Tag Archives: vulnerability

5 Year Old Qualcomm Bug Leaves Many Phones Vulnerable

A 5-year-old bug in a Qualcomm chipset used in many Android phones allows a hacker to elevate their privileges and read SMS and call history data, change system settings or disable the lock screen.

Hackers could exploit this bug by having physical access to an unlocked phone or by getting a user to install a malicious app.

The bug affects older versions of the Android OS, like version 4.3 and earlier, the most. Since that software is likely not supported by anyone, those phones likely will never be patched.

The Android OS added something called Security Enhancements for Android in version 4.4, which reduces the problem significantly but does not eliminate it. This is the main reason why Apple tries really hard to force people to upgrade OS versions, even if it means that they have to trash their old phones.

Congress is now investigating the issue of OS support in old phones (yes – we’re from the government and we’re here to help you), however, that is unlikely to change anything any time soon.

Google released a patch for this bug on May 1, but given the carriers’ track record at releasing patches, it is likely going to be months before most users see that patch – if ever. Google says that Nexus phones are not vulnerable to this – I assume this means that they do not use the Qualcomm chip that is at the heart of this problem.

For any given user, it would be difficult to figure out whether their particular phone is susceptible, but users running Lollipop (V5) and Marshmallow (V6) are likely least affected.

One more time, Apple beats Google because they control the supply chain end to end. In a closed world, where one company makes the phones and the OS, they can force patches quickly. In the Android world, Google can release patches and patch their Nexus phones, but have very little control over the handset makers like LG and Samsung or the carriers like AT&T or Sprint.

Congress could potentially have some impact here, but I am not counting on them doing anything smart.  They do not seem to have a good track record.


Information for this post came from Ars Technica.


Uber Is Uber Bad

Ars Technica is reporting that Uber is scrambling to try to recover from an itty bitty problem. Apparently, someone posted Uber source code (probably an Uber employee) to the public source code repository GitHub. GitHub is a wonderful tool for storing open source software code in a way that is easy for developers to share.

Only one teensy, weensy problem.

This code contained the userid and password to access Uber’s driver database and someone – at least one someone – downloaded the database of personal information on every single Uber driver.

Oops!

Now Uber is trying to get GitHub to tell them every single person who accessed that code.  I don’t know enough about GitHub to know if they even keep records like that – they may well not do that for a variety of reasons and certainly are not legally required to do that.

This is an example of the supply chain problem that I was talking about in my previous post, only slightly twisted. Let’s say this was the code to a library that you licensed, and that code contained sensitive information and was publicly available.

Just so that no one is deluded into thinking this is an isolated problem, the Ars folks ran a simple query against GitHub and came up with 296,000 entries similar to the Uber problem (server names, IP addresses, userids and passwords).

A similar search for WordPress came up with 2,000,000 matches.

While some of these did not contain the actual password value and other servers were not accessible from the public Internet (however, a hacker who hacks into the company using other means could still use those credentials to get at the database), many of them seem to point to production servers, accessible from the Internet, with userids and passwords. For obvious legal reasons, Ars did not try to log in to any of those servers.

Let’s assume that 30% of the entries are valid – either internally or externally and only 20% are accessible externally.

20% of 296,000 means that almost 60,000 web sites and 400,000 WordPress sites are vulnerable.

This search was hardly exhaustive and GitHub is only one such public repository.
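The kind of line that search turned up (a credential key assigned a literal value, next to the host and username that tell you where it works) is easy to catch before it ever reaches a public repository. The following is an added example, not Uber’s code or anything from the Ars article: a small pre-commit style scanner run over constructed sample files. The file names, the values in them and the regular expressions are all my own assumptions; a real hook would call the same logic on the files staged for commit.

```python
import re
from dataclasses import dataclass

# Constructed sample repository contents (not Uber's code): the kinds of lines
# a public-repository search like the one described above would turn up.
SAMPLE_FILES = {
    "config/database.yml": (
        "production:\n"
        "  adapter: postgresql\n"
        "  host: db-prod.example.internal\n"
        "  username: drivers_app\n"
        "  password: Hunter2!Secret\n"
    ),
    "settings.py": (
        "DEBUG = False\n"
        "DB_HOST = '10.0.12.7'\n"
        "DB_PASSWORD = os.environ.get('DB_PASSWORD')\n"
        "API_KEY = 'AKIAEXAMPLEKEY0000000'\n"
    ),
    "README.md": "Set the password via the PASSWORD environment variable.\n",
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str   # "credential" (a literal secret) or "context" (host/user)
    text: str   # the offending line, with a credential value masked


# A credential-named key assigned a literal value, e.g. `password: x` or
# API_KEY = 'x'. Group 2 is the value, so it can be masked in the report.
CREDENTIAL = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)"
    r"\s*[:=]\s*['\"]?([^'\"\s#]+)['\"]?\s*$"
)
# Values pulled from the environment are the right way to do it; exempt them.
ENV_LOOKUP = re.compile(r"(?i)(environ|getenv|\$\{?[A-Z_]+)")
# Hosts and usernames are not secrets on their own, but next to a password
# they tell an attacker exactly where the credential works.
CONTEXT = re.compile(r"(?i)(host|server|user(name)?|ipaddr)\s*[:=]\s*['\"]?([\w.\-]+)")


def scan_text(path, text):
    """Scan one file's contents and return the findings for it."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CREDENTIAL.search(line)
        if m and not ENV_LOOKUP.search(line):
            masked = line[:m.start(2)] + "***"      # never echo the secret itself
            findings.append(Finding(path, n, "credential", masked.strip()))
        elif CONTEXT.search(line):
            findings.append(Finding(path, n, "context", line.strip()))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the files staged for a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def should_block_commit(files):
    """True when any literal credential is present: the hook's verdict."""
    return any(f.kind == "credential" for f in scan_files(files))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.text}")
    print("block commit:", should_block_commit(SAMPLE_FILES))
```

On the sample files the scanner blocks the commit on the YAML password and the literal API key, while the `os.environ.get(...)` lookup and the README sentence pass. The context findings (host, username) are reported but do not block on their own; they are there so whoever reviews the report sees the whole picture the credential would give away.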

THIS IS A SUPPLY CHAIN PROBLEM OF SIGNIFICANT MAGNITUDE.

Mitch


In Honor Of Super Bowl Week – NFL Mobile App Is Like Swiss Cheese

Dark Reading is reporting that the NFL mobile app has a few problems in it – not so much different than NFL officiating.

Wandera performed a scan of the app and discovered that after a successful login, the app leaks your credentials in an unencrypted API call. In addition, it leaks your login name and email address too (which is probably enough to do a password reset).

That is enough, they say, to get the hacker into the user’s NFL web page, which is also unencrypted, which would allow the hacker to siphon off your address, phone number, occupation, date of birth, gender, if the user entered that in their profile.

As a side note, all they use that for is to push ads to you, so if possible, I recommend NOT entering that data, and if they require you to do so, then enter bogus data. You may have to enter an occupation, but who says that you are not a mortician or clean septic tanks for a living? There is no data validation. And, as you go from site to site, enter different information – just to mess with the ad data people.

Anyway, back to the NFL. Wandera did not try making a purchase, but given the above information, the security there is pretty suspect as well.

Since many users reuse passwords, getting their NFL.com password may give the hacker access to someone’s email or Amazon account too.
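What Wandera did amounts to watching the app’s own traffic and checking which requests carry credentials or identity data over plain http. The following is an added example, not Wandera’s tool and not anything from the NFL app: an audit function run over a constructed log of four requests, the kind of check a QA or app-security team would run against a proxy capture before release. The host names, field names and the sample requests are my own assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Fields whose values should never travel over an unencrypted connection.
# "password" and friends are credentials; "username"/"email" are the identity
# data the post describes as enough to drive a password reset.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "token", "session_id"}
IDENTITY_FIELDS = {"username", "user", "login", "email"}
SENSITIVE_FIELDS = CREDENTIAL_FIELDS | IDENTITY_FIELDS

# Constructed sample traffic (not captured from any real app): each entry is
# one request as a proxy or test harness would log it.
SAMPLE_TRAFFIC = [
    {"method": "POST", "url": "https://api.example.com/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=fan42&password=GoTeam2016"},
    {"method": "GET",
     "url": "http://api.example.com/v1/profile"
            "?username=fan42&password=GoTeam2016&email=fan42%40example.com",
     "headers": {}, "body": ""},
    {"method": "GET", "url": "http://cdn.example.com/scores.json",
     "headers": {}, "body": ""},
    {"method": "POST", "url": "http://api.example.com/v1/session",
     "headers": {"Authorization": "Basic ZmFuNDI6c2VjcmV0"},   # fan42:secret
     "body": ""},
]


def sensitive_fields_in(request):
    """Return the set of sensitive field names present anywhere in the request."""
    parts = urlsplit(request["url"])
    found = set()
    # Query string and form body are both just key=value pairs.
    for params in (parse_qs(parts.query), parse_qs(request.get("body", ""))):
        found |= {k.lower() for k in params} & SENSITIVE_FIELDS
    # Basic and Bearer credentials ride in the Authorization header.
    auth = request.get("headers", {}).get("Authorization", "")
    if auth.startswith(("Basic ", "Bearer ")):
        found.add("authorization")
    return found


def audit_traffic(traffic):
    """Flag every request that carries sensitive fields over plain http."""
    findings = []
    for req in traffic:
        scheme = urlsplit(req["url"]).scheme.lower()
        fields = sensitive_fields_in(req)
        if scheme != "https" and fields:
            findings.append({"url": req["url"], "fields": sorted(fields)})
    return findings


if __name__ == "__main__":
    for hit in audit_traffic(SAMPLE_TRAFFIC):
        print(f"{hit['url']} sends {', '.join(hit['fields'])} unencrypted")
```

The https login is fine and the public scores file carries nothing sensitive, so only the second and fourth requests are flagged: the profile call that repeats the username, password and email in a cleartext query string, and the session call that sends Basic credentials over http. Note that this is a client-side defect: every flagged request is built by the app before it leaves the phone, which is why a back-end change alone cannot stop the data from crossing the network in the clear.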

I recommend that if you are going to reuse passwords, break them into categories. One category I call trash sites are sites that have the lowest possible security needs and least sensitive data (at least as long as you told them that you were 92, female, lived in Paris, France and were a jockey). The NFL.com site would fall into that category. At least that way, if that password was compromised, nothing else important would be compromised.

But here is the best part. The NFL, like politicians, loves to spin things. Their answer to this issue was:

According to an NFL spokesman, the league is aware of the vulnerability and has made fixes to protect users on the back-end of the app, so no updates are necessary.

Obviously, this answer is total bulls&*t, but they probably figure most fans will trust them implicitly – like they trust the referee’s calls. There is NOTHING they can do, technically, on the back end to fix this problem. Can’t be done. Total lie.

My suggestion is don’t fill out your profile and don’t purchase anything from their web site – buy stuff somewhere else.

Mitch
