Tuesday, August 4, 2015

See the Man With the StageFright

   I always liked the way Rick Danko sang that song, and I saw him perform it a few times.

   But now we have a new StageFright, a vulnerability in the base Android phone operating system.  This is an equal-opportunity vulnerability affecting all Android phones (nearly 1 billion!).  Like many new vulnerabilities discovered in the past year, this one has a name and a logo.

   The issue is a "feature" in the way Android pre-processes MMS multi-media messages (pictures, videos) sent via your text messaging app.  That could be the stock messaging app, a custom messaging app from your phone manufacturer or data provider, or even Google Hangouts.

   Here's why the vulnerability is so bad... you don't have to open the message!  You don't even have to know that you received the message.  All it takes is for your phone to automatically download a malicious message in the background - which is exactly what it does - for your phone to be owned!  That's a problem.

   At the time I'm writing this column, there seems to be a fix only for Google-branded phones, and that's a very small percentage of all phones.  You can check with your carrier to find out when you'll get a patch.

   Meanwhile, there is a work-around.  You need to configure your messaging app to not automatically download MMS messages.

  1. Open your messaging app.
  2. Go to Settings
  3. Select: Multimedia messages
  4. Un-select Auto Retrieve

   Now, when someone tries to send you a message with multi-media content, you'll see that the message arrived, but the photo or video will not be downloaded.  Only tap to download if the message came from a trusted source.

   Of course, you should also keep your phone patched by applying all phone and app updates.  And... get rid of any apps you don't need.

   Here are some references for more info.
