpunished. Phucking cheaters!!!