Some professor at NC State University was tooling around with a Nexus S running Gingerbread (the stock, unrooted flavor, specifically) and found a “data stealing vulnerability of the same nature” as an Android 2.2 vulnerability that apparently wasn’t plugged thoroughly enough in the 2.3 patch. Sigh.
Professor Xuxian Jiang has a proof of concept, here’s what he says we’re dealing with:
Based on the experiments with one of our Nexus S phones, we have leveraged the vulnerability to
- Obtain the list of applications that are currently installed in the phone;
- Upload the applications (located in /system and /sdcard partitions) to a remote server;
- Read and upload the contents of any file (including photos, saved voicemails…) stored on the phone’s /sdcard. Note that to do that, the exact pathname/filename needs to be known.
Here’s where it gets less bad:
I notified the Google Android Security Team on 01/26/2011 and was pleased/impressed to receive their response within 10 minutes. After that, we exchanged emails, including a critical piece of exploit code, to better understand the nature of the vulnerability. From the interaction, I can tell that they took this issue seriously and the investigation was started immediately without any delay. Also, I need to mention that this attack is not a root exploit, meaning it still runs within the Android sandbox and cannot grab all files on the system (only those on the /sdcard and a limited number of others).
The vulnerability is now confirmed and I was told that an ultimate fix will be included no later than the next major release of Android. We are not aware of any active exploitation of this issue.
Professor Jiang, young and bright, is unaware of any exploits in the wild; however, he suggests that running another browser, like Firefox, could mitigate the vulnerability. He also suggests unmounting the SD card, while noting that no one’s going to want to do that (yeah right Prof, homie don’t play that).
Finally, I’d like to thank Nick from the Android Security Team for verifying the presence of this vulnerability and keeping me informed as this fix progresses.
Right on Nick Kralevich. In addition to patching these things, obviously, it’s good to keep a warm pipeline of such information coming in from the white hatters. And Professor, thanks for keeping a lid on the details while trusting that Google’s on it. I started by saying “Not again”; now I’m thinking “keep it coming, Professor.” +1 to this Southern state public organization for coming up with this degree of sophistication, not bad.
I’m getting the impression from the lack of serious, or even somewhat serious, outbreaks that the hole diggers have more good-guy talent, numbers and determination than the other side, a culture Google may have cultivated with their reward plan. And over time, as exploits are discovered and subsequently patched, well, eventually we’ll have ourselves some military grade shit, n’est-ce pas?