You can partially mitigate the risk by disabling auto-downloading of MMS messages in whichever app you have set to handle text messages, such as Messaging or Hangouts. THIS IS URGENT. While the precise details of the flaw have not been publicly disclosed, this disclosure is sufficient for a skilled person to rediscover the flaw, which means that there is a considerable risk that someone will systematically use it on all the phone numbers.
Edit: Ah, it's in the actual Hangouts app that you have to go to Settings. Also, if those settings are greyed out then you might not have Hangouts handling your SMS messages, so run the Messaging app instead and go to its settings to disable auto-open of MMS.
Edit: Messaging (default app) doesn't have this setting, but Messenger does. I tried Hangouts for a while but didn't like it.
Now, if you want to make calls from your Google Voice number, you must use Hangouts.
Funny how they think forcing newer apps is the solution to the G+ fiasco.
Contrary to the NPR article, somebody further down this page said this hack may affect Messenger users too. So I'm sticking with Hangouts!
That seems unlikely given that the researcher hasn't publicly released the details of the hack, and he says that "he does not believe that hackers out in the wild are exploiting it".
Whether it has actually been used, given the value of the bug, is a different story. But it should absolutely be treated as "in active use" already, especially by state or state-sanctioned actors (like Hacking Team).
We do not have a 100% reliable way to determine whether an exploit is known by others (and likely never will have), and as such there is only one reasonable assumption left to make: assume that it is out in the wild and known by others.
This isn't a new concept - threat modelling requires that you assume every worst-case possibility is reality, so that you can guard against it. This was formalized in the 19th century as Kerckhoffs's principle, and undoubtedly existed before that in military circles. This applies equally to software security.
So given that we simply don't and can't know whether it is out in the wild, the most 'correct' assumption is that it is - because that lets us protect ourselves against that worst-case scenario, which may or may not be the case.
Are you refuting that fact, or are you not refuting that fact?
Some of them could be rootkits, and have patched filesystem and process explorers to hide themselves. Some could be called virus.exe.
But no, you will never know that you haven't been compromised. In the coming weeks, we may learn about some of the specific malware that spreads this way, and you may be able to test your phone for it, but finding nothing does not mean you haven't been owned by something more exotic.
Very convenient timing for all that.
Did they edit their comment between the time you quoted it and the time I posted this comment? Or did HN's quirky rules regarding newlines (gotta put two if you want to display one) change the meaning of your comment?
They may also blast texts out to Android-only phone numbers (maybe if you gave your phone number to an Android app).
Is that possible? I haven't touched iOS in a long time.
When you send a text message from one iOS device to another, it will be blue if it was sent via iMessage, green otherwise.
Again, not sure how this could be automated en masse, but I'm sure it's possible.
Nuking MMS from orbit won't patch your phone.
- They don't read hacker news so they aren't aware of this.
- They won't be able to disable auto downloading of MMS even if they did hear about it (think grandparents)
- They won't ever get an update to their Android phone to fix it (or be able to update it if one arrived)
Instead, why don't Android phone updates work like Chrome's updates do? I installed Chrome v1 years ago on my parents' computer and today they are running version 44 (without any intervention on my behalf). They are fully up to date and protected without them having to even know about or run any sort of update.
Why? Why, if it is known to be a poorly written library, is it still part of an official release? And why the hell are client messages allowed to specify the level of media down to the library linkage? Wtf.
The author is trying to build up hype for their vulnerability. Maybe if they shit on stagefright enough they can even start selling t-shirts.
To quote moxie:
"We don't do any pre-processing that involves stagefright. There are no technical details at all available about this vulnerability (for maximum hype), but you'd have to physically tap on the media and then click through a warning about playing media insecurely before stagefright got involved."
See also: https://news.ycombinator.com/item?id=9959070
It's also probably possible to extend the patches to detect malicious input.
Someone could probably also create a video with a payload to hot patch libstagefright.
This is brilliant. Assuming that it doesn't cause further problems.
Here's a more modest idea: Google should immediately issue an update for the Hangouts and Messenger apps that at least disables automatic MMS retrieval. Many users have automatic updates for those apps turned on, or maybe at least they'll see a notification about an app needing approval to update.
Edit: And I say this because even though old phones don't get updated, their apps do. Tenuous at best, but still better than nothing.
Yes, I know that Hangouts has GV integration, but it's pretty subpar. There isn't, for example, a decent Hangouts Chrome extension.
The caveat is that MMS media attachments are not accessible in either the Google Voice Android app, or the web UI. They are (IME) only delivered as attachments to the email copy of the MMS.