‘StageFright’ in Android

I wrote this piece on the susceptibility of Android to the ‘StageFright’ hack. It was published in the Irish Times on August 3rd 2015.

Worldwide shipments of smartphones have just had a stellar quarter. According to research firm IDC, global shipments between April and June reached 337 million units, up nearly 12% from the same quarter last year.

The market is led by Samsung at 22% and Apple at 14%. Despite taking only 14% of global revenues, Apple captures a staggering 90% or more of global smartphone profits, illustrating its strength as a premium brand. In contrast, quarterly profits at Samsung are now in their fifth consecutive decline, despite its having two of the best Android phones on the market. Korea’s LG has seen its profits drop 60% in its most recent quarter, citing falling demand for its premium smartphones. Taiwan’s HTC has just made a quarterly loss of 26% (of revenues, after tax) and may have become an acquisition target.

The smartphone market now has two main themes. The first is that Apple’s brand is dominating the smartphone market financials, putting the remainder of the market under severe pressure. The second is that Apple in fact only has 14% of the market by shipments, and the market leader Samsung only 22%: the remaining 64% of shipments come from over 200 other smartphone vendors worldwide, chiefly Android based. There are now some 950 million Android devices in use worldwide. Given the poor profits in the smartphone market, there will clearly be market turmoil, with mergers and acquisitions and outright business failures.

In the last week, the global Android market has gained a new and extremely dangerous threat. What if a criminal hacker could interfere with everything on your phone – your contact list, calendar appointments past and present, patterns of physical locations, private notes, internet browsing trails, app usage, photos, and so on – solely by knowing your mobile number? The only trace of a fully weaponised attack will be a notification that you received a text message (actually a multimedia message – MMS – containing a video). Completely unlike other hacking attacks, you do not need to actually open the message, or read or watch it: by the time you have seen just the notification on your screen, the damage will already have been done. In fact, the fraudulent message may already have deleted itself. Even if you simply ignore the notification, as you might for any other hacking attack, the damage is nevertheless done. You may even have been asleep overnight when the message arrived on your phone and silently did its work.

Joshua Drake, a VP at Zimperium zLabs, discovered a critical flaw in Google’s Android software last April, in the ‘StageFright’ subsystem of Android that displays media content such as videos. The flaw has been present since May 2010, when version 2.2 of Android was released (the most current version is now 5.1). As is industry practice, Drake offered Google a 90-day embargo and supplied Google with patches for the code, giving Google a head start to ship fixes to customers. He will release details of the code to the public at the industry ‘Black Hat’ event on August 5th in Las Vegas, thus encouraging vendors to make repairs but also alerting hackers worldwide to the flaw.

Over 200 vendors, with over 950 million devices in active daily use, are highly susceptible to StageFright – smartphones, tablets and other devices using Android. Typically, only the newer devices actively receive patches and updates: older devices, going back as far as May 2010, may never be updated. Each vendor has its own process to release patches to its products, and some vendors have to negotiate with mobile phone operators to push patches through to consumers. It is almost impossible for the myriad vendors to synchronise their businesses so as to repair broken products simultaneously. However, if any single vendor releases a patch before the others, an opportunity then opens for hackers to reverse-engineer the patch.

I wrote about the treacherous ‘HeartBleed’ vulnerability in websites, and how it came about, in the May 12th 2014 edition of this paper. The StageFright flaw is considerably more dangerous, given the nature of the highly fragmented Android market. In a different industry, vehicle manufacturer Fiat Chrysler has just issued a recall of 1.4 million cars due to a flaw by which a hacker can wirelessly attack the driving control electronics, and received a US$105M fine from the US National Highway Traffic Safety Administration for its troubles. With 950 million devices in active daily use, from not just one but over 200 vendors worldwide, StageFright is altogether a different scale of challenge.

Google acquired Android Inc in July 2005 in a strategic move to compete in the mobile phone market. The first Android smartphone – the HTC Dream – was released in October 2008. Since then Google has aggressively pursued a multiple-vendor strategy to promote Android to global consumers through as many channels as possible, and so to place Apple under pressure. Whilst this has been successful in market share and saturation, Apple nevertheless still owns the market profits. The vulnerability and fragility of Google’s strategy to a single engineering flaw is now unfortunately apparent.

Google have rewarded Drake US$1,337 for bringing the StageFright flaw to their attention.


About chrisjhorn
