30-07-2015 09:35 AM - edited 30-07-2015 09:35 AM
Hi Vodafone,
You're no doubt aware of the Stagefright Android vulnerability that has been revealed recently. Whilst it's possible to work around the security hole by avoiding Hangouts, using a different SMS client and disabling auto-retrieval of MMS messages, clearly this is a significant security issue.
I understand Google has made patches for the vulnerability available via AOSP already; do you have a date as to when you expect the patches to be rolled out to Vodafone device owners - specifically (for my personal interest) HTC Ones and Samsung Galaxy phones?
30-07-2015 09:50 AM
Hello.
Welcome to The Vodafone eForum which is a Customer to Customer help forum.
I've seen similar reports.
I'm sure the Networks are on this.
Something similar from BBC News Tech. “A bug in the Android mobile operating system has been discovered by researchers, who say it affects nearly a billion devices. The flaw can be exploited by sending a photo or video message to a person's smartphone, without any action by the receiver. Google said it had patched the problem, but millions of devices still need their software updating. The researchers said the flaw was "extremely dangerous".
Researchers from US information security company Zimperium said they believed it was one of the worst Android vulnerabilities to date, estimating that 950 million devices were affected. Hackers were able to send malicious code within a multimedia message that could access a service within Android called Stagefright. After Stagefright had been invoked, which required no action from the victim, other data and apps on the handset could be accessed by the malicious code. "These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited," the researchers wrote. Further details on the flaw will be revealed by the team, at the Black Hat security conference in Las Vegas next week.
James Lyne, global head of security research at security company Sophos, said the flaw affected a "massive array" of phones running Android version 2.2 and higher. "On some devices, the privileges at which this runs means an attacker could access all kinds of content on your device or access resources such as the camera," he said.
Rush to patch
Zimperium's researchers notified Google, which subsequently produced a patch to fix the problem. However, millions of devices currently remain unpatched because hardware manufacturers and mobile operators have to distribute updates to customers themselves, and customers can reject updates manually. In a statement, Google said: "This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no-one has been affected.
"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. "And, we'll be releasing it in open source when the details are made public by the researcher at Black Hat."”
Current Phone >
Samsung Galaxy s²³ Ultra 512gb Phantom Black.
30-07-2015 09:56 AM
30-07-2015 10:24 AM
Thanks for that. I'm aware of the implications of the vuln, and how to work around it (per my original post). My question is very specific though - when will Voda roll out the patches for this?
I understand that normally Vodafone don't predict when OS updates will be available via OTA, due to a number of factors, but it feels like they should provide some clarity here as to whether we can expect this particular patch to be deployed within days, weeks or months.
30-07-2015 11:23 AM - edited 31-07-2015 03:41 PM
One of the things I read mentioned that some messaging apps preload messages to speed up access. Google Hangouts was the one quoted, but others may do so as well. I think the implication was that the standard message app doesn't and therefore that you'd be safe as long as you didn't open any suspect message. That wasn't explicitly stated, though, but it might be an idea to switch back to something vanilla until you've got the patch.
Edited to add: I have an unbranded HTC One M9 (ie gets its updates straight from HTC with no network involvement) and that hasn't had a patch yet.
07-08-2015 02:54 PM
I haven't seen any indication from VF as to when they are going to do something about this. Also the Certifi-gate vulnerability.
How about it Vodafone?
Until there is a working patch system in place I cannot recommend Android. All OSs will have vulnerabilities, but it seems that Android is unique in not having a functional patching system. Probably because there are so many different versions. But they should have thought of that. If one of these problems gets exploited on a very wide scale, and the carriers do nothing, that will be the end of Android.
07-08-2015 03:12 PM
Saying "I cannot recommend Android" is a bit daft.
Anyone not already on Android will be buying a brand new device, and of all Android devices, they are the ones that are most likely to be immediately patched. Some new devices may already have the patch. Also, you can recommend Nexus, which will be patched immediately.
Secondly, if you're giving somebody advice about Android, just tell them to disable auto-retrieve and avoid MMS. Then the vulnerability is neutralised until they get patched. Whilst it's a big hole, it's exceedingly easy to plug from the end-user perspective.
07-08-2015 03:46 PM
So far the carriers have not shown that they can distribute and apply patches in any timely way. Nothing seems to be "immediately patched" at all.
But you are right about Nexus, I'd forgotten that. Having to use Nexus is a severe limitation of choice, but then so is iPhone, so it's a fair point.
07-08-2015 04:02 PM
Hi all
The security of our customers is our highest priority. Google has stated that currently 90% of Android devices have a technology called ASLR enabled, which offers protection to users from the Stagefright issue. We are also working with our handset suppliers to urgently enable the roll-out of security patches on devices used by Vodafone customers. This will fix all identified vulnerabilities. Some devices are already patched and others will be updated as quickly as possible. In addition, we will continue to monitor the threat level and work at the network level to protect our customers.
Thanks
K