[guardian-dev] Android Stagefright vuln and Trust-based Messaging
Nathan of Guardian
nathan at guardianproject.info
Mon Jul 27 14:03:23 EDT 2015
This news is making the rounds:
http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/
The real problem is automatic processing of unauthenticated, untrusted
inbound MMS videos:
"it resides in "Stagefright," an Android code library that processes
several widely used media formats. The most serious exploit scenario is
the use of a specially modified text message using the multimedia
message (MMS) format. "
"Unlike spear-phishing, where the victim needs to open a PDF file or a
link sent by the attacker, this vulnerability can be triggered while you
sleep. "
I don't think using TextSecure can avoid this, in that inbound SMS
messages will still go into Messenger or Hangouts... or am I wrong? I am
still confused about TextSecure's deprecation of SMS support.
This is also a problem with WebView/Chrome/Chromium and Firefox, though
in the latter since ESR38 it is patched... Orfox is based on ESR38, so
yay!
"Interestingly, the Stagefright vulnerability also affects Firefox on
all platforms except Linux, and that includes the Firefox OS. Firefox
developers have patched the vulnerability in versions 38 and up."
This is definitely something to think about with our increasing support
for multimedia in ChatSecure... currently you have to accept to receive
a message from a contact, and of course, establish OTR with them, so
that raises the bar quite a bit for an attack like this. We should
really be careful about processing inbound media unless you trust+verify
the contact I think.
+n
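The trust gate sketched in the last paragraph, written out as an added example (this is illustrative code, not ChatSecure's or TextSecure's, and the Contact/InboundMessage fields, the stand-in MediaDecoder and the sample payloads are all constructed for the example). It contrasts the MMS-style path, which hands media to the decoder on the strength of an unauthenticated sender address, with a gated path that only decodes when the sender is an accepted contact, the message arrived inside an established OTR session, and the contact's OTR fingerprint has been verified; everything else is quarantined as opaque bytes that no parser ever touches.

```python
"""Trust-gated handling of inbound media (added example, not project code).

The gate decides on message metadata and contact state only; the attachment
bytes are never inspected unless the gate passes, so a bug in the media
decoder cannot be reached by an unverified sender.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Contact:
    jid: str
    accepted: bool = False             # user agreed to receive messages from this contact
    otr_established: bool = False      # an OTR session with this contact is currently up
    fingerprint_verified: bool = False  # user verified the OTR fingerprint out of band


@dataclass
class InboundMessage:
    sender: str                        # claimed sender (for MMS this is just a header)
    via_otr: bool                      # delivered inside the OTR session, i.e. authenticated
    media: Optional[bytes] = None      # raw attachment, untouched until the gate passes
    text: str = ""


class MediaDecoder:
    """Stand-in for a media parser such as the one the post discusses.

    It counts its invocations so a caller can confirm untrusted bytes never
    reached it, and it 'crashes' (raises) on a constructed malformed header,
    standing in for a parser bug triggered by attacker-controlled input.
    """

    def __init__(self) -> None:
        self.calls = 0

    def decode(self, data: bytes) -> str:
        self.calls += 1
        if not data.startswith(b"\x00\x00\x00"):   # constructed 'well-formed' marker
            raise ValueError("malformed media")
        return f"decoded {len(data)} bytes"


def handle_mms_style(msg: InboundMessage, decoder: MediaDecoder) -> str:
    """The behaviour the post objects to: decode on receipt, trusting only the header."""
    if msg.media is None:
        return "text"
    try:
        return decoder.decode(msg.media)
    except ValueError:
        return "decoder crashed"       # in the real case: memory corruption, not an exception


def sender_is_trusted(contact: Optional[Contact], msg: InboundMessage) -> bool:
    """Accepted contact + live OTR session + verified fingerprint + message actually
    delivered inside that session (a plaintext message from the same JID does not count)."""
    return (
        contact is not None
        and contact.accepted
        and contact.otr_established
        and contact.fingerprint_verified
        and msg.via_otr
    )


def handle_gated(
    msg: InboundMessage,
    roster: Dict[str, Contact],
    decoder: MediaDecoder,
    quarantine: List[Tuple[str, bytes]],
) -> str:
    """Decode media only from trusted senders; quarantine everything else unparsed."""
    if msg.media is None:
        return "text"
    contact = roster.get(msg.sender)
    if not sender_is_trusted(contact, msg):
        quarantine.append((msg.sender, msg.media))   # stored opaque; no parser touches it
        return "quarantined"
    return decoder.decode(msg.media)


def demo() -> Dict[str, object]:
    """Run both handlers over constructed messages and report what the decoder saw."""
    roster = {"alice@example.org": Contact("alice@example.org", True, True, True)}
    good = b"\x00\x00\x00\x18ftyp"                   # constructed 'valid' 8-byte sample
    bad = b"\xff\xff\xff\xff"                        # constructed malformed sample
    results: Dict[str, object] = {}

    mms_decoder = MediaDecoder()
    results["mms_unknown_sender"] = handle_mms_style(
        InboundMessage("anyone@spoofed.example", via_otr=False, media=bad), mms_decoder)
    results["mms_decoder_calls"] = mms_decoder.calls

    gated_decoder = MediaDecoder()
    quarantine: List[Tuple[str, bytes]] = []
    results["gated_unknown_sender"] = handle_gated(
        InboundMessage("anyone@spoofed.example", via_otr=False, media=bad),
        roster, gated_decoder, quarantine)
    results["gated_verified_but_plaintext"] = handle_gated(
        InboundMessage("alice@example.org", via_otr=False, media=bad),
        roster, gated_decoder, quarantine)
    results["gated_verified_via_otr"] = handle_gated(
        InboundMessage("alice@example.org", via_otr=True, media=good),
        roster, gated_decoder, quarantine)
    results["gated_decoder_calls"] = gated_decoder.calls
    results["quarantined"] = len(quarantine)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the gate is where the decision is made: on roster and session state, before the attachment bytes are looked at. A verified contact whose message arrives outside the OTR session is still refused, since an unencrypted message from the same address carries no more authentication than an MMS header does.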