Monday, July 27, 2015

Major Android Security Flaw Allows Hackers to Take Control Without You Even Knowing

As reported today by National Public Radio, all a hacker needs is your phone number, and they have complete control of your device.  What the article doesn't make clear, is whether this only applies to phones, or tablets as well (assuming tablets can get text messages).

The way the exploit works takes advantage of the ability to secure videos using what is called a Coder/Decoder (CODEC) routine.  This is a bit of computer software that provides a way to encrypt and decrypt the video, so that video producers can secure their own content.  However, a CODEC is simply a bit of software that frankly can do anything.  Because the video the thief texts you specifies the CODEC it needs, as the video is received by the device, the CODEC is downloaded and installed as well - this all without any security checks, and without asking the user. The fact that Android allows any CODEC, gives it full access to the entire device environment, and does this in the background without your authorization or even your interaction, I find to be absolutely unacceptable.
I've said it before, and again, and again, and again, and again...Android is an inherently insecure mobile OS, because security is an afterthought, and wasn't built into it by design, at its core, like it was in iOS.  If that isn't bad enough, to make matters much worse, the Android ecosphere is a mishmash of hardware manufacturers who have their own fork of Android that deviates from the main Google trunk.  This means it isn't up to Google to get the update out for each device, it is up to the manufacturer.  You can probably trust companies like Samsung, HTC, and LG.  Probably.  But how much, and how well will they do?  And, if you have some other manufacturer, I can't even begin to say.

If that isn't bad enough, it has been proven that Android users typically go around with 2 year old OS (or older), and never download updates.  That's right, you can have a brand new Android device, but the manufacturer forked Android 2 years ago (at the beginning of developing that hardware), and so the security you have is already 2 years old, out of the box.  Another NPR article in the past week entitled "Trying To Keep Your Data Safe? You're Probably Doing It Wrong" states that tech experts have completely different priorities on what it takes to keep you safe from hackers, than the average non-expert.  I completely agree with this article on every level - from the fact that the priorities are different, to the fact that tech experts put number one priority on system updates (from the OS manufacturer) as the primary bastion against hacking.  Nothing is even remotely as important as downloading the latest OS updates - whether for phone, computer, tablet, or car.  (If you followed that last link, you found that Chrysler vehicles from 2012 onward with UConnect have an Internet IP address, that hackers can use to gain control of the vehicle - and do anything they want, including shut the engine off.)
In this day and age, I find it ABSOLUTELY INEXCUSABLE for any product company, especially Google, to release a product that is so wide open to hacking, it fails to incorporate the most basic and accepted computing precautions like firewalls, code signing security certificates, forcing communications over SSL, and the like.  All of which, and more, both iOS and OS X (Apple's mobile and desktop operating systems) take into account, and have since the beginning, as they were designed into their core from the beginning.  So if you want to know why I support Apple so much, for security alone, that is why.  I find it also a case of criminal negligence for a company like Chrysler to produce a motor vehicle (the single most deadly type of machine in mass operation today), and make it vulnerable to such attacks.  This when the computer industry has plenty of security experts, and Science Fiction films have provided plenty of scenarios in which a more connected life can become more vulnerable to hackers.
So, now we know about the UConnect vulnerability - what about all the other vulnerabilities that we don't yet know about?  Here's a scenario that is not farfetched at all.  Imagine that you are driving to the Tigers' game.  On the way home, you stop to get gas, go out to dinner, or some other activity in Detroit.  Unbeknownst to you, some guys with a specialized Internet scanner detect your car, push a button - and malware is uploaded to your vehicle, and boom - the engine quits as you pull out onto the street.  You are mobbed by people who mug you, strip your vehicle, maybe even kill you because you hesitated to give them your wallet.  Science Fiction?  Maybe, but I think it's not at all farfetched, and I wouldn't put it past the people designing the computer systems in your vehicle to neglect basic security like I say above.

Further, recent news stories indicate Apple has hired several thousand employees with Automotive experience, on a top secret project.  Rumors abound, but most likely is they are either working on aftermarket automotive systems, or a new electric vehicle to enter into the automotive market.  I cannot think of a better company to make cars incorporating computer technology than Apple.  Who best to take into account computer security, than one of the companies who helped create computers in the first place?  And who best to lock that security to your digital world of smart phones, tablets, and notebooks?  And who best to make it work seamlessly?

If this scares you, it should - you have a pulse.  Do your research, and take action consistent with your findings.  If it doesn't scare you, then go head and tempt fate.  But when it comes crashing down on your head, and you have to jump through hoops because your credit is shot, your bank accounts raped, passwords stolen, and your entire real life ruined by the digital access to it - you only have yourself to blame for your choices.
Now, here's what scares me about the whole thing.  People go around, buying devices and services, without researching or understanding this whole world they are getting into.  But believe me, thieves sure do understand this world, and how to exploit its vulnerabilities.  And legislators are so far behind, they still think they can pass a law that will fix security issues.  The only way to fix the issues, is at the OS and software developer level.  The OS manufacturer should have security built in as a central tenet of the architecture, and their development kits should make it easier for app developers to make secure apps, than to make insecure apps.  The fact that Android is the most prevalent mobile OS, and Windows the most prevalent desktop OS, means that people just don't get it.  But the growth of Apple, means they can learn.  Realize that you (even I) know very little about security in the online world, and that it can impact your real world in many more ways than just money or inconvenience.  You can actually be killed by a security hack.

(As an aside, if you are an Apple developer, iOS has done simple things like provide access to advanced technology through Kits - or libraries that give developers functions to call that makes it easy to write apps to do advanced things.  But the Kits are secure, and allow the device user to control which apps have access to which functions - the camera, microphone, photos, Internet, etc.  And, by default, apps cannot connect to insecure Internet connections, they must use encrypted SSL connections.  If the app needs to do an insecure connection, the developer has to "jump through hoops" by adding exceptions to the app for specific web addresses, so that only those addresses are allowed to be communicated with over insecure, non-SSL sockets.)

What can Congress do about this?  Nothing.  As you are well aware, Congress is a set of selfish, greedy lawmakers who have lost all touch with their constituency, and are at the behest, beck and call of lobbyists.  If they do eventually get around to doing anything, all they can do is pass a bill - and nothing they could do would have an impact, as it would be too little, too late.  This technology is out now (has been for years), and the vulnerabilities exist now.  It's up to you to safeguard you and your family.

No comments:

Post a Comment