
Cyanogenmod Updater vulnerable to MITM attack - mfincham
https://kyhwana.org/blog/2014/02/17/cyanogenmods-updater-vulnerable-to-mitm-attack/
======
kyhwana2
(Whoops, I fucked up a few http/https there. It should say that CM are only
using HTTP, they aren't using ANY HTTPS at all. I had a misplaced sed there)

------
tga_d
So much for a greater emphasis on security. How is this not one of the first
things checked on? Providing encrypted messaging and permissions tuning on
apps doesn't mean a whole lot if these sorts of bugs exist.

------
StavrosK
Yay! How do people make rookie mistakes like these? _Always_ verify
certificates, and, even better, hardcode the cert/CA fingerprint in your
client (so it can't get replaced with a valid cert upstream).

~~~
zimbatm
The issue is not the lack of SSL but that the images aren't signed and
verified. If they want to use mirrors to distribute the binaries, it's a far
better solution.

~~~
gsnedders
You still need to securely fetch the signatures somehow initially. Similarly,
[http://download.cyanogenmod.org/](http://download.cyanogenmod.org/) provides
md5 hashes for downloads but because it's not done over HTTPS you've got no
guarantee that you're getting the right hash to verify the insecure download.
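The distinction zimbatm and gsnedders draw above (a hash served beside the download over the same plain-HTTP channel versus a signature checked against a key already on the device) in working code. This is an added example, not code from the thread or from CyanogenMod's updater: it uses Go's standard `crypto/ed25519`, the image bytes and key seeds are constructed for the demo, and the helper names (`VerifyWithUntrustedHash`, `SignImage`, `VerifyWithPinnedKey`, `RunScenario`) are my own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Outcome records what each client-side check concludes for the genuine
// image and for an image altered on the wire.
type Outcome struct {
	HashCheckGenuine    bool // md5 from the same HTTP channel, genuine image
	HashCheckTampered   bool // md5 from the same HTTP channel, altered image
	SigCheckGenuine     bool // pinned-key signature, genuine image
	SigCheckTampered    bool // pinned-key signature, altered image + original signature
	SigCheckAttackerKey bool // pinned-key check of a signature made with a key the attacker controls
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// VerifyWithUntrustedHash is what an md5 published beside the download over
// plain HTTP buys you: whoever can rewrite the image can rewrite the hash.
func VerifyWithUntrustedHash(image []byte, md5FromSameChannel string) bool {
	return md5Hex(image) == md5FromSameChannel
}

// SignImage is the publisher side: sign the SHA-256 of the image with the
// build key. Signing the digest keeps the signed message short; Ed25519
// would also accept the whole image directly.
func SignImage(buildKey ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(buildKey, digest[:])
}

// VerifyWithPinnedKey is the client side: the public key is baked into the
// installed ROM, so it never travels over the channel the attacker controls.
func VerifyWithPinnedKey(pinned ed25519.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ed25519.Verify(pinned, digest[:], sig)
}

// RunScenario plays out one download over a path an attacker can rewrite.
func RunScenario() Outcome {
	// Constructed keys: fixed seeds so the example is reproducible. A real
	// build system keeps the build key offline and ships only the public half.
	buildKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	pinned := buildKey.Public().(ed25519.PublicKey)
	attackerKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))

	// Constructed sample image; stands in for the update zip.
	genuine := []byte("constructed update image bytes v1")
	genuineSig := SignImage(buildKey, genuine)
	genuineMD5 := md5Hex(genuine)

	// On the wire the image is replaced and, because the hash page is served
	// over the same plain-HTTP channel, the md5 beside it is replaced too.
	tampered := append(append([]byte{}, genuine...), []byte(" (altered in transit)")...)
	tamperedMD5 := md5Hex(tampered)

	return Outcome{
		HashCheckGenuine:    VerifyWithUntrustedHash(genuine, genuineMD5),
		HashCheckTampered:   VerifyWithUntrustedHash(tampered, tamperedMD5),
		SigCheckGenuine:     VerifyWithPinnedKey(pinned, genuine, genuineSig),
		SigCheckTampered:    VerifyWithPinnedKey(pinned, tampered, genuineSig),
		SigCheckAttackerKey: VerifyWithPinnedKey(pinned, tampered, SignImage(attackerKey, tampered)),
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("md5 from same channel: genuine=%v tampered=%v (altered image still passes)\n",
		o.HashCheckGenuine, o.HashCheckTampered)
	fmt.Printf("pinned-key signature:  genuine=%v tampered=%v attacker-signed=%v\n",
		o.SigCheckGenuine, o.SigCheckTampered, o.SigCheckAttackerKey)
}
```

The hash check accepts the altered image because the attacker supplied the matching md5; the signature check rejects both the altered image and a signature made with a key that is not the pinned one. That last case is the reason the key has to ship with the ROM rather than be fetched next to the update: a key downloaded over the same channel is exactly as replaceable as the md5.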

~~~
ivanca
Actually if you just google the MD5 and it shows up in Google, it should work
as a guarantee

(Example:
[https://www.google.com/search?q=b13afc01102c84425ca995469f1a...](https://www.google.com/search?q=b13afc01102c84425ca995469f1a52cf&rlz=1C1EODB_enCO548CO550&{google:acceptedSuggestion}oq=b13afc01102c84425ca995469f1a52cf&aqs=chrome..69i57.170j0j7&sourceid=chrome&ie=UTF-8&hl=en#hl=en&q=bcc77d179af2c7ce66b17bfd5fad100b&safe=off))

~~~
erichurkman
Unless the download page is hacked and Google picks up a spoofed checksum.

They need to sign their updates as well.

~~~
ivanca
Yeah, and Linux is compromised if someone kidnaps Linus Torvalds family in
exchange for creating a backdoor in the Linux kernel.

The security is created by humans to be used by humans; so nothing is truly
safe if <insert random circumstance> happens; and anyway, for cases like yours
the hack would be found after a few days when any of the people in charge of
the compiling realizes that the checksum is spoofed and would advise anyone to
update the OS after the issue is taken care of.

------
sleepyK
CM's commitment to bringing support to legacy devices is admirable, but they
bundle some very annoying, redundant and as OP says unsecured applications
with their ROM packages.

CM Account, CM Updater, Movie Studio, File Manager and CM Wallpaper are all
apps that I uninstall as soon as I flash a ROM to one of my devices.

Their CM File Manager for one is a totally redundant application that hasn't
been updated in a long time, despite being broken (it doesn't work in Super
User mode without some juggling about).

Their CM Account is one other thing that I find totally pointless.

CM would be better off bringing more innovative features to Android instead of
just copying drivers from CAF and changing headers to say CM instead of CAF or
AOSP.

The innovation in the Android ROM community has been coming from Paranoid
Android, AOKP, Omni and Slim ROMs, and from the Xposed community.

They've been reduced to being a repo shepherd for certain devices, but most of
their user base comes from people running "Unofficial" builds compiled by
independent developers.

I think, as a start up, they'd be better off if they focused on features
instead of just trying to market CM Phones that essentially run a Nexus like
build of plain vanilla Android.

------
arca_vorago
All I want is a fully open source phone from the radio firmware up. Android
has been such a disappointment for me as a security conscious person, between
Google's questionable open source policies, the carrier hell it gets forced
into, and the black box of radio protocols like GSM that far too often have
DMA to the same segments of the CPU.

The whole point of FOSS is to be able to see what's going on, for freedom and
control to the user. At this point I barely see Android as any better than
iOS, aka, a very pretty jail for the user.

~~~
gsnedders
The lack of security advisories for even the major open-source Android
distributions scares me: can anyone imagine if major Linux distributions
provided no security advisories?

I run CyanogenMod Stable on my phone, the kernel build date is given as Sep 23
2013. Are they really meaning to imply that no security advisory published for
Linux after that affects CyanogenMod? Most are purely local attacks, but still
therefore malware vectors, and then there are things like CVE-2013-7027, which
on the face of it should affect Android.

At the moment, I'm running CyanogenMod purely under the assumption it'll be
more secure than the default Samsung installation (no updates in about two
years), as at least it gets updates! Yet, at the end of the day, I see little
to convince myself they are actually keeping up with upstream security fixes.
No Android distribution seems to have a coherent story when it comes to
security advisories, sadly. :( (I have a Galaxy S2, if anyone wants to
convince me to try another distribution/OS!)

~~~
BitMastro
[http://www.cvedetails.com/vulnerability-list.php?product_id=...](http://www.cvedetails.com/vulnerability-list.php?product_id=19997&vendor_id=1224)

There are lots of exploits, and every time someone publishes a rooting method
that does not require "fastboot oem unlock" (gingerbreak, ashmem, mempodroid,
exploid, etc) it's one of the CVEs being exploited.

~~~
higherpurpose
I think Google made it a lot harder since 4.3 or 4.4 to root or unlock without
fastboot oem unlock or a similar solution that's given by the OEM.

------
ender89
... So what you're saying is that my Galaxy Nexus' inability to list CM11 "M"
releases (and forcing me to download them manually when they come out) is
actually a security feature?

------
voltagex_
Another day, another block category.

> Content Blocked (content_filter_denied)
> Content Category: "Malicious Sources/Malnets"

Any idea why this site would be blocked at $BIGCORP?

