Stagefright Gives Android Users Something to Fright About

A few months ago people were talking about the latest bug in iOS that would cause the phone to crash if someone sent a specific set of characters via a text message (which has been fixed). Now it appears that it is Android’s turn. This new bug, called Stagefright, allows an attacker to remotely execute code on another person’s Android device through an MMS message that the device receives.

The exploit was publicly announced on July 27, 2015 by the security firm Zimperium. Researchers say that the bug originated in a core component called “Stagefright”, a library used to play various multimedia formats that are integral to displaying the contents of MMS messages. The issue is so serious because the exploit can execute on a user’s device without the user actually doing anything.

Furthermore, this bug has been in the Android operating system since version 2.2, which means that roughly 1 billion devices can potentially be infected with malware due to this flaw. While Google and Samsung are working hard to push out a security fix to patch this bug, Zimperium has released an app that can be installed on your Android device to check whether it has been infected.


Why Your Car Is Insecure

You may not know this, but most of you drove into work today in a computer. Don’t believe me? Oh, maybe because you commonly refer to it as your car. For the past 40 years car manufacturers have been making cars with computers that are typically located near the automobile’s engine. The on-board computer controls many things, including fuel injection, the anti-lock braking system (ABS), gear shifting, and diagnostics (you know, the infamous check engine light), to name a few.

However, over the past decade manufacturers have started to add more smarts to cars, specifically to the entertainment system. Bluetooth, iPod and USB connectors, as well as WiFi, all add the ability to connect 3rd party devices to your car. As consumers we have taken all of these new features for granted, but now we are going to need to rethink these capabilities because they are also being used as attack vectors for hackers.

Over the past year more and more reports have been surfacing about groups of people who have been able to successfully hack into a car’s computer and expose some serious exploits. Last month Chrysler recalled 1.4 million Dodge Rams, Vipers, Durangos, Chargers and Jeeps due to a flaw in their UConnect entertainment system which could allow an attacker to gain control of critical functions such as braking, steering, speed control, and the transmission. Then this week Tesla pushed out a patch to Model S cars for a flaw that could allow hackers to take control of the vehicle (the details of this hack will be announced during Def Con). I am pretty sure that we will be hearing about more car hacks relating to other car makers in the upcoming months too.

The major problem is that there is a design flaw in how the components in the car connect to the computer. They use a standard protocol called CAN bus, which is similar to the internal bus in typical computers. Car manufacturers say that the components are “firewalled” from the entertainment system, but clearly this isn’t enough. They need to go back to the drawing board and physically separate the entertainment system from the CAN bus, which will prevent these types of attacks from happening in future model cars. But there is no word yet on whether manufacturers are going to take this route. For now, if you get a recall letter for your car, you should always take it seriously and get your car fixed, regardless of the reason.