Quadrooter – major security bug in Qualcomm Android drivers

Check Point Software claims to have found what it calls a serious set of vulnerabilities in the Qualcomm driver software shipped with the LTE chip-sets used in many Android phones. Apparently they informed Qualcomm about six months ago; Qualcomm has since fixed the drivers and issued patches, but I doubt many of the 900 million devices already sold with the affected chips will end up being patched. Qualcomm supplies around two-thirds of the LTE chip-set market.

Check Point has released an App to check whether your phone is vulnerable, but it’s up to the device manufacturers to actually push the patch on to their users. The major ones may, but the majority of handsets are of the cheaper variety, sold in third world countries, and not as well supported.

Normally I’d treat stories like this with a bit of caution, and I’ve yet to fathom exactly how it works. However, Check Point’s description is scary – and the Israeli company isn’t known for hype. Basically, the Qualcomm chip-set drivers contain flaws that allow an installed App to escalate itself to root without requesting any unusual permissions. This is bad.

Check Point’s advice is to only install Apps from Google Play, which is ironic given that as recently as this May they released a report saying you shouldn’t trust Apps from Google Play because too many nasty ones had crept in.

Android Stagefright bug gets serious

There’s a bug in all but the most recent versions of the Android operating system that can, in theory, let an attacker take over the device when the user simply views a web page or downloads a media file. It’s actually in the Stagefright library, and it was the talk of Black Hat last August. Back then it was considered hard to exploit in practice, but security researcher Hanan Be’er at North-Bit in Israel has now published a paper showing it’s very dangerous.

Stagefright is the media processing library found in every version of Android you’re likely to meet. It parses any media file that arrives on the device, whether to play it, preview it or index it, so a specially crafted file can crash it before you have even chosen to play the file. However, turning that crash into a “break out” that does something nastier has been difficult.

Android has had Address Space Layout Randomisation (ASLR) since version 4.0, and full ASLR (position-independent executables) since 4.1. Basically the memory layout is shuffled randomly every time a process starts, so malicious code doesn’t know where anything else is, making attacks more difficult; this is what made exploiting Stagefright’s flaws a lot harder. Android 2.2 to 4.0 have no ASLR and were always known to be easy targets, and the assumption that ASLR protected everything newer has been the subject of much complacency. Google has released fixes for the bug, known as CVE-2015-3864, but by no means have all the Android devices been updated. I guess that the vast majority have not, including recent ones running Android 5.x. The infrastructure for updating Android simply doesn’t exist. Apple’s devices are very exploitable, but at least they have a mechanism for updating them.

So how does the North-Bit exploit work? It’s actually very straightforward. First you deliver a dodgy video file to the device; putting it on a web page is the obvious, easy method. This crashes the process hosting Stagefright, which restarts in a known state. JavaScript running on the same page then harvests information about the system, such as where libc has been loaded, and sends it back to the attacker. A second video file is crafted using that information and served to the page, and it’s game over; possibly after a few tries, but North-Bit says the exploit is reliable.

How worried should we be? I’d say we should be very worried. Unless your device manufacturer and/or mobile network rolls out the patch, I can’t see any mitigation.

iZettle contactless payments on American Express (Amex)

Since I reviewed iZettle’s new contactless card reader there have been a few updates to the App, and after the initial teething problems I’m happy to report that it’s been working flawlessly hereabouts.

iZettle Bluetooth Card Reader

The latest update is to support contactless payments on American Express. This came as a bit of a surprise, as I assumed it already did! It just goes to show how important Amex is…

You need to do a firmware update. You get this by connecting to your tablet/phone and running the iZettle App. Then go to Settings/Card Readers and select Update. I’ll let someone else try it first, as I can live without the functionality for a while longer.

This does not, of course, work on the freebie iZettle reader – only the Bluetooth one that you pay money for. Don’t be cheap – it’s good!

This update means contactless support covers Visa, MasterCard, Apple Pay and Amex. I have to say that I’ve yet to find a card in the UK it couldn’t use, one way or another.

iZettle now works with Apple iOS 9(.1)

I’ve just had a note to say that Apple has released a new version of its smartphone/tablet system that fixes the Bluetooth bug in version 9.0 that prevented iZettle readers from connecting. So fanbois can now upgrade their fondleslabs without cutting off their revenue stream.

For details see here: https://www.izettle.com/gb/help/articles/2122036

On the Android front, the teething problems with the iZettle 3.0 software (the one that works with contactless) seem to have been fixed with version 3.0.1, although 3.0.2 also turned up a couple of days ago. Given some harsh testing here, it was impossible to get version 3.0.1 confused by turning things on in the wrong order. However, some people have taken to the Play Store to say it’s still broken. It could be that it’s incompatible with their handsets (they don’t say which version of Android they’re using); it could also be that they’re using the cable-connected version, which always seemed to be on the cusp of working reliably at the best of times.

While they were at it, they’ve fixed a few oddities in the user interface, so you can now just put through a payment without having to add it to the cart first (one of the points I made in the original review).

I’d be interested to hear details if anyone is still having trouble, and I may be able to help.

Edward Snowden says smartphones can be taken over by text message

Edward Snowden – is he having a laugh, or is it BBC Panorama?

The most incredible revelation has just appeared on the BBC News web site. Apparently Edward Snowden has revealed in a Panorama interview that smartphones can be taken over by sending them an SMS.

“The former intelligence contractor told the BBC’s Panorama that UK intelligence agency GCHQ had the power to hack into phones without their owners’ knowledge.” it begins. It continues with “Mr Snowden said GCHQ could gain access to a handset by sending it an encrypted text message and use it for such things as taking pictures and listening in.”

That’s pretty specific, and as I said, incredible. For anyone with a shaky knowledge of the English language, “incredible” means difficult or impossible to believe. If it were true, then one of the following must also be true:

  1. All the handset makers in the world would have to pre-install a wedge to intercept SMS traffic before the OS got to the hardware.
  2. Apple would have to be in on it; and there would have to be something hidden in the publicly available Android source code that no one had noticed.
  3. All the hardware used in smartphones would have the ability to intercept SMS and implement a hypervisor to manipulate the OS in a way I can’t even comprehend (and with the chip makers’ collusion).

None of the above strikes me as very likely, so if there is any truth in it, what could it be?

The obvious answer is that GCHQ and the NSA have some dodgy Apps which, if you install them and give them permission, could do things on receipt of an SMS. Not such a big deal – criminals are doing this and I’d be surprised if governments weren’t in on that game too. He could also be referring to known exploits in some phone OSs that could be used to compromise their security. But the BBC quote is clear that this is something “new”, and applies to all, or at least the majority of, smartphones. It does not say “some handsets”; the implication is clearly that all handsets can be pwned by the spooks whenever they want. I’ve kept the text of the original article, as I suspect they’ll be needing to change it!

It could also be that Mr Snowden is being grossly mis-represented in a case of sloppy journalism, or in a deliberate attempt to hype the forthcoming Panorama program. The term “encrypted text message” rings an alarm bell here; no one who knew anything about the subject would have used the word “encrypted” to refer to a specially crafted or encoded message.

Or it could be that the publicity-seeking Mr Snowden has sold some credulous hacks a fairy story and they’ve lapped it up.

Stagefright on Android

This is a quick post as I’m a bit busy at the moment, but it’s worth saying something about this serious Android security flaw.

As I understand it, the problem is a set of memory-corruption bugs (integer overflows leading to buffer overruns) in libstagefright, the library Android uses to parse media files. MMS is the frightening delivery route because the messaging App fetches and parses attachments automatically, so on receipt of a specially crafted MMS an attacker can take control of the media server process without the user opening anything. On Android 4 or later that means access to SD card data, your camera and microphone and other awkward stuff. On Android 2 they get the whole phone. I’ve yet to be convinced that this is a game-over type problem on Android 4, but it’s bad enough. On earlier versions of Android, it’s a complete disaster.
The solution, of course, is to get a software update from your phone manufacturer. Good luck waiting for that to arrive.

My advice in the meantime is to disable MMS messages completely. I do this by default, because I think they are ridiculously overpriced and there are plenty of other alternatives such as email or even Instagram (so I’m told by the teenagers hereabouts).

If you want to disable MMS, proceed as follows:

Go to the phone’s Settings. The last entry under “Wireless and Networks” will be “More…”.

Here you will find “Mobile networks”, and under that “Access point names”. On dual-SIM phones you will now have to choose each SIM in turn; otherwise you’ll go straight to a list of APN profiles, which may contain only one entry.

Choose the entry that is selected, i.e. the one you are using. What you find next depends on your version of Android, but somewhere down the list there will be an MMSC (MMS service centre) field containing a URL beginning with http:// and looking like a web address. Simply delete the contents of this field, and while you are at it clear the “MMS proxy” entry if there is one; this tends to be a dotted quad, i.e. an IP address.

Save the profile and the phone will no longer be able to send or receive MMS messages. If you’d rather keep MMS working, a less drastic option is to turn off automatic retrieval of MMS in your messaging App’s settings: the attachment is then only fetched (and parsed by Stagefright) if you choose to download it, so you still need to be careful about what you download.
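If you have USB debugging enabled, you can verify the change from a PC rather than trusting the Settings screen. The script below is an added example, not part of the original post: it reads the APN table through the telephony content provider with `adb shell content query` and reports any profile in use that still has an MMSC URL or MMS proxy set. The column names and the `Row: 0 name=..., mmsc=...` output format are those of the `content` command; the sample output is constructed for the example and the carrier details in it are invented.

```python
"""Verify that MMS is really disabled on an Android handset.

Added example (not from the original post). The APN table lives in the
telephony content provider; `adb shell content query` against it prints one
line per APN in the form "Row: 0 _id=1, name=..., mmsc=..., ...", which is
what parse_rows() understands. SAMPLE_BEFORE/SAMPLE_AFTER are constructed
output, standing in for a handset before and after the MMSC was cleared.
"""
import re
import subprocess

# Assumed invocation: columns are those of the carriers table; `current=1`
# marks the APN profile the handset is actually using.
ADB_QUERY = [
    "adb", "shell", "content", "query",
    "--uri", "content://telephony/carriers",
    "--projection", "_id:name:apn:mmsc:mmsproxy:mmsport:current",
]

ROW_RE = re.compile(r"^Row: \d+ (.*)$")


def parse_rows(output):
    """Turn `content query` output into a list of {column: value} dicts.
    NULL columns become empty strings so that "no MMSC" tests the same way
    whether the field was never set or was blanked in Settings."""
    rows = []
    for line in output.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue            # blank lines, "No result found.", etc.
        fields = {}
        for pair in match.group(1).split(", "):
            key, _, value = pair.partition("=")
            fields[key] = "" if value == "NULL" else value
        rows.append(fields)
    return rows


def mms_exposure(rows):
    """Names of APN profiles in use that can still fetch MMS attachments,
    i.e. that have an MMSC URL or an MMS proxy set."""
    return [
        row.get("name", "?")
        for row in rows
        if row.get("current") == "1" and (row.get("mmsc") or row.get("mmsproxy"))
    ]


def check_handset():
    """Run the query against the attached device (needs adb and USB debugging)."""
    result = subprocess.run(ADB_QUERY, capture_output=True, text=True, check=True)
    return mms_exposure(parse_rows(result.stdout))


# Constructed sample output: one active profile with MMS configured and one
# old, inactive profile. Carrier names and addresses are invented.
SAMPLE_BEFORE = """\
Row: 0 _id=1, name=Example Mobile, apn=internet.example.net, mmsc=http://mmsc.example.net/mms, mmsproxy=10.0.0.1, mmsport=8080, current=1
Row: 1 _id=2, name=Old profile, apn=internet, mmsc=http://mms.old.example, mmsproxy=NULL, mmsport=NULL, current=NULL
"""

# The same handset after the MMSC and proxy fields were deleted in Settings.
SAMPLE_AFTER = """\
Row: 0 _id=1, name=Example Mobile, apn=internet.example.net, mmsc=, mmsproxy=NULL, mmsport=NULL, current=1
Row: 1 _id=2, name=Old profile, apn=internet, mmsc=http://mms.old.example, mmsproxy=NULL, mmsport=NULL, current=NULL
"""

if __name__ == "__main__":
    print("before:", mms_exposure(parse_rows(SAMPLE_BEFORE)))   # ['Example Mobile']
    print("after: ", mms_exposure(parse_rows(SAMPLE_AFTER)))    # []
```

Only the profile marked `current=1` matters, which is why the old profile with an MMSC left in it is not reported; on a dual-SIM phone each SIM has its own current profile, so expect a name per SIM until both are cleared.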

Does the iZettle card reader work on Android 5.0 (Lollipop)?

The iZettle card payment system is well worth a look. The company is very SME friendly, unlike the traditional card handlers. There’s no standing charge or per-transaction charge, and their percentage cut is fair.

Unfortunately they’re all Apple Fanbois, in spite of Android having 90% of the mobile market, and functionality on the most important platform lags. Everyone complains about it. But they’re such nice people when I speak to them on the phone, I still like them.

One case in point is that iZettle have finally launched a contactless reader. Yeah! Unfortunately the contactless feature only works on Apple, although my sources say that an Android upgrade is in development.

The contactless reader replaces the Bluetooth-connected Pro version. In fact it’s the Pro version with an NFC reader built in, and it costs an extra £10, at £80+VAT (bargain).

If you’re a real tightwad there’s the £30+VAT (or free) blue keypad, which is actually quite a solid piece of kit, but it connects to the device through the headphone socket, modulating its data onto bursts of audio carrier (judging by the sound of it). What could possibly go wrong?

Well, having tried it with Android 5.0 (Lollipop) I can tell you that it’s not going to work beyond Android 4.x until they fix the App. Version 2.5.1 of the iZettle App was supposed to support Lollipop, but take it from me, the support is far from complete.

Bluetooth Reader does work

I gave up and ordered the Reader Pro Contactless, the current bluetooth-connected unit, and I’m happy to report that seems to work perfectly. I was up and running within a minute; just pair it and off you go. For what it’s worth, this was with a Doogee DG700 with Android 5.0. iZettle is planning to release an update so it will make contactless payments, and (in theory), this will work.

Note that iZettle replaced the Reader Pro with the Reader Pro Contactless recently. They look the same. I have a hunch the older one will also work.

 

Google Nexus TV uses Atom

The Nexus TV box (sold as the Nexus Player) that Google just announced is the company’s latest attempt to take over the living room (after Chromecast). This one runs Android 5, so punters can download and run Apps from Google Play. This will include games, of course, and there is to be an optional games hand controller. However, what no one seems to have noticed is that the Nexus TV box has an Intel processor, not an ARM.

Simple Apps are written in Java and compiled to CPU-independent bytecode for the Android runtime (Dalvik on older versions, ART from Android 5), which runs it on whatever processor the device has. But when high performance is needed, code is written in C or C++ and compiled to native machine code with the NDK, and that code is built for one specific architecture. This hasn’t been much of a problem thus far, because almost every Android device on the market has used an ARM core, so the native libraries have all been ARM machine code; an ARM-only App simply won’t install on an x86 device unless the device ships an ARM-to-x86 translation layer, which some Intel-based Android devices do. I wonder how many games are written this way? Quite a few, probably.
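You can see for yourself which architectures a given App supports, because an APK is just a zip file and the NDK-built libraries sit under lib/<abi>/. The script below is an added example, not Google’s or the NDK’s own code: it lists the ABIs an APK ships native code for and mimics the installer’s choice against a device’s supported-ABI list (real devices report theirs with `getprop ro.product.cpu.abilist`). The sample APKs and the two device ABI lists are constructed for the example.

```python
"""Which CPU architectures does an APK's native code support, and will it
install on a given device?

Added example, not Google's or the NDK's own code. An APK is a zip file; the
native libraries built with the NDK sit under lib/<abi>/, and the package
installer picks the first ABI in the device's preference list that the APK
provides. The APK contents and device ABI lists below are constructed for
the example (real devices report theirs via `getprop ro.product.cpu.abilist`).
"""
import io
import zipfile


def native_abis(apk):
    """Set of ABIs for which the APK ships native libraries (lib/<abi>/*.so).
    `apk` may be a path or a file object. An empty set means the App is pure
    bytecode and runs on any architecture."""
    abis = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                abis.add(parts[1])
    return abis


def chosen_abi(apk_abis, device_abilist):
    """Mimic the installer's choice. Returns the ABI whose libraries the device
    would load, "any" for a bytecode-only App, or None when nothing matches
    (the install then fails with INSTALL_FAILED_NO_MATCHING_ABIS)."""
    if not apk_abis:
        return "any"
    for abi in device_abilist.split(","):   # listed most-preferred first
        if abi in apk_abis:
            return abi
    return None


def make_apk(entries):
    """Build an in-memory zip standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"\x7fELF")   # placeholder contents
    buf.seek(0)
    return buf


# Three sample Apps: an ARM-only game with NDK code, a "fat" build that also
# carries x86 libraries, and an App with no native code at all.
ARM_ONLY_GAME = ["classes.dex", "lib/armeabi-v7a/libgame.so"]
FAT_GAME = ["classes.dex", "lib/armeabi-v7a/libgame.so", "lib/x86/libgame.so"]
BYTECODE_ONLY = ["classes.dex", "res/layout/main.xml"]

# Assumed device ABI lists: a typical ARM phone, and an Intel Atom box that
# has no ARM translation layer.
ARM_PHONE = "armeabi-v7a,armeabi"
ATOM_BOX = "x86"


def report(device_abilist):
    """Which of the three sample Apps would install on the device, and how."""
    return {
        "arm-only game": chosen_abi(native_abis(make_apk(ARM_ONLY_GAME)), device_abilist),
        "fat game": chosen_abi(native_abis(make_apk(FAT_GAME)), device_abilist),
        "bytecode only": chosen_abi(native_abis(make_apk(BYTECODE_ONLY)), device_abilist),
    }


if __name__ == "__main__":
    print("ARM phone:", report(ARM_PHONE))
    print("Atom box: ", report(ATOM_BOX))
```

Point `native_abis()` at a real .apk pulled off a phone with `adb pull` and you get the same answer the installer will; an Intel device that includes an ARM translation layer lists armeabi-v7a in its abilist too, which is why the ARM-only game would still install there.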

Tesco has also just launched a non-ARM Hudl tablet. The mass media has yet to comment.

Don’t write off the iPhone just yet

This may seem an odd premise, given that Apple flogged 4 million of the new iPhone 6 units as soon as it was launched. It doesn’t sound like a failure. But I’m hearing voices…

The theory is that the smartphone market is saturated. In the US, an often quoted statistic is that 75% of Americans already have one. In the UK, research from Deloitte puts the figure at 72% a year ago, rising at about 15% a year. Selling something everyone already has is not a good place to be.

Then there’s the inexorable rise of Android. Google announced the low cost, very capable and very affordable Android One phone in June. Never heard of it? Well it’s not available in the west – they’re going after the huge third world market, starting with India. There are a billion punters there, eager for western tech. And the same with China, although they can make their own (as well as handsets for the rest of the world).

Generic Chinese Android handsets are good. I have one. It takes two SIMs at once and works under water, at a fraction of the price of a western branded unit. Manufacturers like Huawei, ZTE and Foxconn own this space and will be hard to shift. Google doesn’t make money from Android, and I doubt that the Android One will contribute much to their balance sheet. But Google is a data capture company, and having Google-controlled smartphones out there is strategically very good.

So, Apple must be doomed – a saturated market and cheaper smartphones that do it better. But that’s never been a problem for Apple’s business model.

Apple’s products are aspirational – they say, “Look at me – I’m wealthy enough to spend £100s every year for the latest iPhone and therefore I’m a good prospect when it comes to making babies.” The more they cost, the more people want them. Fanbois may protest, saying that iPhones work better (not so) and look nicer. Sony sells nice looking kit too, but is forecasting a $1.2B loss from its Android smartphones. The same with HTC; it’s just breaking even on declining sales. Samsung is making a good profit ($6B), but there’s a suspicion this has been generated on a huge marketing spend.

Apple doesn’t need to spend too much on marketing. It just has to look cool and remain aspirational.

According to Juniper, shipments of smartphones will be close to 1.2B units this year (with 985M shipped in 2013). That’s a high volume, but if it’s the Android One and low cost units going to emerging markets (those not yet saturated), the bulk of that will be making meagre profit.

Apple, on the other hand, makes a very nice margin, thanks. Fanbois will happily hand over $100s simply to have one with more flash memory; several thousand percent more than the memory itself costs elsewhere. They’ll accept that the limited-life battery is sealed inside and will die, taking the iPhone with it in a couple of years. They’ll accept that there’s no memory card slot as an alternative to buying the ridiculously expensive internally upgraded models. They’ll even put up with the poor telephone performance; after all the screen looks very nice (don’t tell them that Samsung beat them to it).

I used to work with Cupertino in the late 1970s and early 1980s – lots of people did because the Apple II was a major player; a de-facto standard. Then in 1981 the IBM PC was launched, became the new de-facto standard and Apple was marginalised with the Mac, losing market share big time until it was less than 10%. 25 years ago I was discussing their demise with Guy Kewney, a good and wise pundit and friend. “You’re wrong”, he said. “The PC market is much bigger. Other PC makers would be very happy to have 9% of the current market, and they have much lower margins than Apple.”

Kindle not on Fire

Amazon has just launched a Kindle for £89 in the UK, beating the price of its previous model by £20. It’s 30% lighter and 20% smaller too. This is no big deal: they’ve simply chopped off the alphanumeric keyboard and replaced it with a few buttons, removed the audio playback and cut the battery size in half.

I don’t think much of it. The original Kindle at £109 (£149 with 3G) looks well worth the extra.

In the US, Amazon has launched additional models: Kindle Fire and Kindle Touch. The Touch dispenses with all keys in favour of a touch screen. It comes with or without 3G and is clearly intended as the new standard model. The Kindle Fire isn’t a Kindle at all – it’s a 7” Android Tablet.

I’m not impressed. They’re using the Kindle brand to flog a fairly standard tablet. I’m sure it’s a fine Android tablet as Android tablets go, but a colour version of the Kindle e-book reader it isn’t. It’ll rip through batteries at the same rate as every other tablet, and its colour screen will be just as hard to read in bright sunlight – the two problems overcome by the original Kindle’s e-paper display.

Comparing the Kindle Fire to the iPad 2: well, it’s half the price but lacks the cameras, and has only 8GB of storage. It’s also Android rather than iOS (if that matters to you). And once Amazon’s exchange rate is applied it’ll probably be about the same price here; and a lot more expensive than other Android tablets already available.

One distinguishing feature is the new Amazon browser – Silk. Whatever else it does, it’s designed to work with Amazon’s cloud servers to cache content and “speed things up”. Hmm. Sounds like Phorm’s notorious Webwise system all over again. Okay if you don’t mind Amazon data mining your web traffic.

Another strange feature is the pricing. The Touch and Fire aren’t available in England yet (the US launch is set for 15th November, no date for here). The US prices for all Kindles are substantially lower.  (Note that the original Kindle has been renamed the Kindle Keyboard).

                      England    USA
Kindle Keyboard       £109       $99
Kindle Keyboard 3G    £149       $139
Kindle (buttons)      £89        $79
Kindle Touch          (£112)     $99
Kindle Touch 3G       (£168)     $149
Kindle Fire           (£224)     $199

The figures in brackets are my calculation, using Amazon’s astonishing exchange rate of £1 = $0.89 (i.e. about £1.12 to the dollar), which is the rate implied by the UK and US prices of the models already on sale. All this talk in the UK media about these new models being cheap is overlooking this point.

It might explain why Amazon isn’t launching the Fire in England any time soon.

Update October 2012

The Kindle Fire is now available in England, from Tesco in fact, with a price tag of £130 including tax. At this price it’s a whole lot more interesting. Both the Kindle Touch and standard Kindle are £70, although the former is on “special offer”. The 3G versions are a lot more. It looks like I was right about the pricing <smug>