ZHA - Accelerating roll-out of Security Patches - Zimperium

By:Zuk Avraham
Follow Zuk Avraham (@ihackbanme)Joshua Drake
Follow Joshua Drake (@jduck)Yaniv Karta
Follow Yaniv Karta (@shokoluv)

Reflecting on our collective experiences in the Android ecosystem, especially recent events around Stagefright, we were reminded of several deficiencies in the way that Android security update ecosystem works. To help address these issues, we are pleased to announce Zimperium’s Handset Alliance. The creation of this coalition will serve to support our goal of improving security among all of the various parties involved with Android.

Why ZHA?

Our goal in creating this coalition is to address the following key concerns, which will be very familiar to people who work day-to-day in the smartphone security ecosystem.

We’ve learnt from several device vendors and telecom providers that they would rather receive Android security relevant notifications at the same time as Google. By now, almost everyone is aware of the long tail associated with Android updates. When the Android Security Team supplies patches to their partners, it’s only the beginning of a long process. Many vendors received the patches we submitted in April, only in June. Some vendors said they didn’t receive the patches at all. We believe notifying all relevant personnel in the ecosystem in parallel will help decrease the amount of time it takes for end-users to receive a security update.

According to our understanding of the Android ecosystem, security issues reported to Google are only shared with active partners. While we are not privy to the details, we understand that advisories and updates produced by Google are not provided to non-partners like the makers of Firephone and Blackphone. This gives such vendors zero visibility into such potential threats until the reported issues are made public. By then it could be too late. We invite such vendors to participate as we feel they deserve to be notified at the same time as other directly impacted organizations.

Finally, getting in touch with the correct point of contact at various companies within the Android ecosystem can be difficult. Creating ZHA provides a communications channel with the correct people for every specific security concern — from mobile network operators to Google itself. We encourage researchers to reach out to us if they are having trouble finding the right contact.

Who’s eligible?

We fully intend for ZHA to be more open than the Open Handset Alliance (OHA). As such, we welcome participation from members of security teams directly impacted by Android security issues. Examples include organizations that have a responsibility in securing devices running Android or AOSP-derivatives, mobile network operators that host Android devices, and so on.

To kick off this initiative, we are sharing the full set of patches and proof-of-concept code with this group ahead of our upcoming appearances at Black Hat and DEFCON.

More than 16 of the largest vendors and carriers have already joined ZHA. If you’re interested in joining ZHA, apply here. Please do keep in mind, however, that we are vetting applicants in an effort to ensure that sensitive information disseminated via this alliance stays within organizations actually charged with responding to Android security issues.

What about everyone else?

Zimperium recognizes that improving Android security requires more than just improving communications between vendors. Apart from fast, regular updates, proactive research is the best way to get ahead of emerging threats. By finding and fixing latest vulnerabilities, attackers are left with an ever dwindling arsenal. From source and binary code audits to design review, more eyes means more improvement. To facilitate that goal, we are also launching a new mobile-focused public security mailing list.

Mobile security researchers, security vendors and IR and IH teams are welcome to join our Open Mobile Security Forum here: apply here.

With both of these new initiatives underway, we hope to connect the two communities so that we can push the security of the ecosystem to the next level. We encourage researchers that have specific concerns about security within the Android ecosystem to engage the alliance when they see fit. We will do our best to connect the correct people.

What about Stagefright?

We are working to release both a stand-alone application to test for the presence of known Stagefright vulnerabilities and a video demonstrating a successful attack. Several organizations requested that we delay the release of our working exploit. We agreed, given the gravity of the situation. Unfortunately, because the patches are open-source [1, 2], many researchers are already working on creating an exploit. We believe it’s only a matter of time before we see attacks in the wild (assuming they are not already occurring).

Vulnerabilities such as those discovered in Stagefright can potentially be used in the creation of a network worm. This is especially true for the sixty million devices without Address Space Layout Randomization (ASLR). Assuming that each one of these devices will send around 100 MMS messages per day, we are speaking about six billion MMS messages per day. Such an event could wreak havoc on mobile network infrastructure and spam many users with unwanted MMS messages.

Carrier Tips

In the unfortunate event that someone does develop and release a worm for these vulnerabilities into the wild, we would like to offer the following guidance to mobile network operators. Employing these protective measures could make all the difference.

1. Rate limit the amount of consecutive MMS messages from a single sender.
2. Identify ‘spamming’ characteristics of MMS senders to track unwittingly sent messages (e.g: duplicated messages from one sender to multiple recipients containing the same media)
3. Limit the size of media within MMS messages as larger files may improve the chances of successful exploitation.
4. Inspect and block malicious media files during transcoding.

UPDATE:

1. Zimperium’s Mobile Threat Protection customers are safe from this threat, even without updating the device to the latest Android version. Companies that have reasons to believe that they are under active Stagefright attacks, should contact us ASAP at stagefright-urgent@zimperium.com
2. Zimperium Research Labs (zLABS) will release a video later this week with a Stagefright RCE demonstration. Several large carriers requested that we delay the release of our working exploit. We agreed, given the gravity of the situation. Unfortunately, because the patches are open-source [1, 2], many researchers are already working on creating an exploit. We are planning to release our exploit on August 24th, 2015. However, if an exploit is publicly released or attacks are detected in the wild before that date, we will release ours for testing purposes at that time.
3. Device vendors receive the patches months after they are released. To solve this issue, ZIMPERIUM provides a global platform to assist smartphone vendors and Carriers who wish to receive mobile OS patches from Zimperium directly. Join the Zimperium Handset Alliance through – https://groups.google.com/d/forum/zimperium-handset-alliances (use your vendor/telco email to be accepted to ZHA. Other requests will get automatically rejected). More than 17 of the largest vendors and carriers have already joined ZHA.
4. You can read how to disable auto-fetching MMS on Nexus devices here
5. ZHA partners already received proof-of-concept code that triggers the issues and the full set of Stagefright patches. For carrier specific tips – check this post
6. Josh will present the full details of his research at Black Hat on August 5th or DEFCON on August 7th. We invite you to join us!