12-11-19 02:23 PM
63 123
tools
  1. bb10adopter111's Avatar
    Recently, security researchers Checkmarx announced a very serious vulnerability in Android phones that affects hundreds of millions of users. So far, Google and Samsung have admitted that their phones are affected, but the reality is that most other Android phones, including BlackBerry Android, may also be affected. Sometimes we get so used to these announcements that we treat them as background noise, but that's a mistake.

    It's worth noting the way this set of vulnerabilities operates:

    The vulnerabilities themselves (CVE-2019-2234) allowed a rogue application to grab input from the camera, microphone as well as GPS location data, all remotely. The implications of being able to do this are serious enough that the Android Open Source Project (AOSP) specifically has a set of permissions that any application must request from the user and be approved before enabling such actions. What the Checkmarx researchers did was to create an attack scenario that abused the Google Camera app itself to bypass these permissions. They did so by creating a malicious app that exploited one of the most commonly requested permissions: storage access. “A malicious app running on an Android smartphone that can read the SD card,” Yalon said, “not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will.”
    One might ask, "How the Hell can it be so easy to bypass user permissions for something as critical as the camera, microphone, and GPS?!" And, that's a very good question. The answer is that Android has erred on the side of adding features and making things convenient for users to the point that it's simply irrational to place much trust their security model. GPS, camera, and microphone access are about as fundamental to privacy and security as any feature can be on a phone, but, at the same time, users want their phones to operated seamlessly as they create photos and videos and scroll through their media to share them with their contacts and social channels. Rather than make it slow and inconvenient to share media between applications, Android has erred on the side of functionality over security, as a design principle. The result is that readily exploitable vulnerabilities like this are all too common.

    I know from experience that some people on these forums will say that this isn't a big deal. I have nothing to say to those who do not think that the things they do and say while using their phone deserve protection. For those, like me, who think that a HUGE vulnerability like this should not be possible in the first place, I can only say that I believe you're right. But, building in such safeguards would require a completely different set of design principles, with security at the core, than is exhibited by the Android development team.

    For more on this set of vulnerabilities: https://www.checkmarx.com/blog/how-a...android-camera

    A video of the Proof of Concept was posted on YouTube:
    Last edited by bb10adopter111; 11-19-19 at 03:57 PM.
    Tsepz_GP, zephyr613 and Invictus0 like this.
    11-19-19 03:37 PM
  2. Dunt Dunt Dunt's Avatar
    Recently, security researchers Checkmarx announced a very serious vulnerability in Android phones that affects hundreds of millions of users. So far, Google and Samsung have admitted that their phones are affected, but the reality is that most other Android phones, including BlackBerry Android, may also be affected. Sometimes we get so used to these announcements that we treat them as background noise, but that's a mistake.

    It's worth noting the way this set of vulnerabilities operates:



    One might ask, "How the Hell can it be so easy to bypass user permissions for something as critical as the camera, microphone, and GPS?!" And, that's a very good question. The answer is that Android has erred on the side of adding features and making things convenient for users to the point that it's simply irrational to place much trust their security model. GPS, Camera, and microphone access are about as fundamental to privacy and security as any feature can be on a phone, but, at the same time, users want their phones to operated seamlessly as they create photos and videos and scroll through their media to share them with their contacts and social channels. Rather than make it slow and inconvenient to share media between applications, Android has erred on the side of functionality over security, as a design principle. The result is that readily exploitable vulnerabilities like this are all too common.

    I know from experience that some people on these forums will say that this isn't a big deal. I have nothing to say to those who do not think that the things they do and say while using their phone deserve protection. For those, like me, who recognized that a HUGE vulnerability like this should not be possible in the first place, I can only say that I believe you're right. But that building in such safeguards would require a completely different set of design principles, with security at the core, than is exhibited by the Android development team.

    For more on this set of vulnerabilities: https://www.checkmarx.com/blog/how-a...android-camera

    A video of the Proof of Concept was posted on YouTube:
    Any yet you hype the security of BB10 based on it lack of marketshare.... My view is at one time heads of the G6 and some governments once used it.... thinking no one every bothered is more like sticking your head in the sand and hoping for the best.

    Most every OS I know of that's getting actively tested by White and Black Hats... has vulnerabilities, the key is to have them reported and patched ASAP. Linux, Android, Windows, MacOS, iOS even QNX.... The really scary things are when it's the underlying hardware designs that we have used for decades that are found to be at fault.... who says a blackhat (or government) didn't find those long before a nice white hat reported it.

    So the only solution I know is to use a device that is tested and updated. For phones there is really only two options. I wouldn't even consider Sailfish (especially now that Russia is in it guts) and stuff like LineageOS - I doubt they qualify for any security certificate.
    TgeekB likes this.
    11-19-19 03:59 PM
  3. TgeekB's Avatar
    Any yet you hype the security of BB10 based on it lack of marketshare.... My view is at one time heads of the G6 and some governments once used it.... thinking no one every bothered is more like sticking your head in the sand and hoping for the best.

    Most every OS I know of that's getting actively tested by White and Black Hats... has vulnerabilities, the key is to have them reported and patched ASAP. Linux, Android, Windows, MacOS, iOS even QNX.... The really scary things are when it's the underlying hardware designs that we have used for decades that are found to be at fault.... who says a blackhat (or government) didn't find those long before a nice white hat reported it.

    So the only solution I know is to use a device that is tested and updated. For phones there is really only two options. I wouldn't even consider Sailfish (especially now that Russia is in it guts) and stuff like LineageOS - I doubt they qualify for any security certificate.
    It’s nice to hear someone with common sense on these forums. I am not going to hide behind a faraday cage.
    ppeters914 and Flatman like this.
    11-19-19 05:02 PM
  4. i_plod_an_dr_void's Avatar
    It’s nice to hear someone with common sense on these forums. I am not going to hide behind a faraday cage.
    I dunno....I don't mind having the front door locked in the office or at home. Have yet to see anyone in a city open their house to the radical sharing economy 24/7. Your smartphone should legally be declared part of your personal person or private abode. Now of course if I was a retailer, I need to keep the register locked and the store at night. It is a massive scandal of the century that mobile privacy is just a private joke of those supplying smartphone operating systems and social media apps. Even bb10 could have used privacy improvements vis-a-vis 3rd party apps., but the rest....just wow. The original pc didn't initially require this, because they weren't networked...but smartphones were designed explicitly to be networked. Its funny how technology from the 1960's did a better job of protecting privacy than newer OS's with supposed advances in technology. If you fell asleep in the 1960's and woke today...you'd be like, what? they're worse today for privacy than ever.

    When someone makes an actually functioning faraday cage as cheap and convenient as zip-lock sandwich bags, you can bet they would fly off the shelves.
    Flatman likes this.
    11-19-19 08:59 PM
  5. bb10adopter111's Avatar
    You're completely entitled to manage your own data anyway you like, but if you work for a company responsible for other people's data, you have a responsibility to protect it.

    This is why BYOD is a huge fail, IMO. People should carry whatever phones they like, but work devices just need to be locked down with absolutely no 3rd party apps that aren't approved by IT.

    What's awful about these vulnerabilities is that they are 1) really easy to exploit; and 2) completely impervious to the normal protections used by EMM solutions. It's a gaping hole that should not have been possible under any circumstances, and it shows what a fragmented mess Android permissions still are under the hood, despite the illusion of greater control that we've seen since Marshmallow.

    The other lesson is simple, ALL SENSORS ARE VULNERABLE. There's a reason that many enterprise laptops in critical infrastructure sectors are ordered without web cams.
    11-19-19 09:10 PM
  6. howarmat's Avatar
    Yeah this is pretty creepy stuff. I mean its fairly easy on any platform to make an app to do nothing but bad things. All they need is the user to hit "yes" to the permissions. But this seems a step beyond that even!
    11-19-19 09:17 PM
  7. bb10adopter111's Avatar
    Any yet you hype the security of BB10 based on it lack of marketshare.... My view is at one time heads of the G6 and some governments once used it.... thinking no one every bothered is more like sticking your head in the sand and hoping for the best.

    Most every OS I know of that's getting actively tested by White and Black Hats... has vulnerabilities, the key is to have them reported and patched ASAP. Linux, Android, Windows, MacOS, iOS even QNX.... The really scary things are when it's the underlying hardware designs that we have used for decades that are found to be at fault.... who says a blackhat (or government) didn't find those long before a nice white hat reported it.

    So the only solution I know is to use a device that is tested and updated. For phones there is really only two options. I wouldn't even consider Sailfish (especially now that Russia is in it guts) and stuff like LineageOS - I doubt they qualify for any security certificate.
    I absolutely do NOT hype the security of BB10 based on its lack of marketshare. Show me the post where I've done that.

    All things being equal, I completely agree that It's always better to have a researched and patched system. BUT ALL THINGS ARE NOT EQUAL. Android is a mess when it comes to the integrity of the OS because it's permission system is duct tape and spaghetti. That's why encryption and containerization with an EMM solution is so important. But these vulnerabilities break that security model completely, and that's the big deal.

    The ONLY reason BB10 is probably STILL more secure than Android IMO is that it's attack surface is exponentially smaller. If you begin with completely stock versions of both devices, BB10 is much more restrictive and locked down. Then, when you add the dozens of 3rd party apps that most users install, there are just too many ways to compromise an Android phone.

    On the other hand, there is no question that a patched Android phone running updated 3rd party Android apps is much more secure than a BB10 phone running a bunch of old, unpatched 3rd party apps!

    Android's security design is an afterthought, unfortunately.
    11-19-19 09:19 PM
  8. bh7171's Avatar
    Do Knox and BlackBerry's hardened Android make any difference in these regards?
    11-20-19 01:10 AM
  9. conite's Avatar

    This is why BYOD is a huge fail, IMO. People should carry whatever phones they like, but work devices just need to be locked down with absolutely no 3rd party apps that aren't approved by IT.
    But BYOD managed by an EMM allows for that.
    11-20-19 01:30 AM
  10. Jake2826's Avatar
    The QNX microkernal that is the basis for BlackBerry 10 is only about 100k lines of code last time I checked. Modern day Linux kernal is more than 14M lines of code last time I checked.

    From a security standpoint, there is no comparison. There are great things about Android, but security is not one of them and never will be. That's why Google already had plans to eventually dump the Android OS. Good security must be inherent in the design of the OS.

    Integrity OS by Green Hills and QNX by BlackBerry are the top dogs when it comes to security. Kaspersky, who is also a leader in security, just released or is about to release their own OS too. We will have to wait a little bit for the literature on that one, but know Kaspersky stuff, I have a feeling it will be serious.
    11-20-19 01:56 AM
  11. Soulstream's Avatar
    For most cases, mobile security is good enough. The thing is, there are very few security vulnerabilities that can be done remotely without any user input. And by user input, I mean users installing apps from untrusted sources or leaving their phones unlocked.

    Also, most security breaches are server-side, because hackers know they can get much more information from a server than trying to hack individual phones. And server-side hacks don't even care what phone you are using.
    app_Developer likes this.
    11-20-19 06:40 AM
  12. Tsepz_GP's Avatar
    Recently, security researchers Checkmarx announced a very serious vulnerability in Android phones that affects hundreds of millions of users. So far, Google and Samsung have admitted that their phones are affected, but the reality is that most other Android phones, including BlackBerry Android, may also be affected. Sometimes we get so used to these announcements that we treat them as background noise, but that's a mistake.

    It's worth noting the way this set of vulnerabilities operates:



    One might ask, "How the Hell can it be so easy to bypass user permissions for something as critical as the camera, microphone, and GPS?!" And, that's a very good question. The answer is that Android has erred on the side of adding features and making things convenient for users to the point that it's simply irrational to place much trust their security model. GPS, camera, and microphone access are about as fundamental to privacy and security as any feature can be on a phone, but, at the same time, users want their phones to operated seamlessly as they create photos and videos and scroll through their media to share them with their contacts and social channels. Rather than make it slow and inconvenient to share media between applications, Android has erred on the side of functionality over security, as a design principle. The result is that readily exploitable vulnerabilities like this are all too common.

    I know from experience that some people on these forums will say that this isn't a big deal. I have nothing to say to those who do not think that the things they do and say while using their phone deserve protection. For those, like me, who think that a HUGE vulnerability like this should not be possible in the first place, I can only say that I believe you're right. But, building in such safeguards would require a completely different set of design principles, with security at the core, than is exhibited by the Android development team.

    For more on this set of vulnerabilities: https://www.checkmarx.com/blog/how-a...android-camera

    A video of the Proof of Concept was posted on YouTube:
    WOOOOOW! This was a quite a scary read and that timeline part is even more concerning!

    Now the issue is how fast can those affected be given a patch/software update to fix this? In Android with all the endless carrier and country customizations and even hardware differences, one phone model like a Galaxy Note10 could take up to 2-3months to all be fully patched globally.

    Have they found anything regarding Apple iOS devices? Either way, if Apple were to affected they can send out an update at once to every device released between 2014-2019 all in one day and be done with it.
    11-20-19 08:56 AM
  13. bb10adopter111's Avatar
    But BYOD managed by an EMM allows for that.
    How, exactly would an EMM solution have helped in this case?

    The personally added app compromised the GPS, Microphone, and Camera. An attacker could monitor the user and record meetings, phone calls, presentations, etc. This is an all you can eat pass to corporate and state espionage, blackmail, and personal revenge.

    If you think that all hackers do is steal data from unprotected systems for economic gain, you're misinformed.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 08:56 AM
  14. Chuck Finley69's Avatar
    How, exactly would an EMM solution have helped in this case?

    The personally added app compromised the GPS, Microphone, and Camera. An attacker could monitor the user and record meetings, phone calls, presentations, etc. This is an all you can eat pass to corporate and state espionage, blackmail, and personal revenge.

    If you think that all hackers do is steal data from unprotected systems for economic gain, you're misinformed.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    Wouldn’t EMM solution allow system admins to limit access to installing only approved by company apps. I understand personal device, however can’t EMM lockdown a personal device as if company issued?
    11-20-19 09:09 AM
  15. conite's Avatar
    How, exactly would an EMM solution have helped in this case?

    The personally added app compromised the GPS, Microphone, and Camera. An attacker could monitor the user and record meetings, phone calls, presentations, etc. This is an all you can eat pass to corporate and state espionage, blackmail, and personal revenge.

    If you think that all hackers do is steal data from unprotected systems for economic gain, you're misinformed.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    Because all apps can be vetted by the administrator before being whitelisted for download.
    Dunt Dunt Dunt likes this.
    11-20-19 09:12 AM
  16. Dunt Dunt Dunt's Avatar
    How, exactly would an EMM solution have helped in this case?

    The personally added app compromised the GPS, Microphone, and Camera. An attacker could monitor the user and record meetings, phone calls, presentations, etc. This is an all you can eat pass to corporate and state espionage, blackmail, and personal revenge.

    If you think that all hackers do is steal data from unprotected systems for economic gain, you're misinformed.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    "The only thing required for this to work is to have the victim install the rogue app and approve SD storage access permissions."

    UEM that's locked down would not allow a rogue app to be installed on a company phone in the first place.

    Now if it's a BYOD and the UEM is rather open to allow users to do what the want on their own phone... yes it could have been installed. If you are in the habit on installing random apps and approving all their permissions.
    11-20-19 09:21 AM
  17. bb10adopter111's Avatar
    Because all apps can be vetted by the administrator before being whitelisted for download.
    Correct, but most companies allow users to install personal apps on their personal profile. What you're describing is, for all practical purposes, not BYOD, because users can't install their personal apps.

    Also, such a solution does nothing for most organizations, which use either no dedicated EMM or which use Android for Work, with separate work and personal profiles.

    The larger point is that Android's security model for app permissions is fragile and easily compromised, relying on companies and end users to take extraordinary precautions that require thought, budget and technical literacy. With phones being marketed as essential electronic gadgets to all consumers, we have a classic "weakest link" chain of security, which means no security in the majority of cases.

    I'm challenging your bias that modern mobile OSes are "good enough" on security. I believe they are fundamentally untrustable as currently designed and threaten our economic and political stability.

    The optimism of technologists that they can build a market then address the problems is unwarranted. Android is playing catch up on security, but not nearly fast enough.

    My perspective is that this vulnerability is the equivalent of the wings falling off of a new jetliner in its first year of service. It points to a fundamental lack of safety. It's not an event that could conceivably occur in isolation.

    Also, it's lijely that hundreds of millions of Android phones that will never be patched are going to create a boom in illicit surveillance. Any private detective, stalker, jealous ex, corporate or government spy will have access to these tools on demand for years.



    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    Invictus0 and Jake2826 like this.
    11-20-19 09:29 AM
  18. bb10adopter111's Avatar
    Do Knox and BlackBerry's hardened Android make any difference in these regards?
    Not if users are allowed to download apps in their personal profile. EMM will protect data in encrypted containers only.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 09:30 AM
  19. bb10adopter111's Avatar
    For most cases, mobile security is good enough. The thing is, there are very few security vulnerabilities that can be done remotely without any user input. And by user input, I mean users installing apps from untrusted sources or leaving their phones unlocked.

    Also, most security breaches are server-side, because hackers know they can get much more information from a server than trying to hack individual phones. And server-side hacks don't even care what phone you are using.
    And how do you think hackers get access to servers? 80% of hacks involve at least one element of social engineering, getting a user to perform a task or compromise their credentials. Websites, apps, and email are the first step in the kill chain.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 09:34 AM
  20. conite's Avatar
    Correct, but most companies allow users to install personal apps on their personal profile. What you're describing is, for all practical purposes, not BYOD, because users can't install their personal apps.

    Also, such a solution does nothing for most organizations, which use either no dedicated EMM or which use Android for Work, with separate work and personal profiles.

    The larger point is that Android's security model for app permissions is fragile and easily compromised, relying on companies and end users to take extraordinary precautions that require thought, budget and technical literacy. With phones being marketed as essential electronic gadgets to all consumers, we have a classic "weakest link" chain of security, which means no security in the majority of cases.

    I'm challenging your bias that modern mobile OSes are "good enough" on security. I believe they are fundamentally untrustable as currently designed and threaten our economic and political stability.

    The optimism of technologists that they can build a market then address the problems is unwarranted. Android is playing catch up on security, but not nearly fast enough.

    My perspective is that this vulnerability is the equivalent of the wings falling off of a new jetliner in its first year of service. It points to a fundamental lack of safety. It's not an event that could conceivably occur in isolation.

    Also, it's lijely that hundreds of millions of Android phones that will never be patched are going to create a boom in illicit surveillance. Any private detective, stalker, jealous ex, corporate or government spy will have access to these tools on demand for years.



    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    Approving apps for corporate use is nothing new. Nor is it an unusual expense.

    Since the corporate data is segregated, it doesn't matter what people install on their personal side.

    Yes, a fully-functioning, proper EMM solution is required, but again, that is not a big ask.
    11-20-19 09:35 AM
  21. bb10adopter111's Avatar
    Approving apps for corporate use is nothing new. Nor is it an unusual expense.

    Since the corporate data is segregated, it doesn't matter what people install on their personal side.

    Yes, a fully-functioning, proper EMM solution is required, but again, that is not a big ask.
    So you agree that employees should not be allowed to install apps for personal use at all in their personal profile? In that case we don't disagree.

    But the premise of BYOD for most companies is that the employee can use a single device for work and personal use and does not need corporate approval to choose a weather app, for example.

    This set of vulnerabilities can be exploited unless the IT team approves EVERY app on both the personal and work profile.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 09:41 AM
  22. conite's Avatar
    So you agree that employees should not be allowed to install apps for personal use at all in their personal profile? In that case we don't disagree.

    But the premise of BYOD for most companies is that the employee can use a single device for work and personal use and does not need corporate approval to choose a weather app, for example.

    This set of vulnerabilities can be exploited unless the IT team approves EVERY app on both the personal and work profile.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    I wrote that it doesn't matter what people do on their personal side on a properly managed device.

    Corporate data is inaccessible.
    TgeekB likes this.
    11-20-19 09:43 AM
  23. bb10adopter111's Avatar
    Also, while I focus on cybersecurity mostly, this is a vector for any private detective hired by a jealous ex, or celebrity-chasing paparazzi to track targets by GPS in real time and gather compromising audio or video recordings.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 09:45 AM
  24. bb10adopter111's Avatar
    I wrote that it doesn't matter what people do on their personal side on a properly managed device.

    Corporate data is inaccessible.
    Unless it's discussed in a meeting, on a phone call, shown in a presentation, or visible on a screen. This set of vulnerabilities uses all those vectors.

    You are narrowing your definition of a data breach to a hacker exploiting a server-side vulnerability and forgetting that the video of a user entering a password at work is often the first step in that attack.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 09:48 AM
  25. conite's Avatar
    Unless it's discussed in a meeting, on a phone call, shown in a presentation, or visible on a screen. This set of vulnerabilities uses all those vectors.

    You are narrowing your definition of a data breach to a hacker exploiting a server-side vulnerability and forgetting that the video of a user entering a password at work is often the first step in that attack.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    How does that differ from people who carry a personal device with them as well as a corporate-issued device?

    The two scenarios are identical.
    11-20-19 09:52 AM
63 123

Similar Threads

  1. Replies: 5
    Last Post: 11-22-19, 04:04 AM
  2. Arrival's autonomous-ready vehicles will be powered by BlackBerry QNX
    By CrackBerry News in forum CrackBerry.com News Discussion
    Replies: 0
    Last Post: 11-19-19, 03:22 PM
  3. The $200 Kharbon IP67 Wireless Earbuds are just $67 today
    By CrackBerry News in forum CrackBerry.com News Discussion
    Replies: 0
    Last Post: 11-19-19, 11:40 AM
LINK TO POST COPIED TO CLIPBOARD