
Security Week 32: Android Stagefright, New Car Hacks, Do Not Track 2.0

Some 23 years ago, Microsoft released the Windows 3.1 operating system, Apple showed its first PDA, and Linus Torvalds released Linux under the GNU license. Eugene Kaspersky published a book with a detailed description of almost all viruses known at the time and the methods for disinfecting them, including with the antivirus program then known as -V. The threat landscape back then was such that every virus could be described in detail in a fairly small book, and even a couple of years later it was still very relevant.

Those were good times. Now 325,000 new malicious programs appear every day, and almost every week the industry is confronted with fresh proof of some systemic security failure on every front, from cars and skateboards to nuclear power plants. This is bad and good at the same time: the more people think about the security of data, business and even their own lives, which depend heavily on computers, the sooner everything will change for the better.

In the meantime, sit back, relax and watch events unfold. From now on, every Friday the Lab's blog will carry a digest of the three truly important news items of the week, with extensive commentary and trolling. The news is carefully selected by the editors of the Threatpost news site.

Stagefright: a hole in Android that hasn't changed anything yet
News. Google's response. CERT advisory.
"There is no worse hole," writes Wired, and it is of course mistaken: it could be worse. The main difference between this vulnerability and, say, Heartbleed and Shellshock is that nobody had to come up with a cool name: Stagefright is the name of the built-in Android engine for playing audio and video, which is part of the Android Open Source Project. Technically it is a whole set of vulnerabilities (Zimperium's researchers dug up the problem and reserved as many as seven IDs in the CVE database), mostly buffer overflow errors.


Right here.

The engine's job is to play all kinds of sounds and videos; moreover, as ZDNet correctly notes, it is designed so that "your phone is ready to show the video before you even want it." Add to this the fact that, for some unknown reason, all these tasks are in some cases performed with "God"-level access. Actually, the reasons are clear: it was easier to code that way. In any case, it turned out not to be that hard to jump out of Android's "sandbox", which is aimed precisely at protecting against such tricks.

The result is a charming proof of concept: send an MMS to the phone, and that's it. No, the "charged" MMS does not even need to be opened: the phone will break itself, because it is built that way for the user's convenience. Is everything bad? Not quite. First, on Android 4.1 and above, Address Space Layout Randomization interferes with the bacchanal and "partially removes the problem". Second, following the rules of responsible disclosure, Zimperium did not publish the exploit code. However, thanks to the published patches, everything is clear anyway.
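The class of defect behind these CVEs, as an added example (not Zimperium's research code and not the AOSP engine): a media container parser reads a chunk size from the file and uses it to decide how much to read or copy. The chunk layout below is a constructed simplification; the two checks contrast a naive 32-bit bounds check that a wrapping size gets past with the hardened form a defender would want in a parser that runs with elevated privileges.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example (not AOSP or Zimperium code): a walker over a
 * length-prefixed chunk stream as media containers use. Each chunk is a
 * 4-byte big-endian size (counting this 8-byte header), a 4-byte type
 * tag, then the payload; the size comes from the file, so it is untrusted. */
#define HDR 8u
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Naive bounds check: adds in 32 bits, so a huge size wraps around and a
 * chunk that extends far past the buffer looks as if it fits. */
int chunk_fits_naive(size_t off, uint32_t size, size_t len) {
    uint32_t end = (uint32_t)off + size;
    return end <= len;
}

/* Hardened check: reject sizes below the header length and compare against
 * the bytes remaining instead of adding, so nothing can wrap. */
int chunk_fits_safe(size_t off, uint32_t size, size_t len) {
    if (off > len || size < HDR) return 0;
    return size <= len - off;
}

/* Walk the stream with the hardened check. Returns the chunk count, or -1 at
 * the first malformed chunk (where an unchecked parser would overrun). */
int count_chunks(const uint8_t *buf, size_t len) {
    size_t off = 0; int n = 0;
    while (off < len) {
        if (len - off < HDR) return -1;                 /* truncated header */
        uint32_t size = be32(buf + off);
        if (!chunk_fits_safe(off, size, len)) return -1;
        off += size;
        n++;
    }
    return n;
}

/* Constructed samples: two well-formed chunks, then one claiming ~4 GiB. */
const uint8_t SAMPLE_GOOD[] = {0,0,0,12,'f','t','y','p',1,2,3,4, 0,0,0,8,'f','r','e','e'};
const uint8_t SAMPLE_BAD[]  = {0,0,0,8,'f','r','e','e', 0xFF,0xFF,0xFF,0xF8,'m','d','a','t'};

int main(void) {
    printf("good: %d chunks\n", count_chunks(SAMPLE_GOOD, sizeof SAMPLE_GOOD));   /* 2 */
    printf("bad: %d\n", count_chunks(SAMPLE_BAD, sizeof SAMPLE_BAD));             /* -1 */
    printf("naive check accepts the bad chunk: %d\n", chunk_fits_naive(8, 0xFFFFFFF8u, sizeof SAMPLE_BAD)); /* 1 */
    return 0;
}
```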

Google's reaction is interesting. The post in the official Android blog devoted to the issue boils down to roughly this: "We're fine. Our sandbox is generally very cool. Only fifteen hundredths of a percent of all Android devices have a malicious application installed (with lots of asterisks, small print and caveats). But for everything to be completely rosy, Nexus devices will from now on receive monthly security updates." That is damn fine, but what about all the other smartphones and tablets? In general, Google's initiative does nothing to solve the fragmentation of Android devices, with eternal delays in updating new devices to the latest OS version and the chronic non-updating of old ones. Fortunately, HTC, Samsung, Sony, LG and a couple of other manufacturers have also announced a desire to update smartphones and tablets more often, at least where security is concerned. True, everything is still a little foggy: all that is clear is that some devices will someday get an update. Maybe.

If we behave well. But in general it is a good sign. Sooner or later Android may get an update mechanism similar to Microsoft's Patch Tuesday. Indeed, just a year ago the same Adrian Ludwig, head of Android security at Google, was saying that everything is fine with security and Google Play just needs a little polishing. So Stagefright may lead to really useful changes. Well, we all hope and believe that there will be changes. What else is there to do?

We continue to break cars
News. Previous news.

A landmark event happened last week: the first critical patch for a car was released. More precisely, for the Uconnect entertainment system of the Fiat Chrysler group, which (a) made it possible to control far-from-entertainment functions (or rather, to send the car into a ditch) and (b) accepted incoming connections over the cellular network. In this regard, I cannot help but quote this correct cry of the soul:


Why does the car even allow you to connect to it from outside? Why can a tape deck control the ignition? Why did it have to be some dude with an iPhone who revealed this?

Yep. But that was last week. This week a hole was found that is not as epic, but is also interesting. Just imagine you are in sunny Spain. Or Bulgaria. Or Greece, it doesn't matter. You rented a car at the airport, drove to the beach and went for a swim. While you are splashing around, someone can steal the car keys. Normally this would be of little help to a thief: go find the car among hundreds of others. But since the car is rented, your keys carry a tag with the model and the license plate number.

In general, better to swim in the pool by the hotel. Independent researcher Samy Kamkar discovered that such a scenario is possible if you use the OnStar RemoteLink mobile application, which lets you locate and even remotely unlock the doors of GM cars. Kamkar built a gadget that intercepts requests from the mobile app to the car simply by being near the owner.



In this story things are generally not so bad: the researcher says the problem is in the application, not in the cars themselves, and a simple update will close the vulnerability. The important point is this. Many people are familiar with the multimedia systems of modern cars: they are almost like Android or iOS, with a touchscreen, sometimes Internet access and all sorts of multimedia things, but all of it is a thousand times worse: slow, buggy and depressing. Once again I will quote Wired: compared with Android, the automakers' own multimedia systems are "complete sludge". Why? Simply because all this entertainment and navigation stuff is developing too rapidly by the standards of a fairly conservative auto industry, which cannot keep up.

And car makers have not matured on security either. The bug in Uconnect is, from our point of view, a complete facepalm. Besides, when you build something new, security is the last thing you think about, because "dangerous" coding is cheap and easy. That is where remote attacks on the starter and the oil pump come from. Cars are still saved by the relative isolation of their technology from the computer world, but over time that will become their most important vulnerability: they will be hacked where nobody expected it, and then there will simply be no protection, do with them what you will.

How to stop tracking and enjoy life
News. An article on the EFF website.

The Do Not Track mechanism is supported by all major browsers, but unfortunately it does not work. And the idea was not bad: if you, the user, do not want to be followed by banner and social networks, by all the Internet analytics and counters, by Google and others, you tick a box in the settings and enjoy your newfound privacy.



Yeah, of course. This idea has been pushed for ten years, and things are still where they were. Keep watching ads for products you already bought, from the store where you bought them. The whole problem is that the industry cannot really agree on how Do Not Track should be used and how users who do not want to be followed should be respected. The EFF sees the solution in an updated standard that tightens the requirements for websites that respect the "do not follow me" principle. For example, if you declare that you follow Do Not Track principles, you should not put social network buttons on your site that violate them. If you have a technical need to track user actions (to complete a purchase, for authorization and the like), ask for permission.

The new requirements, however, remain voluntary, with no tools for monitoring compliance. The Electronic Frontier Foundation hopes that (in some countries) a voluntary commitment followed by a violation may be grounds for a lawsuit. Or maybe not. The announcement of the new policy honestly says: it can help against targeted advertising, but for really anonymous web surfing you still need to use either a VPN or Tor.



The problem is aggravated by the fact that most people, by and large, do not care whether they are being followed or not. The Do Not Track rules are discussed by a fairly narrow group of activists, and outside that group very few people will bother to tick one more box in the browser settings. And that is a pity. It is not even that big evil corporations want to follow you en masse. New technologies such as Microsoft's Cortana voice assistant, Google Now or Apple's Siri collect and process a ton of information about the device owner in order to be really useful and convenient, because they have to. As a result, paranoiacs are now strictly forbidden to read the Windows 10 license agreement, where all these nuances are of course spelled out in harsh legal language. That our devices need to know a lot about us for us to be comfortable is the normal state of affairs. But the more information companies collect about us, the more important the work of that small group of people who want, without fanaticism (!), to provide for the possibility of restricting data collection to the minimum necessary.

What else happened:
Mac BIOS hacked. Not for the first time, however.

Some people are being sent ransomware instead of an upgrade to Windows 10.

In China, a VPN service was discovered that, besides its own servers, also uses hacked computers to reduce the cost of criminal activity.

Antiquities
"Protect" family
Dangerous resident viruses; they infect COM and EXE files in the standard way when the files are launched for execution. They intercept int 21h and int 1Ch or int 33h, depending on the version. They contain the text "File protection". Protect-1157 removes file attributes and blocks mouse operation. Protect-1355 produces a fine and very nasty screen shake on EGA and VGA monitors.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 44.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That depends on your luck.

Source: https://habr.com/ru/post/264329/
