Sunday, October 26, 2008

Security Hole Found In Google Android

A team of security researchers found a security hole in the T-Mobile G1 phone that allows for redirecting of the G1’s web browser to a malicious web site.

Charlie Miller of Independent Security Evaluators in Baltimore told the New York Times that he notified Google of the flaw earlier this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers.

According to the New York Times, Google executives have acknowledged the issue but said that the phone's security features would limit the extent of the damage an intruder could do. Google says, "the Google phone creates a series of software compartments [boxes] that limit the access of an intruder to a single application."

Essentially, each application runs independently of the others; if one is compromised, it has no effect on any of the others.

“We wanted to sandbox every single application because you can’t trust any of them,” said Rich Cannings, a Google security engineer. He said that the company had already fixed an open-source version of the software and was working with its partners, T-Mobile and HTC, to offer fixes for its current customers.

Typically, today’s computer operating systems try to limit access by creating a partition between a single user’s control of the machine and complete access to programs and data, which is referred to as superuser, root or administrative access.

According to Miller's findings, the danger comes from within the Web browser partition on the phone. It would be possible, for example, for an intruder to install keylogger software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords. The basic description of what the ISE team did is posted here.

A user of an Android phone who uses the web browser to surf the internet may be exploited if they visit a malicious page. Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the web browser application. We have a very reliable exploit for this issue for demonstration purposes. This exploit will not be released until a fix is available.
The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly. This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised. For more information on the security of the iPhone, visit ISE's site describing the first exploit of an iPhone security vulnerability here.

Even though they had already been working on a fix, Google complained that Miller didn't give them enough time to come up with a solution before going public with the flaw.

If the names Independent Security Evaluators and Charlie Miller sound familiar, that would be because Mr. Miller and ISE are noted for hacking the MacBook Air in under two minutes at this year's CanSecWest security conference.
