Android has Fallen! Yet another set of Android security vulnerabilities has been discovered in Qualcomm chipsets that affect more than 900 Million Android smartphones and tablets worldwide.
What’s even worse: Most of those affected Android devices will probably never be patched.
Dubbed “Quadrooter,” the set of four vulnerabilities, discovered in devices running Android Marshmallow and earlier that ship with a Qualcomm chip, could allow an attacker to gain root-level access to any Qualcomm device.
The chip, according to the latest statistics, is found in more than 900 Million Android tablets and smartphones. That’s a very big number.
The vulnerabilities have been disclosed by a team of Check Point researchers at the DEF CON 24 security conference in Las Vegas.
Critical Quadrooter Vulnerabilities:
The four security vulnerabilities are:
CVE-2016-2503 discovered in Qualcomm’s GPU driver and fixed in Google’s Android Security Bulletin for July 2016.
CVE-2016-2504 found in Qualcomm GPU driver and fixed in Google’s Android Security Bulletin for August 2016.
CVE-2016-2059 found in Qualcomm kernel module and fixed in April, though patch status is unknown.
CVE-2016-5340 present in Qualcomm GPU driver and fixed, but patch status unknown.
Qualcomm is the world’s leading designer of LTE (Long Term Evolution) chipsets with a 65% share of the LTE modem baseband market. If any one of the four flaws is exploited, an attacker can trigger privilege escalations for gaining root access to an affected device.
All an attacker needs is to write a piece of malware and send it to the victim. When installed, the malware offers the attacker privilege escalation on the affected devices.
According to the researchers, the attack can also be conducted through a malicious app. An attacker needs to trick a user into installing a malicious app that, unlike other malware, would execute without requiring any special permission checks.
“Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” Check Point researchers write in a blog post.
If any of the four vulnerabilities are successfully exploited, an attacker could gain root access to an affected device, giving the attacker full access to the device, including its data, camera and microphone.
List of Affected Devices (Popular)
More than 900 Million Android devices that ship with a Qualcomm chip are vulnerable to the flaws.
Here’s the list of some of the popular affected devices, though there are far more devices that are impacted by one or more Quadrooter vulnerabilities.
1. Samsung Galaxy S7 and Samsung S7 Edge
2. Sony Xperia Z Ultra
3. OnePlus One, OnePlus 2 and OnePlus 3
4. Google Nexus 5X, Nexus 6 and Nexus 6P
5. Blackphone 1 and Blackphone 2
6. HTC One, HTC M9 and HTC 10
7. LG G4, LG G5, and LG V10
8. New Moto X by Motorola
How to Check if Your Device is Vulnerable?
You can check if your smartphone or tablet is vulnerable to Quadrooter attack using Check Point’s free app.
Since the vulnerable software drivers, which control communication between Qualcomm chipset components, come pre-installed on these devices at the time of manufacturing, they can only be fixed by installing a patch from the devices’ distributors or carriers after receiving fixed driver packs from Qualcomm.
“This situation highlights the inherent risks in the Android security model,” the researchers say. “Critical security updates must pass through the entire supply chain before they can be made available to end users.”
Three of the four vulnerabilities have already been fixed in Google’s latest set of monthly security updates, and a patch for the remaining flaw will be rolled out in the upcoming September update.
Since Qualcomm has already released the code, phone manufacturers could issue patches for individual devices as soon as possible.
Android Nexus devices are already patched via the over-the-air updates, but other smartphone models will need to wait until their lazy phone manufacturers integrate the fixes into their own custom Android ROMs.
Google Station Will Bring Public Wi-Fi to School, Malls, and Other Places in India
Google, a unit of Alphabet Inc, said on Tuesday it launched Google Station in India, a service that aims to deepen its reach across the country, as the search giant seeks to bring more people on to its Google platform.
Under the service, Google will roll out Wi-Fi hot spots in places frequented by a large number of people, such as malls and transit stations, and in social hangout locations such as cafes and universities, the company said on Tuesday.
“The goal is to give people many hot spots within a few minutes’ walk from their home, university, or workplace, unified by a simple login process that works across all of them,” Caesar Sengupta, Vice-President, Next Billion Users at Google, was quoted as saying in the statement.
Google currently offers free Wi-Fi access at 53 railway stations across India and plans to scale up the service to 100 by year-end, the company said.
After the iPhone encryption battle between Apple and the FBI, Apple was inspired to work toward making future iPhones unhackable by implementing stronger security measures that even the company can’t hack.
At that point the company even hired one of the key developers of Signal — one of the world’s most secure, encrypted messaging apps — for its core security team to achieve this goal.
But it seems like Apple has taken something of a backward step.
Apple deliberately weakens Backup Encryption For iOS 10
With the latest update of its iPhone operating system, it seems the company might have made a big blunder that directly affects its users’ security and privacy.
Apple has downgraded the hashing algorithm for iOS 10 from “PBKDF2 SHA-1 with 10,000 iterations” to “plain SHA256 with a single iteration,” potentially allowing attackers to brute-force the password via a standard desktop computer processor.
PBKDF2, which stands for Password-Based Key Derivation Function 2, is a key stretching algorithm that here uses a SHA-1 hash with thousands of password iterations, which makes password cracking quite difficult.
In iOS 9 and prior versions back to iOS 4, the PBKDF2 function generates the final crypto key by applying a pseudorandom function (PRF) 10,000 times (password iterations), which dramatically increases authentication process time and makes dictionary or brute-force attacks less effective.
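The difference between the two schemes described above can be made concrete. The following is an added example, not code from Apple, Elcomsoft or the original article: it writes out PBKDF2-HMAC-SHA1 per RFC 8018 so the 10,000 chained PRF calls are visible, checks the result against Python's hashlib, and measures how much more one stretched derivation costs than one plain SHA-256. The salt-then-password layout of the single hash and all sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac
import time

ITERATIONS = 10_000  # iteration count the article gives for iOS 9 and earlier


def pbkdf2_sha1_counted(password, salt, iterations, dklen=20):
    """PBKDF2-HMAC-SHA1 (RFC 8018) spelled out; returns (key, HMAC call count)."""
    prf_calls, derived, block = 0, b"", 1
    while len(derived) < dklen:
        # U_1 = PRF(password, salt || INT(block))
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha1).digest()
        prf_calls += 1
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_n = PRF(password, U_{n-1}): strictly sequential, cannot be skipped
            u = hmac.new(password, u, hashlib.sha1).digest()
            prf_calls += 1
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(20, "big")
        block += 1
    return derived[:dklen], prf_calls


def single_sha256(password, salt):
    """One unstretched hash; the salt || password layout is an assumption."""
    return hashlib.sha256(salt + password).digest()


def seconds_per_call(fn, repeats):
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


def work_factor_ratio(password, salt):
    slow = seconds_per_call(
        lambda: hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS), 20)
    fast = seconds_per_call(lambda: single_sha256(password, salt), 20_000)
    return slow / fast


if __name__ == "__main__":
    pw, salt = b"constructed-sample-password", bytes(range(16))  # constructed inputs
    key, calls = pbkdf2_sha1_counted(pw, salt, ITERATIONS)
    print(f"PBKDF2: {calls} HMAC-SHA1 calls per guess; plain SHA-256: 1 hash")
    print(f"measured cost ratio here: ~{work_factor_ratio(pw, salt):.0f}x")
```

The measured ratio depends on the machine and the hash implementations, so it will not necessarily match the figure reported for the real backup format.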
Now Bruteforce 2,500 times Faster than earlier iOS Versions
Moscow-based Russian firm Elcomsoft, which discovered this weakness that is centered around local password-protected iTunes backups, pointed out that Apple has betrayed its users by deliberately downgrading its six-year-old, effective encryption to SHA256 with just one iteration.
Therefore, an attacker has to compute only a single hash for each password tried in a brute-force search to find a match and crack the backup password, making the entire process substantially less time consuming.
“We discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older,” Oleg Afonin from Elcomsoft wrote in a blog post today.
Yes, that’s right. With iOS 10, it’s possible for an attacker to brute force the password for a user’s local backup 2,500 times faster than was possible on iOS 9, using a computer with an Intel Core i5 CPU (with 6 million passwords per second).
However, an obvious limitation to this attack is that it can’t be performed remotely.
Since the weakness is specific to password-protected local backups on iOS 10, a hacker would require access to your device’s local backup, where the iPhone files are stored.
Elcomsoft is a well-known Russian forensics company that, like market leader Cellebrite, makes money by selling a kit that can hack into iPhones for the purpose of rooting around a target’s device.
Elcomsoft’s kit was believed to have been used in The Fappening (or ‘Celebgate’) hack, where hackers exposed celebrities’ nude pictures in 2014 by hacking into the Apple iCloud and Gmail accounts of more than 300 victims.