64

I was just informed of the StageFright vulnerability in Android devices.

A specially crafted MMS message can gain access to data on the phone; so presumably it's a buffer overflow with subsequent privilege escalation.

Details have not yet been disclosed, but the practical question is: how can common users defend against an attack using this vulnerability?

It seems that not opening MMS messages would be the most important part.
Are there other steps that end users should take to protect themselves from this vulnerability?

S.L. Barth
  • I'm asking not just for myself, but also for what advice I can give to my friends who are not ICT professionals. – S.L. Barth Jul 28 '15 at 08:59
  • 5
    I'm guessing an answer of "Use iOS or Windows phone" isn't what you're looking for here :op – Rory McCune Jul 28 '15 at 09:02
  • 33
    @RоryMcCune Using a Windows Phone is never... ever the answer anyone is looking for. – RoraΖ Jul 28 '15 at 11:17
  • 1
    Install TextSecure, it [isn't vulnerable](https://github.com/WhisperSystems/TextSecure/issues/3817) to this attack. As an added bonus, you can get end-to-end encrypted texts. – mikeazo Jul 29 '15 at 02:57

4 Answers

64

You should disable the automated downloading of media files through SMS/MMS; there are multiple services that use this. Depending on which you use, you should disable this in the settings per service you use.

For Google Messenger:

More can be found here.

Besides that, don't open any messages containing multimedia files from someone you don't know or trust as you can still download the file manually and trigger the file that way.

Note that the SMS/MMS part is not the real threat here, it's just a way of getting malicious media files onto your phone and getting them to execute without user input. The actual threat is in the way media files are being processed. So receiving & viewing a media file through other channels will be just as dangerous.

netjeff
BadSkillz
  • Yes, this is the kind of thing I'm looking for! – S.L. Barth Jul 28 '15 at 08:59
  • 28
    This is a good answer, but perhaps worth noting that MMS is just the main vector for exploitation that's been noted so far. The problem with this issue is that it's in an underlying lib. that may be used in a variety of apps, so without patching the lib itself there is always the risk that it'll pop back up in another program... – Rory McCune Jul 28 '15 at 09:04
  • 1
    I completely agree with @RоryMcCune, the focus should be on updating the OS as soon as possible to patch the actual library. I don't know the current state of patch distribution per vendor, but I would guess at this stage (when this vulnerability is talked about in mainstream media) all major vendors should have rolled out patches already. – Purefan Jul 28 '15 at 09:08
  • 4
    True, the MMS part is just to get the file downloaded and processed without the user's knowledge. The true vulnerability lies in the way multimedia files are being processed, so copying a multimedia file through USB would be just as dangerous. – BadSkillz Jul 28 '15 at 09:08
  • 13
    @Purefan I'd agree that they *should* have, unfortunately as this goes back to Android 2.2 and some handset manufacturers drop support for devices in a year (or even less) I'm afraid that a lot of handsets will be permanently vulnerable to this issue... – Rory McCune Jul 28 '15 at 09:13
  • 8
    If you have Cyanogenmod, [you are either already patched or will be patched shortly](https://plus.google.com/+CyanogenMod/posts/7iuX21Tz7n8). – Michael Hampton Jul 28 '15 at 14:39
  • 3
    @MichaelHampton As Rory McCune observed [here](http://security.stackexchange.com/questions/95165/how-exactly-does-the-stagefright-vulnerability-work-on-android#comment162224_95168), the person committing the changes is the same person who disclosed the vulnerability. I guess CyanogenMod users are the safest for now! – S.L. Barth Jul 28 '15 at 14:58
  • 2
    I disagree with the part of "from someone you don't know". As far as security is concerned, if an attacker got hold of an acquaintance's phone, he can send the message passing as him. – Mindwin Jul 28 '15 at 21:53
  • Hi @BadSkillz, I use both the default SMS messenger and the Google Hangouts app. Should the setting be off in both? If yes, please add this detail in your answer. – user568109 Jul 29 '15 at 07:44
  • @user568109 I've added the info to the answer, thanks for the heads-up. – BadSkillz Jul 29 '15 at 08:12
  • Within the Hangouts app, click the hamburger menu -> settings -> SMS -> uncheck "Auto retrieve MMS". – zrneely Jul 29 '15 at 16:04
  • @BadSkillz did you use Jake Wharton's Telecine app? – Jared Burrows Jul 29 '15 at 22:43
8

For Android 4.1 "Jelly Bean" with the regular "Messages" app:

Menu > Settings > Multimedia messages (MMS) > Auto-retrieve -> uncheck

Neil McGuigan
  • 2
    This also works for my Android 2.2.2 (don't ask why I still use it). That said, the vulnerability is not in the MMS layer, it's much lower down in the 3GPP video parser (see [this answer](http://security.stackexchange.com/a/95168/61443)) and it's unclear to me right now how many other apps also use this library, youtube? snapchat? – Mike Ounsworth Jul 28 '15 at 19:20
  • Just did the same for Android 5.0.2 in the Messages app. – MC10 Jul 28 '15 at 19:38
5

Rooting the phone and installing a stock non-carrier ROM or an up-to-date third-party ROM can be a solution, though the new problem is why you should trust some ROM posted by a pseudonymous user on a forum (that can be problematic, especially in enterprise environments).

A long-term solution would be to buy devices with the firmware directly supplied by its manufacturer and not by a stupid carrier. After all, no ISPs ever approve Windows Updates (and everything works fine), so why should it be any different on mobile?

Anonymous
  • 2
    Apparently CyanogenMod is now patched, and since it's Open Source users can inspect the source code. – S.L. Barth Jul 28 '15 at 19:18
  • 6
    I'm in doubt about the second part of your answer. All software may contain vulnerabilities, regardless of who created it. The problem with Android is that patches must go from Google to the end users through the manufacturers, as [Bruce Schneier points out](https://www.schneier.com/blog/archives/2015/07/stagefright_vul.html). – S.L. Barth Jul 28 '15 at 19:22
  • 1
    @S.L.Barth It's often even worse than that. If you get a phone on a contract, some carriers customise the firmware, and will only update when the carrier releases a patched version of the customised firmware - which may be some time after the manufacturer, and in turn some time after Google/AOSP. – James_pic Jul 29 '15 at 10:37
4

As many people already wrote in comments, this is not about MMS, but about a bug in the multimedia library, so disabling MMS will only help to avoid your phone being hacked when you do not use it but keep it turned on and connected to the cellular network.

If you use your phone, you could still be hacked through a web browser or ANY OTHER APP that works with multimedia.

I provide a full answer here: Stagefright security issue: what can a regular user do to mitigate the issue without a patch? on android.stackexchange.com since this question is a duplicate of that one.

Answering the original question, there are 3 ways for a common user (if common means that the user is not able to root his phone and/or install CyanogenMod on his phone) to protect himself:

1) Disable auto-retrieve of MMS, install Firefox 38+, and maybe MX player (and disable use of stagefright there). Delete all other applications on the phone including Facebook, Twitter, E-mail, etc. wherever any multimedia content could be. If it is not possible to delete, for example, an E-mail app, just delete all accounts there, so that nothing will be downloaded from the Internet. Now it is possible to use the phone for web browsing, calls and SMS.

2) Turn off the phone, and buy another Android phone with stock Android from Google (e.g. Nexus)

3) Install update if it is available. If not, please select from options 1 or 2.

Andrey Sapegin
  • 1
    "*If you use your phone, you could still be hacked through a web browser or ANY OTHER APP that works with multimedia.*" -- yes, this is what people are not focusing on. – Firelord Dec 10 '15 at 13:12