
Latest Android phones hijacked with one-shot Chrome exploit - TrolTure
http://www.theregister.co.uk/2015/11/12/mobile_pwn2own/
======
Maarten88
Am I alone being amazed that we still have not experienced an Android worm or
virus shutting down all mobile networks globally for a few days? I remember
Slammer, which brought down many corporate networks and severely impacted all
internet traffic. With all these unpatched phones and so many vulnerabilities
it seems a matter of time before something like this happens on a grander
scale in mobile networks.

Would it be that the bad guys have become smarter and there is more money in
silently p0wning devices? Or is network management able to stop such events
from happening nowadays?

~~~
cptskippy
Corporate Networks 10-15 years ago are like the Canadian-US border, whereas
today they're more akin to the North Korean-South Korean border.

10-15 years ago everything was on the same LAN except for the handful of web
servers you might have plugged into the DMZ port of your firewall and every
client was implicitly trusted. Today we have VLANs for everything and
segmentation is done purely for organization aesthetics. Switches can
dynamically provision ports based on the client connected. Wired clients and
wireless clients reside in different segments with different restrictions.
Open network ports in unsecured areas, like conference rooms, are on highly
restricted VLANs. I've even seen segmentation based on client MAC addresses
where unknown devices were just routed back to themselves for everything.

Back then Email servers accepted connections from anyone and would relay just
about anything no questions asked, today email servers are locked down and
very suspicious of one another with DNS records (SPF, PTR) for verification.

There are security appliances sitting on the edges of the network monitoring all
inbound and outbound traffic as well as appliances in the network watching the
to and fro. We have software clients sitting on desktops monitoring traffic
and blocking malicious or harmful requests as well. Software firewalls are now
standard and turned on by default.

On top of all that, Mobile Networks are distributed with each cell tower being
its own insular network with a secure WAN connection over an ISP back into
the central network with all manner of port filtering in place.

------
devit
This is why you should use Firefox for Android: it's a great browser (even
offering extensions such as uBlock Origin), but it has very little marketshare
and is thus unlikely to be attacked.

This is also part of the reason a frequently updated Android distribution
(Nexus or CyanogenMod) might in fact be more secure than iOS, where you are
forced to be vulnerable to Apple's Webkit engine.

The same reasoning also applies to such updated versions of Android: the vast
majority of people use outdated Android versions, so it's less likely that
people would bother developing exploits for the latest Android version, as
opposed to the latest version of iOS.

Obviously this is a self-defeating prophecy, but hopefully a proper securely
isolated mobile OS will become available before things change.

~~~
blisterpeanuts
So, are there more exploits for iOS out there? I had the impression that
Android has more. Also, this particular one is a browser JavaScript problem
that affects multiple android versions, is it not?

~~~
mtgx
> So, are there more exploits for iOS out there? I had the impression that
> Android has more.

But that was his point - he was referring to _Nexus-only_ (or CyanogenMod),
not "Android", where 87% of the devices are vulnerable to at least one of the 11
vulnerabilities tested below, because of their lack of (fast) updates:

[http://androidvulnerabilities.org/](http://androidvulnerabilities.org/)

~~~
blisterpeanuts
He said:

_a frequently updated Android distribution (Nexus or CyanogenMod) might in
fact be more secure than iOS, where you are forced to be vulnerable to Apple's
Webkit engine._

I took that to mean that Apple devices are more vulnerable because they are
infrequently updated, as compared to Android. Google and its partners do
release fairly frequent (every 3-4 months) dot releases of webkit, Chrome, and
the entire OS, to add features and address vulnerabilities.

By contrast, Apple's release schedule is rather monolithic and their superior
security is based on a more tightly controlled platform.

------
Spittie
Play Services have a way to install applications in the background
([http://stackoverflow.com/questions/23695170/how-to-install-applications-programatically-without-opening-play-store-as-googl](http://stackoverflow.com/questions/23695170/how-to-install-applications-programatically-without-opening-play-store-as-googl))
that does a signature check, and refuses to work if the request didn't come
from a Google App. Maybe they found a way to call that from Chrome's v8?

What makes me think so is that they claim to have installed a "BMX Game"
(which I guess is on the Play Store), and I don't see any claim of it being
automatically launched after the installation (Android >2.3 should block
that).

That would be much better for Android than the alternatives. As far as I can
tell, applications can only install stuff in the background if they are system
applications (live in some /system subfolder, which Chrome does when
preinstalled/installed from a GAPPS package) AND declare the
"INSTALL_PACKAGES" permission in their manifest (Chrome doesn't).

That should be the only way, apart from getting root (but I guess they would
have just said "we got root" then).

EDIT: Obviously all of this is just a guess. I'm just happy that there is no
Chrome on my phone :) (but the WebView on Android 5.1 is based on Chromium -
so I wonder if that's exploitable as well?)

~~~
ce4
Wouldn't Chrome be able to auto login on the play store website and click the
install button there? There have been XSS attacks on the play store website
allowing this before.

Edit: I had this in mind
[https://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/](https://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/)

------
gcb0
i never understood why even tech ppl are OK using phones like clueless people
used computers in the 90s.

vendor toolbars and bundled applications? check. saved logins on banks and
everything else? check. no firewall? check. ads everywhere? check.

get your crap together, everyone.

~~~
x1798DE
Do you know people who actually do this? I'm deeply uncomfortable when I get a
new phone that doesn't have a CM / custom ROM out yet, because I need to be
able to lock everything down myself. I assumed other tech literates did the
same.

~~~
gambiting
Really? I am the exact opposite. A few years ago I would always run a custom
firmware on my android phone, now I wouldn't touch a rooted phone with a
bargepole. Mostly because none of my bank apps work on rooted phones, but also
because CM was always an unstable affair for me - fantastic at the beginning,
more and more annoying the longer I use it. The "customization" (which I used
once to change some icons) is simply not worth the loss of stability.

~~~
heroh
you run your devices without any care for all the background datamining,
constant analytics, access to your PII, facebook social graph etc.? you
oughta be ashamed of yourself.

------
headmelted
Even by Android standards, this is pretty shocking.

Being that this is a one-shot exploit that the author believes will work on any
Android with the latest Chrome makes it doubly so.

I'd also be more concerned that the exploit is described as targeting V8
specifically, considering how widely it is being used out of the browser these
days.

~~~
mccr8
Browsers are likely the only place people are using v8 to run arbitrary
hostile code.

------
rusbus
Not too surprising, considering the level of complexity in a modern browser
and javascript engine I suppose. I wonder if the next generation of phone
operating systems will have something more akin to a true exo or micro kernel
to help mitigate these sorts of attacks.

~~~
pjmlp
iOS and Windows Phone architecture are already much better than Android in
this regard.

Also Symbian had a relatively good security architecture, with its
microkernel and the permissions model introduced in S60 v3.

Android security lags behind, because Google doesn't want to force OEMs and
providers to provide updates. Additionally the OS architecture makes it pretty
easy to extract an APK and reverse engineer it, even if written with the NDK.

But in any case, the best exploits are social and there isn't any help there.

Most of the users get p0wned trying to find stuff for free in dubious sites,
and installing it, instead of paying for the real deal.

~~~
fpgeek
> Android security lags behind, because Google doesn't want to force OEMs and
> providers to provide updates.

What do OEM updates have to do with a security hole in _Chrome_? Despite all
the merger chatter, Chrome isn't an OS-level part of Android the way it is with
ChromeOS.

The exploit sounds serious, but once the Chrome team understands it and comes
up with a fix, all Google needs to do to deploy it is publish a new version of
Chrome on the Play Store. I suppose they could add a nudge or two via Play
Services (or otherwise) if people aren't installing the new version, but, in
any case, that's nowhere near the effort required to get an OS update out (and
neither OEMs nor carriers can block the fix).

~~~
pjmlp
First of all, I was replying to " I wonder if the next generation of phone
operating systems will have something more akin to a true exo or micro kernel
to help mitigate these sorts of attacks."

Second, most mobile users use whatever app is labeled as "Internet" on their
phones and tablets. Only savvy users get to install Chrome.

Third, anyone using an Android system older than Lollipop won't get WebView
updates.

So on those devices a Chrome update is indeed an OS update.

------
_yy
Does Google Chrome have a sandbox on Android?

~~~
taf2
Also does chrome auto update on Android?

------
blindfly
Will this impact NodeJS which is built on the V8 engine?

~~~
johncolanduoni
I doubt it. It likely requires running a specialized script, and if you are
running arbitrary JS on your NodeJS server/app you are already in trouble.

------
josteink
Happy Android and Firefox user calling in.

My Nexus is still safe :)

~~~
vetinari
I'm also using Firefox on Android (because it is the only mobile browser that
supports extensions).

However, the desktop Firefox regularly tops my 'Apps using significant energy'
list, even when idling.

~~~
epmatsw
Fwiw, the significant energy usage list on OSX corresponds pretty poorly with
real world results. Safari is the most efficient, and Firefox is actually
slightly better than Chrome.

What does the OS X Activity Monitor's "Energy Impact" actually measure? |
Nicholas Nethercote
[https://blog.mozilla.org/nnethercote/2015/08/26/what-does-the-os-x-activity-monitors-energy-impact-actually-measure/](https://blog.mozilla.org/nnethercote/2015/08/26/what-does-the-os-x-activity-monitors-energy-impact-actually-measure/)

Chrome vs Safari vs Firefox web browser efficiency
[http://blog.getbatterybox.com/which-browser-is-the-most-energy-efficient-chrome-vs-safari-vs-firefox/](http://blog.getbatterybox.com/which-browser-is-the-most-energy-efficient-chrome-vs-safari-vs-firefox/)

~~~
vetinari
Thanks for the links, especially Nicholas Nethercote's blog is very
interesting.

To be fair, Google is working on the Chrome efficiency:
[https://plus.google.com/+PeterKasting/posts/GpL63A1K2TF](https://plus.google.com/+PeterKasting/posts/GpL63A1K2TF)