Google's Android Has a Fake-ID Problem
By Dune Lawrence July 29, 2014
     
Google’s Android operating system has a security flaw that could allow hackers to impersonate trusted applications and potentially hijack your phone or tablet, according to research released today.

The basic issue is the way in which Android checks—or rather, does not check—that certain applications are what they say they are, according to Bluebox Security, the company that identified the vulnerability. Hence the catchy name, “Fake ID.”

Verifying identity is one of the most fundamental issues online. Is someone logging into a bank account the owner of that account? Is an application what it claims to be? San Francisco-based Bluebox helps companies secure their data on mobile devices, and its staff members work to research and understand the architecture of the mobile operating systems that Bluebox builds onto, says Jeff Forristal, chief technology officer.

Each Android application has its own digital signature—an ID card, in essence. Adobe Systems (ADBE), for example, has a specific signature on Android, and all programs from Adobe have an ID that’s based on that signature. Bluebox discovered that when an application flashes an Adobe ID, for example, Android does not check back with Adobe that it’s an authentic one. That means that a malicious actor could create malware based on Adobe’s signature and infect your system. The problem isn’t specific to Adobe; a hacker could create a malicious application that impersonates Google Wallet and then access payment and financial data. The same issue applies to administrative software present on some devices, allowing full control of the entire system.

“We basically discovered a way to create fake ID cards,” says Forristal. “There are different vectors. They all come down to: I can create a fake ID card. The question is, which fake ID card do I create?”

The flaw affects Android systems from 2.1 (released in January 2010) on up, though the latest version, 4.4 or KitKat, has closed the hole as it relates to Adobe, according to Bluebox. To give an idea of scale: From 2012 to 2013, about 1.4 billion new devices shipped with the Android operating system, according to Gartner. Gartner (IT) estimates that 1.17 billion additional Android devices will ship this year.

The revelation of this particular vulnerability illustrates how security researchers and Google handle the discovery of flaws in software or programs. It also shows the complexity of handling a vulnerability affecting Android because fixes require adjustments from not only Google but also from various app developers and device makers.

Bluebox concluded its research in late March and submitted the bug to Google by March 31, according to Forristal. The Android security team developed a fix in April and provided the patch to vendors, who had 90 days to implement it before Bluebox publicized its findings, he says. Bluebox has tested about 40 Android-based devices out of more than 6,300 in the market. So far the company knows of only one vendor that has put a patch out, he adds.

Google did not respond to an e-mailed request for comment.

Bluebox plans to discuss its findings at the Black Hat convention in Las Vegas next week. Expect a lot more troubling security news before then. Black Hat tends to bring it out.


http://www.businessweek.com/articles/2014-07-29/googles-android-has-a-fake-id-problem

Comments

Post a Comment

Popular posts from this blog

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that the patient is 3,000 kilometers away,”  he said.
Read more

Visualizing The Power Of The World's Supercomputers

Visualizing The Power Of The World's Supercomputers   BY TYLER DURDEN FRIDAY, JAN 21, 2022 - 04:15 AM   A supercomputer is a machine that is built to handle billions, if not trillions of calculations at once. Each supercomputer is actually made up of many individual computers (known as nodes) that work together in parallel. A common metric for measuring the performance of these machines is  flops , or  floating point operations per second . In this visualization,  Visual Capitalist's Marcus Lu uses  November 2021 data from  TOP500  to visualize the computing power of the world’s top five supercomputers. For added context, a number of modern consumer devices were included in the comparison. Ranking by Teraflops Because supercomputers can achieve over one quadrillion flops, and consumer devices are much less powerful, we’ve used  teraflops  as our comparison metric. 1 teraflop = 1,000,000,000,000 (1 trillion) flops. Supercomputer Fugaku  was completed in March 202
Read more

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke
Read more