Anyone know how vulnerable our devices (firmware versions) are to KRaCK? - Xperia Z5 Compact Q&A, Help & Troubleshooting

Hey there,
as I'm sure some of you are aware, there has been a rather big security problem concerning WPA2 -> https://www.krackattacks.com/
Also this
Does anybody know Sony's stance on this?

panecondoin said:
Hey there,
as I'm sure some of you are aware, there has been a rather big security problem concerning WPA2 -> https://www.krackattacks.com/
Also this
Does anybody know Sony's stance on this?
Our devices are probably vulnerable,
as I read it from the news articles - if you have a patched router you're covered (well, when is that even the case?), but you can also close the door with updated clients (Android phones!).
In essence: if only one side is patched - the connection is secure
so with recent Android "Stock" ROMs the security is and can be compromised (reading WiFi traffic, injecting HTML stuff and adding potentially malicious code to your browsing data)
That means:
NO Online Banking or Shopping Online via WLAN/WiFi
I'm pretty sure Sony will provide an update to "patch" the system up (updating the components affected)
If they'll stay with the latest ROM version (32.4.A.1.54) and provide no further updates - it shall backfire spectacularly
Thanks for the links

Thanks @zacharias.maladroit, for providing the appropriate consequences that users should be aware of. Let's hope for the best and see what Sony has in store in this regard.

Related

There's a Zombie-like Security Flaw in Almost Every Android Phone

Nice article to read.. Just thought I would share.. MODS PLEASE DELETE IN CASE THIS IS A DUPLICATE.
http://news.yahoo.com/theres-zombie-...013019842.html
There's a Zombie-like Security Flaw in Almost Every Android Phone
Abby Ohlheiser 56 minutes ago
Almost every Android phone has a big, gaping security weakness, according to the security startup who discovered the vulnerability. Essentially, according to BlueBox, almost every Android phone made in the past four years (or, since Android "Donut," version 1.6) is just a few steps away from becoming a virtual George Romero film, thanks to a weakness that can "turn any legitimate application into a malicious Trojan."
While news of a security vulnerability in Android might not exactly be surprising to users, the scope of the vulnerability does give one pause: "99 percent" of Android mobiles, or just under 900 million phones, are potentially vulnerable, according to the company. All hackers have to do to get in is modify an existing, legitimate app, which they're apparently able to do without breaking the application's security signature. Then, distribute the app and convince users to install it.
Google, who hasn't commented on the vulnerability yet, has known about the weakness since February, and they've already patched the Samsung Galaxy S4, according to CIO. And they've also made it impossible for the malicious apps to install through Google Play. But the evil apps could still get onto a device via email, a third-party store, or basically any website. Here's the worst-case scenario for exploitation of the vulnerability, or what could potentially happen to an infected phone accessed via an application developed by a device manufacturer, which generally come with elevated access, according to BlueBox:
Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
The company recommends users of basically every Android phone double check the source of any apps they install, keep their devices updated, and take their own precautions to protect their data. But as TechCrunch notes, Android users really should be doing this anyway, as the devices tend to come with a " general low-level risk" from malware. That risk, however, is elevated for users who venture outside of the Google Play store for their apps.
So while the actual impact of the vulnerability is not known, neither is the timeline for fixing it. Manufacturers will have to release their own patches for the problem in order to fix it, something that happens notoriously slowly among Android devices.
Mr_Jay_jay said:
/snip
As always, this really boils down to the same thing: don't be a fool in the most non-pejorative way possible. With the exception of the Syrian Electronic Army fiasco a while back, secured and verified app vendors like Google Play (or Apple's App Store) continue to provide all the services most users will need without exposing the end-user to this kind of vulnerability. If you don't expose yourself, you're not at risk.
That said, this all relies on the notion of the end-user being at least somewhat vigilant, which can be quite dangerous.
Rirere said:
As always, this really boils down to the same thing: don't be a fool in the most non-pejorative way possible. With the exception of the Syrian Electronic Army fiasco awhile back, secured and verified app vendors like Google Play (or Apple's App Store) continue to provide all the services most users will need without exposing the end-user to this kind of vulnerability. If you don't expose yourself, you're not at risk.
That said, this all relies on the notion of the end-user being at least somewhat vigilant, which can be quite dangerous.
Not every Android device has access to the Play Store by default, though. I have a tablet now that doesn't have access. If a normal user had such a device, they wouldn't likely go through the process needed to get the Play Store, and would just deal with whatever marketplace app existed.
This exploit will likely only ever affect users that by default use devices that do not have Google support. Many of these are distributed among 3rd world nations and are typically a hotbed of illicit activities anyway. Of the first worlders that would be affected, it would be those using black market apps without knowing the risks involved in doing so. Most black market users are knowledgeable enough to know to check their sources and compare file sizes before installing APKs.
Also the notion that 99% of devices are affected has nothing to do with the OS being flawed (Google reportedly fixed the flaw in March), but rather the OEMs being slow in pushing out (or not pushing out at all) the patch for the hole.
Also I would be wary of a security outfit that has been around since 'mid-2012' and continues to pride themselves as a start-up mobile security firm.
espionage724 said:
Not every Android device has access to Play Store though, by-default. I have a tablet now that doesn't have access. If a normal user had such a device, they wouldn't likely go through the process needed to get Play Store, and would just deal with whatever marketplace app existed.
Granted, but the Play Store reduces the attack surface by a considerable margin. Right now, I consider non-Google-blessed Android to be something akin to stock Windows 7 with Defender and Firewall turned off: you can do just about anything with it, but you're running at a risk by not deploying some vendor-based add-ons (in this case, choosing to use the unit available).
I do understand that many devices sell outside of the Google world, before anyone jumps on me, but it doesn't change how the vulnerabilities play out.
This boils down to:
If users install a virus then they get a virus!!! This affects all Android phones!!!!!!!! Oh Nos!
Sucks that this is being patched. Guess there will be no more modding games for me.

[Q] Android for Work - MDM support straight from Google O/S

Wanted to start a thread on this subject as I have yet to see anything regarding AfW anywhere in these threads.
Does anyone have any information on how the o/s will handle securely wrapping applications and how the o/s creates a second partition/perimeter that is secured from the personal side?
Google Android For Work if you haven't heard about it.
I'm wondering if a rooted device would be able to trick the MDM protected work perimeter to think it has a secure bootrom, recovery partition and valid o/s?
Anyone have a picture of what the filesystem difference looks like?
There's so little information on this, yet it was released with 5.0 Lollipop and I'm sure if we reverse engineer the way it functions we could create our own PKI-enabled MDM open source solution. This would allow end users to freely use their phone without the fear of being snooped on by viruses, corporations for marketing purposes, etc. Overall an open source MobileIron solution is what I'm getting at.
Let me know what you guys think.

[Q] MIDI OTA Spoof - Possible Android Exploit?

I'm a major in network security at the moment, and as I've been studying ROM development and the ways that OTAs work, I've come across a method of forcing an OTA that I don't believe I've heard done before. That is, spoofing a web location on a network, and placing a system image in the location. This can be achieved using a typical man-in-the-middle attack (of course legally, and under a controlled/private environment).
What I'm curious about, however, is whether or not Android does a more extensive location check; e.g. does Android check for SSL/verification on the location before initiating a download? Would this only work with a system OTA image? What are possible system implications that could prevent this from being achieved?
Thanks in advance for any answers you may have. I'll be posting further papers and research if I find definitive answers and methods.
Reserved.
Bump reason: I'd really like to know the answer. I haven't been able to find anything conclusive.
You are better off looking in the dedicated security section.
zelendel said:
You are better off looking in the dedicated security section.
Sorry, I hadn't realised that this would fit in there. Would it be possible to move it there by any chance?
have you found a way to bypass the need to sign with google's or the oem's keys?
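The last reply points at the part of the question the thread never spells out: an OTA package is only applied if it verifies against a vendor public key that is already on the device, so serving a different image from a spoofed host does not get it installed. The following is an added example written for this thread (it is not Android's recovery code and not any poster's work) showing the check a client should perform on a downloaded image before it flashes anything. The key pair, the image bytes and the class and method names are constructed for the demo; on AOSP the real trust anchor is the certificate set shipped in the firmware (for example /system/etc/security/otacerts.zip), never something fetched alongside the update.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;

/** Verifies a downloaded update image against a pinned vendor key before anything is flashed. */
public final class UpdatePackageCheck {
    private static final String ALG = "SHA256withRSA";

    /** Returns true only if sig is a valid signature over image under vendorKey. */
    public static boolean isGenuine(byte[] image, byte[] sig, PublicKey vendorKey) {
        try {
            Signature v = Signature.getInstance(ALG);
            v.initVerify(vendorKey);
            v.update(image);
            return v.verify(sig);
        } catch (GeneralSecurityException e) {
            // Malformed signature or unusable key: treat exactly like a bad signature.
            return false;
        }
    }

    /** Build side: what the vendor does once, with a key that never leaves its signing infrastructure. */
    public static byte[] sign(byte[] image, PrivateKey signingKey) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(signingKey);
        s.update(image);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair standing in for the OEM key; the public half would be
        // baked into the firmware image, the private half kept offline by the vendor.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair vendor = gen.generateKeyPair();

        byte[] image = "constructed update payload v2".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(image, vendor.getPrivate());
        System.out.println("genuine image accepted:  " + isGenuine(image, sig, vendor.getPublic()));

        // An image substituted on the wire (the scenario asked about above) does not carry a
        // signature made with the vendor key, so the device must refuse it regardless of transport.
        byte[] tampered = Arrays.copyOf(image, image.length);
        tampered[0] ^= 0x01;
        System.out.println("tampered image accepted: " + isGenuine(tampered, sig, vendor.getPublic()));
    }
}
```

The point of the design is that TLS on the download location is a second line of defence, not the first: even over plain HTTP, an image that fails `isGenuine` is never handed to the updater, and a rooted device that disables this check is choosing to trust whatever its network serves it.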

Enabling TLSv1.2 support in Android 4.1 and 4.4 devices

Hi all
We use a few rugged Android devices at work as glorified GPS and mapping units. They work great, however today I found out that our main data collection service is updating their Android application to use TLSv1.2. From my research it looks like all Android devices beyond API level 16 (Jelly Bean) CAN support TLSv1.2, however it is not turned on by default (whatever that means) before API level 20/21 (KitKat wearable/Lollipop). We have devices running 4.1.1, 4.2.1 and 4.4.4.
There is literally zero chance of getting these devices upgraded to Lollipop. They are made by Getac and Aspera - both small companies. Anyone that uses rugged devices knows that you trade in your access to updates and custom ROMs etc. when you opt for one. They are too much of a niche product to attract developers and the manufacturers just want a stable device, not the latest and greatest. They also generally run lower end specifications, so updating to a newer OS is not always desired. We have a Getac z710 (http://us.getac.com/tablets/Z710/features.html), one Aspera R5 (http://asperamobile.com/products/aspera-r5/) and three Aspera R6s (http://asperamobile.com/products/aspera-r6/). I am not even sure if they have root solutions available for them...
So does anyone out there with a kind heart and some knowledge want to help see if there is anything that can be done on my end to turn on support for TLSv1.2? Here is some stuff I found so far, but most of it seems like it needs to be done on the server side, not client side.
http://stackoverflow.com/questions/24357863/making-sslengine-use-tlsv1-2-on-android-4-4-2
http://www.jordanrejaud.com/android/2015/09/19/android-tls-ssl-engine.html
None of these devices are rooted, so everything needs to be done via adb, or I need a root solution...
bump...
Did you ever find a solution for this? I'm trying to look into this myself but haven't found anything that would modify it for the whole OS, only something that would require modifying the source code for an app.
I have the same problem/question:
GetBackersBH said:
Did you ever find a solution for this? I'm trying looking into this myself but haven't found anything that would modify it for the whole OS, only something that would require modifying the source code for an app.
Is there a known solution that would modify the whole OS, not just an app through a code? I would need TLS 1.2 permanently enabled on Android 4.4.2 KitKat. The phone is rooted, BTW.

General about GrapheneOS

Hey guys,
what do you think about GrapheneOS? (https://grapheneos.org)
I think there are some disadvantages:
- only Pixel devices (because only these have some security "flags")
- no root access
- hardcoded Google domains
and some advantages:
- good hardware support
- hardened AOSP
- closed bootloader after flashing
Now I would like to discuss this ROM
I too would be interested to hear about anyones experience regarding this OS
johndoe118 said:
Hey guys,
what do you think about GrapheneOS? (https://grapheneos.org)
I think there are some disadvantages:
- only Pixel devices (because only these have some security "flags")
- no root access
- hardcoded Google domains
and some advantages:
- good hardware support
- hardened AOSP
- closed bootloader after flashing
Now I would like to discuss this ROM
I'm interested in this ROM too. I have a Pixel 3a. I haven't flashed it yet because I'm trying to find out what people's experiences are first. There doesn't seem to be a lot of posts about it. Did you ever flash it? Also, what do you mean by "hardcoded Google domains"?
Well, the captiveportal contacts the Google servers regularly when you connect to a WiFi. That was one reason why I lost interest in the ROM. The other was the limited device support and missing root access. I absolutely need access to the iptables. As a one-man show, the ROM can be adjusted at any time.
johndoe118 said:
Well, the captiveportal contacts the Google servers regularly when you connect to a WiFi.
Do you have some kind of reference for that? I'm using it now and would really like some proof to bring up in their subreddit as a WTF.
graphene seems great, no root does not
I don't want the bootloader locked.
I want Magisk extensions
I need root for LP _only_ to remove ads. Is there something like LP that allows (interactively) disabling app activities?
hardcoded google domains info from faq
https://grapheneos.org/faq#device-support
GrapheneOS leaves these set to the standard four URLs to blend into the crowd of billions of other Android devices with and without Google Mobile Services performing the same empty GET requests. For privacy reasons, it isn't desirable to stand out from the crowd and changing these URLs or even disabling the feature will likely reduce your privacy by giving your device a more unique fingerprint. GrapheneOS aims to appear like any other common mobile device on the network.
HTTPS: https://www.google.com/generate_204
HTTP: http://connectivitycheck.gstatic.com/generate_204
HTTP fallback: http://www.google.com/gen_204
HTTP other fallback: http://play.googleapis.com/generate_204
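The FAQ text quoted above describes the connectivity probe without showing it, so here is an added example (not GrapheneOS code, not Android's ConnectivityService, and not any poster's) that performs the same empty GET against the four quoted URLs and interprets the answer the way the platform does: a 204 with no body means the path to the internet is clean, anything else (typically a 302 to a login page, or a 200 page injected in place of the empty answer) means a captive portal or some other middlebox rewrote the response. The class, enum and method names are this example's own.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Reproduces the Android-style connectivity probe described in the GrapheneOS FAQ quote. */
public final class CaptivePortalProbe {
    public enum Result { OPEN_INTERNET, CAPTIVE_PORTAL, NO_CONNECTIVITY }

    // The four probe URLs quoted from the FAQ; each is expected to answer 204 with an empty body.
    static final String[] PROBES = {
        "https://www.google.com/generate_204",
        "http://connectivitycheck.gstatic.com/generate_204",
        "http://www.google.com/gen_204",
        "http://play.googleapis.com/generate_204",
    };

    public static Result probe(String url) {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            c.setInstanceFollowRedirects(false); // a portal usually answers 302 to its login page
            c.setUseCaches(false);
            c.setConnectTimeout(5000);
            c.setReadTimeout(5000);
            c.setRequestMethod("GET");
            int code = c.getResponseCode();
            int length = c.getContentLength(); // -1 when no Content-Length header was sent
            c.disconnect();
            // Unmodified answer: 204 and no body. Anything else means something rewrote the response.
            if (code == 204 && length <= 0) return Result.OPEN_INTERNET;
            return Result.CAPTIVE_PORTAL;
        } catch (IOException e) {
            return Result.NO_CONNECTIVITY;
        }
    }

    public static void main(String[] args) {
        for (String p : PROBES) {
            System.out.println(p + " -> " + probe(p));
        }
    }
}
```

This is also the request the later post calls a location leak: every probe is a plain HTTP(S) GET from the device's current IP address to a Google-operated host. On AOSP the same probe is governed by the global settings `captive_portal_mode`, `captive_portal_http_url` and `captive_portal_https_url` (readable and writable over adb with `settings get/put global ...`, no root needed), which is what the FAQ means by changing the URLs outside the GUI.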
nay_ said:
hardcoded google domains info from faq
https://grapheneos.org/faq#device-support
Thanks, right from there
I have GrapheneOS taimen-factory-2020.07.06.20.zip on my Pixel 2 XL. Under "System update settings" is "Check for updates" but nothing happens if I tap. Only the field becomes darker. Has someone experience with this?
Update with adb sideloading to 2020.08.03.22 works.
OTA update from 2020.08.03.22 to 2020.08.07.01 likewise.
I'm personally not a fan of these kinds of projects, they aren't really all that 'secure', you're still using proprietary vendor blobs and such
help please
Hello! In the description
I pointed out that you can change servers just not through the GUI.
Has anyone tried this?
```
Providing a toggle in the Settings app for using connectivitycheck.grapheneos.org as an alternative is planned. The option to blend into the crowd with the standard URLs is important and must remain supported for people who need to be able to blend in rather than getting the nice feeling that comes from using GrapheneOS servers. It's possible to use connectivitycheck.grapheneos.org already, but not via the GUI.
```
captive portal leak + location services data leak
Few points:
1. The general idea is that a privacy/security oriented OS (as Graphene is advertised) should limit network activity as much as possible, and not ping Google using the captive portal service every few seconds, providing a perfect IP-based location to Google
It is possible to switch it off, but it should be off by default
2. Connections of Android location services to get GPS constellations were shown before to send the SIM card IMSI and connected cellular tower ID to the provider (Qualcomm/Google):
"blog.wirelessmoves.com/2014/08/supl-reveals-my-identity-and-location-to-google.html"
Graphene still allows those connections (check their FAQ on the website)
W/o root there is no way to switch this off. Some devices even ignore config files and still leak data (on the level of the cellular modem most probably)
3. Android services make other weird connections. Example: the AOSP dialler app is querying phone numbers against an online database, leaking all contacts to Google. How was this taken care of in Graphene? Are all AOSP services/apps security-verified to not leak any data?
W/o root there is no way to install AFWall to block everything
Is graphene built-in firewall capable of blocking system services from network access?
