- August 24, 2016
- Info notes
During DEF CON 24, the annual security conference held in August in Las Vegas, Check Point's mobile threat research team disclosed a set of serious Android vulnerabilities, collectively dubbed "QuadRooter". Check Point claimed that the vulnerabilities affect some 900 million Android devices built on Qualcomm chipsets, a figure that generated a large number of headlines. This note gives an overview of the vulnerabilities together with a calmer assessment of their severity and reach. It also discusses the recent hype around security vulnerabilities and provides recommendations on mobile device security and on communicating vulnerabilities.
What is QuadRooter?
As its name suggests, QuadRooter is a collection of four distinct vulnerabilities (CVE-2016-2059, CVE-2016-2503, CVE-2016-2504 and CVE-2016-5340) in Qualcomm-supplied kernel driver code, each of which, upon exploitation, can give an attacker root access to the device. The affected Android devices are those built with Qualcomm chipsets. According to Check Point, an attacker can exploit these vulnerabilities by tricking the user into installing a malicious application; the application needs no special permissions and can trigger the privilege escalation on its own to obtain root on the device. An attacker who gets that far can take over the device completely, which is what makes the vulnerabilities serious.
Google addressed three of the four vulnerabilities in the August 2016 Android security update and scheduled the fix for the fourth (CVE-2016-5340) for the September update. As pointed out in a previous note, Android has a fragmentation problem: software and security updates have to pass through device vendors and then through carriers before they reach end users' devices, which rarely happens in a timely manner, if at all. The result is a large population of devices running many different versions of Android, many of which will not receive the fix.
Serious Vulnerability – Non-trivial Exploitation
Despite the vulnerabilities being severe and potentially affecting millions of Android devices, exploitation is non-trivial: a user has to take several deliberate steps and ignore basic Android security hygiene to get infected. As AndroidCentral pointed out, QuadRooter requires the user to manually install a malicious application from outside Google's official application marketplace, Google Play, which is monitored for potentially harmful applications both before and after they are published. To do so, the user has to explicitly enable the "Unknown Sources" option in the device's security settings in order to install an application from a third-party source. Moreover, Google confirmed that even then, Android's "Verify Apps" feature, which is part of Google Play Services (enabled by default since Android 4.2, Jelly Bean, and available as an option on older versions), can identify and block applications that exploit QuadRooter before they are installed. Thus, a user would also have to disable "Verify Apps" to become infected.
Hype is not in Favour of Application Security Anymore
Heartbleed was one of the most notable critical vulnerabilities to be given a name in addition to its CVE identifier (CVE-2014-0160). The name made it easy to remember, raised awareness, acted as a wake-up call about the bug's criticality, underscored the importance of application security and reached the wider public. It was a good example of what Naked Security calls a "Bug With An Impressive Name" (BWAIN), and the name served its purpose well.
After Heartbleed, many vulnerabilities were given names, e.g. Shellshock, ImageTragick and Stagefright, to name just a few. The problem is that some not-so-serious vulnerabilities, e.g. Badlock, were branded all the same, for the sake of marketing and publicity, creating hype without adding real value. This trend of BWAINs has led to the over-exposure of security vulnerabilities (even minor ones), with impressive and resonant headlines overwhelming the Web, panicking people and urging administrators to patch yet another new "critical" vulnerability every day, essentially keeping them in a constant "fire-drill" mode without always a sound reason.
This is much like "The boy who cried wolf", one of Aesop's fables. Over-exposing security vulnerabilities, especially minor ones, actually has a counterproductive effect on application security: the "noise" from over-hyped, non-critical vulnerabilities makes it harder for truly critical vulnerabilities to stand out and receive the attention they deserve.
The following measures are good security practices, not only against QuadRooter but against other vulnerabilities as well. Most of them (except those that are specific to Android) apply to all mobile operating systems.
Install software and security updates. Users are strongly advised to install the latest Android software and security updates as soon as they become available for their device.
Disable "Unknown Sources" and enable "Verify Apps". As discussed above, Android users should keep the "Unknown Sources" option in the device's security settings disabled and the "Verify Apps" option in the device's Google settings enabled at all times.
Use the official application marketplace only. Users should download applications from Google Play only, and not from third-party sources, to minimise the risk of installing a malicious application. Applications should not be sideloaded unless they originate from a legitimate and authentic source.
Deny unexpected application installation requests. Attackers often try to trick users into installing applications while they browse the Web, e.g. by prompting them to install a rogue anti-virus or a similar seemingly legitimate application. Users should deny any suspicious or unexpected installation request.
Review and manage application permissions. Users should carefully review the permissions an application requests before installing it, to ensure that it does not ask for access to data or functionality it has no reason to need. When an application asks for permissions that seem unusual or unnecessary, users should not proceed with the installation. Newer Android versions (Android 6.0, Marshmallow, or later) support runtime permission management, so users can grant or revoke individual permissions per application, at the cost of the corresponding functionality. Furthermore, developers are encouraged to clearly document the permissions their applications require, to make it easier for users to evaluate them.
Do not root devices or install a customised operating system (OS). Users need to understand the risks of rooting their device, whether intentionally or through a vulnerability, namely that it can give an attacker unrestricted access to the device, and refrain from doing so. Additionally, they should not trust or install customised OSes (ROMs) created and distributed by unknown sources, unless they are in a position to audit their code extensively or they understand and accept the risks of running a customised OS.
Use a mobile security solution. Smart devices are powerful computers and should be treated as such. Users should install a reputable mobile security solution and keep it updated, as an additional layer of application security (every application is scanned for malware upon installation) and Web security.
Do not use insecure public Wi-Fi networks. Users are strongly advised to use only trusted and protected Wi-Fi networks and to avoid open, insecure public Wi-Fi networks. If a public Wi-Fi network has to be used, users should connect through a Virtual Private Network (VPN) to protect against Man-in-the-Middle attacks.
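For administrators who want to check the "Unknown Sources" and "Verify Apps" recommendations (and the permission review) on a fleet of devices rather than by hand, the following Python script is an added example; it is not part of this note and not an Android or Google tool. It assumes a device reachable with `adb` (USB debugging enabled), that the two switches are stored as the AOSP settings keys `secure/install_non_market_apps` and `global/package_verifier_enable` on the Android builds current in 2016, that `settings get` prints `null` for a key that does not exist on a build, and that `dumpsys package <pkg>` lists an app's requested permissions under a `requested permissions:` header; the sample `dumpsys` excerpt, package name and permission set are constructed for illustration.

```python
"""Audit the Android settings this note recommends, and the permissions an
installed app requests, over adb.

Added example, not part of the ENISA note or of any Android tool.
Assumptions (not stated on the page):
  * a single device is attached and reachable with `adb`, USB debugging on;
  * "Unknown Sources" is stored as secure/install_non_market_apps
    (1 = enabled, i.e. unsafe) and "Verify Apps" as
    global/package_verifier_enable (1 = enabled, i.e. safe);
  * `settings get` prints "null" when a key does not exist on the build.
"""
import subprocess
import sys

# (namespace, key, value that is the SAFE state). Both keys are assumptions.
SETTINGS = [
    ("secure", "install_non_market_apps", "0"),   # Unknown Sources must be off
    ("global", "package_verifier_enable", "1"),   # Verify Apps must be on
]

# Permissions a user should question when an app has no obvious need for them.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed excerpt in the shape of `adb shell dumpsys package <pkg>` output,
# used as sample input; the package name and its permissions are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (a1b2c3d):
    userId=10123
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
"""


def adb(*args):
    """Run an adb command and return its stdout as text."""
    return subprocess.check_output(["adb", *args], text=True)


def read_settings():
    """Read each audited setting from the attached device."""
    values = {}
    for namespace, key, _safe in SETTINGS:
        values[key] = adb("shell", "settings", "get", namespace, key).strip()
    return values


def assess_settings(values):
    """Return (key, finding) pairs for every setting not in its safe state.

    A missing key ("null") is reported too: the switch may live elsewhere on
    that Android version, so the auditor has to check it by hand.
    """
    findings = []
    for namespace, key, safe in SETTINGS:
        actual = values.get(key, "null").strip()
        if actual != safe:
            findings.append((key, f"{namespace}/{key} is {actual!r}, expected {safe!r}"))
    return findings


def requested_permissions(dumpsys_text):
    """Parse the 'requested permissions:' block of `dumpsys package <pkg>` output."""
    perms, in_block = [], False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # The block ends at the next section header (ends with ':') or a blank line.
            if not stripped or stripped.endswith(":"):
                break
            perms.append(stripped)
    return perms


def sensitive_requested(dumpsys_text):
    """Requested permissions that fall in the sensitive set, sorted for stable output."""
    return sorted(p for p in requested_permissions(dumpsys_text) if p in SENSITIVE_PERMISSIONS)


if __name__ == "__main__":
    # Usage: python audit.py [package.name ...]
    for _key, finding in assess_settings(read_settings()):
        print("SETTING", finding)
    for pkg in sys.argv[1:]:
        for perm in sensitive_requested(adb("shell", "dumpsys", "package", pkg)):
            print("PERMISSION", pkg, "requests", perm)
```

A `null` result for either key is reported as a finding rather than ignored: it usually means the switch is stored under a different namespace on that Android version (older builds kept `install_non_market_apps` under `global`), so the auditor should confirm the state manually rather than assume it is safe.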
Do not over hype vulnerabilities
Security researchers are encouraged to continue the good work of identifying and responsibly disclosing vulnerabilities, and thereby contributing to application security. That said, they should not over-communicate and hype vulnerabilities for the sake of marketing and publicity. Instead, they should focus on clearly communicating the facts to the affected parties and to the press, for the sake of application security and the general public.
The same applies to conference and security event organisers. It is common practice, ahead of big security conferences and events, to generate a lot of hype around "novel attacks" and "critical" vulnerabilities in order to attract attendees. To be fair, many important information security developments are presented at conferences, but that is not always the case. Conference organisers should focus on accepting good-quality papers built on solid research and avoid unnecessary hype to attract audiences.
The press and marketers must be careful in how they present security vulnerabilities. They should refrain from over-communicating an issue and try to convey the right message to the public without amplifying it for marketing purposes. Experienced editors are usually assigned to information security topics; they should therefore be critical of security researchers' findings and challenge them when an issue is poorly or excessively communicated, while focusing on what really matters for their audience.
About "Info Notes" from ENISA
With the "Info Notes" series ENISA aims to give interested readers some background information and recommendations on NIS-related topics. The background information and recommendations are derived from past experience and common sense, and should be taken as starting points for discussions on possible courses of action by the relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more about the "Info Notes" series (firstname.lastname@example.org).