Huge Security Hole In Recent Samsung Devices 153
An anonymous reader writes "A huge security hole has been discovered in recent Samsung devices including phones like the Galaxy S2 and S3. It is possible for every user to obtain root due to a custom faulty memory device created by Samsung." The problem affects phones with the Exynos System-on-Chip.
Great (Score:1, Offtopic)
Does that mean I can finally root and upgrade my crappy Galaxy S1 with Android 2.1 yet? Fucking AT&T
Re: (Score:1)
Billy Gates wrote:
Does that mean I can finally root and upgrade my crappy Galaxy S1 with Android 2.1 yet? Fucking AT&T
You still prefer that one over your Lumia 920?
Re:Great (Score:4, Informative)
Google, this is an easy thing to do. I can't guarantee this site but: https://gurde.com/2012/08/how-to-android-jelly-bean-4-1-1-on-galaxy-s-i9000/ [gurde.com] is the first result I got.
Re: (Score:2)
The SGS is pretty much brick proof, even if you screw up the simple root instructions.
Currently running over clocked (Semaphore) CM 10 JVT with no problems.
Re: (Score:3)
The SGS is pretty much brick proof, even if you screw up the simple root instructions.
Currently running over clocked (Semaphore) CM 10 JVT with no problems.
Brick proof until the USB connector dies part way through an update. Just had that happen: brand new SGS, started to root it, failed, couldn't connect on USB again. Took it back and got a replacement though. I did read somewhere that the USB connectors on these can be dodgy.
Re: (Score:2)
Why not leave AT&T then?
Re: (Score:1)
Maybe yours is better?
That's very off-topic but I don't even own a smartphone :)
I think they are expensive. I likely should get a used one, either simple and cheap or one of the latest ones but cheaper than retail (and keep it up to date for longer; as I see things, phones like the Galaxy Gio haven't fallen much or at all in price in the last 1-1.5 years, so getting an old phone and hoping for something better to show up for a good price somewhat sooner may not be a path to success.)
I've thought about getting a used S III and was rather
Re: (Score:2)
I know I am probably going to be modded down into an oblivion for this reply, but it is just my bad experience with mine and my frustrations over the years. Maybe yours is better?
The two are related. The Galaxy S was one of the most popular non-iPhones on the market, and for good reason. It was quite capable, competitively priced and very feature rich.
It also is incredibly trivial to install updated ROMs on it and it is typically one of the first phones outside the Nexus series to get a port of any new version of Android. If you want to see what the thing is really capable of head to the XDA-developers forums and lurk a bit. I'm currently running the latest Jelly Bean ROM with many
Re: (Score:2, Informative)
That phone has been rootable for ages. It runs Ice Cream Sandwich and even Jellybean quite smoothly with the proper ROM/kernel.
It's a feature !! (Score:5, Insightful)
Instead of considering that "security hole" a "security hole", consider it as a "feature".
Just root the damn thing and unlock it !!
Re: (Score:2)
Since I have an iPhone 5 now I'm not too worried about it, but I still like tinkering. Call me weird, but I like both ios and android, both have pros and cons. I'm getting an android tablet for xmas this year.
Re: (Score:2)
Once you root, you need to disable all the built-in shitty apps. I wrote a script to mkdir /system/app/disabled and then mv /system/app/${shittyapp}/ to /system/app/disabled/
Easy to regex search/replace that disable.sh script to undo it (enable.sh) when you want to un-root so you can OTA upgrade (if you so choose).
Script disables I500_BingSearchAndroid_07152010.apk so I can install EnhancedGoogleSearchProvider.apk to "de-Bing".
I'm still on stock Fascinate 2.2 (didn't see the point of 2.3 on this phone, plus
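What the post describes, as an added example reconstructing the approach rather than the poster's own script: the unwanted APKs are moved out of the app directory into a disabled/ subdirectory, and the reverse operation puts every one of them back so the system partition is untouched again before an OTA. The functions take the app directory as a parameter (on a device it would be /system/app, remounted read-write as root); the demo runs against a constructed temporary directory with placeholder APK names.

```shell
#!/bin/sh
# disable_apps.sh - added example, not the poster's script.
# Moves preinstalled APKs out of the app directory into DIR/disabled/ and
# can move them all back, so the app directory is pristine again for an OTA.
# Assumes a POSIX shell; DIR would be /system/app on a rooted device.

# disable_apps DIR APK... : move each named APK into DIR/disabled/
disable_apps() {
    dir="$1"; shift
    mkdir -p "$dir/disabled"
    for apk in "$@"; do
        if [ -e "$dir/$apk" ]; then
            mv "$dir/$apk" "$dir/disabled/$apk"
        fi
    done
}

# enable_apps DIR : the undo step; move everything in DIR/disabled/ back
enable_apps() {
    dir="$1"
    for path in "$dir"/disabled/*; do
        [ -e "$path" ] || continue      # glob matched nothing: directory empty
        mv "$path" "$dir/$(basename "$path")"
    done
    rmdir "$dir/disabled" 2>/dev/null || true
}

# count_apks DIR : number of .apk entries directly inside DIR
count_apks() {
    ls "$1"/*.apk 2>/dev/null | wc -l | tr -d ' '
}

# --- constructed demo: a fake app directory with placeholder APK names ---
demo=$(mktemp -d)
touch "$demo/I500_BingSearchAndroid_07152010.apk" "$demo/Phone.apk" "$demo/Camera.apk"
disable_apps "$demo" I500_BingSearchAndroid_07152010.apk
echo "active: $(count_apks "$demo")  disabled: $(count_apks "$demo/disabled")"
enable_apps "$demo"
echo "active after re-enable: $(count_apks "$demo")"
rm -rf "$demo"
```

Because the moves are recorded only by where the files end up, the undo step needs no regex edit of the script: anything in disabled/ goes back. Names that do not exist are skipped rather than aborting the run.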
Re: (Score:2)
Re: (Score:2)
I rooted mine 2 years ago, while at a conference. What's been stopping you? CM10 is out for it, and I installed that last week. Of course, Friday my Nexus 4 arrived, so I don't need to touch my SGS1 ever again...
Re: (Score:3)
Galaxy S1 is easy to root! You have to be careful and follow instructions, but it's easy. http://wiki.cyanogenmod.org/wiki/Samsung_Galaxy_S [cyanogenmod.org]
Also Samsung has its own update process called Kies, but it won't give you root: http://pages.samsung.com/ca/androidupgrade/English/ [samsung.com]
I love my Samsung Galaxy S
Re:Great (Score:4, Informative)
Kies is the biggest pile of bloated crapware since Norton.
Re: (Score:2)
Does that mean I can finally root and upgrade my crappy Galaxy S1 with Android 2.1 yet? Fucking AT&T
Finally? There was no reason to wait, you could have rooted your Captivate last year I bet.
With Samsung Kies, you should be able to upgrade your AT&T Captivate all the way to 4.0. That being said, you should root to get Android 4.2 at least (4.0 may be laggy for you, that's why I'm recommending that you root your phone instead, and just jump all the way to whatever is currently available without going through Samsung Kies).
Re: (Score:2)
Can you please provide a reference to an official Samsung ICS image for the Galaxy S1? Other than that, you'll find it pretty much impossible to upgrade it to 4.0 using Kies.
Re: (Score:3)
Installing anything with Kies is just torturing yourself. A Galaxy S1 runs Jelly Bean quite nicely, and it runs faster than stock 2.1 I find. The next phone I buy will be checked for Cyanogen support before I buy it.
Re: (Score:1)
DRM software on it wont let me sync it to any computer. I tried that route.
Re: (Score:2)
You should be able to put it into raw download mode (hold Vol up + Vol down in the off state while plugging USB into it) and use Heimdall, where you can flash a complete image over it. Poke around for it, it's a fairly easy phone to root, and you'll be much happier with JB on it.
Re:Great (Score:5, Funny)
You should be able to put it into raw download mode (hold Vol up + Vol down in the off state while plugging USB into it) and use Heimdall, where you can flash a complete image over it. Poke around for it, it's a fairly easy phone to root, and you'll be much happier with JB on it.
I want to like my iPhone, but Android is just SO OPEN.
Re: (Score:2)
Re: (Score:1)
I still love the phone though don't get me wrong it's pretty capable but it's quite sickening the way Samsung ignores it just because the S3 came a few weeks later.
Not LTE GS3 (Score:5, Informative)
This only affects the international S3; the US LTE version uses a Snapdragon CPU.
Re: (Score:2)
How about the international S3 LTE? - Mine is model GT-I9305
Re:Not LTE GS3 (Score:4, Informative)
Yes, the I9305 is affected.
The list below is all models affected by this, which includes the international GS2 variant, as well as the Note 1 and 2, Galaxy Tab Plus, and Note 10.1.
GT-I9100
GT-I9300
GT-I9305
GT-N7000
GT-N7100
GT-N7105
SGH-I317
SCH-I605
GT-P6210
GT-N8000
GT-N8010
GT-N8013
GT-N8020
It does not affect the Snapdragon-based I747 (AT&T, Rogers, Bell and other major Canadian carriers) nor the T999 (T-mobile, as well as Canadian AWS carriers like Wind, Mobilicity, and Videotron)
Root (Score:2, Insightful)
I consider someone *else* running as root a security hole. As long as you need physical access, this is a feature. A phone that will not let you install what you want is broken.
Re:Root (Score:5, Informative)
Re:Root (Score:4, Insightful)
That's definitely a problem. The way the summary is worded makes it sound like a user having root is a security exploit ... something most hardware and OS manufacturers seem to believe these days. I may have to break tradition and read the article.
Re:Root (Score:5, Informative)
Looks like someone has a quick fix out. It's an app that sets the perms on the file properly, but it does cause problems with the camera on the S3. The app lets you toggle the permissions on and off so you can still use your camera if you wish. I haven't tried it as I don't have a phone with the hole, but the XDA guys are pretty reputable: Here it is. [xda-developers.com] Certainly can't complain about the open source community on something like this, although it would have been nice if he had reported it to Samsung a little in advance of the release of the problem.
Re: (Score:3, Interesting)
"although it would have been nice if he reported it to Samsung a little in advance of the release of the problem"
While that would have been nice, it is very debatable if it is wise. With Samsung, you just don't know. Security holes have been reported to Samsung that have been fixed nigh instantly, while other well known problems that can cause hard-bricks (device becomes a non-recoverable paperweight) on various devices have been known for almost a year - including the fixes - and the issue is still present
Re: (Score:2)
If they ever update The Fifth Discipline: The Art and Practice of the Learning Organization [wikipedia.org] I'm sure they can cull a hundred pages of business-speak blather to make room for an additional chapter on the pernicious feedback loops of responsible disclosure.
Normally we allow markets to punish corporations for sloppy work. Causing grave identity harm to your customer base is the kind of sloppy work deserving of punishment. And then, you know,
Re: (Score:2)
Without knowing the nature of these "hard-brick" problems it is difficult to say if Samsung did the right thing but not rushing a fix. When you have tens or hundreds of millions of devices in the field you only rush fixes if they are security critical, not if they can result in something that the service department can fix and that only happens in very unusual circumstances. Fixes can make things unintentionally worse if not carefully tested.
Considering there have been no widespread reports of ordinary user
Re: (Score:2)
Who said anything about rushing? That specific problem has been known for a long time, and most affected devices have received several updates since then. The fix is literally a one-liner in the kernel source, disabling "secure erase". When a user "resets to factory settings" (i.e. wipes all user data) the device performs an erase command. Somewhere in Android 3.x or 4.0 Google changed the default behavior from normal erase to a secure erase. The eMMC chips Samsung used were never properly tested for this,
Re:Root (Score:5, Insightful)
They can test all they want, but there will be bugs. The trick is to have support in place to patch quickly. Most open source software is very good this way, but most commercial stuff is way behind.
Re: (Score:2)
A device driver which allows programs to mmap any and all physical memory, which defaults to world-writable permissions both in the driver itself and in a system startup script, seems like a bit more than just a "bug". It's more consistent with a complete lack of security-mindedness among the developers and reviewers (if any).
Re: (Score:2)
Fixes were outlined in the xda-developers thread to white-list specific DMA regions for the camera to function, instead of all lowmem.
Re: (Score:3, Insightful)
The responsibility of the developer is to fix a security hole such as this as quickly as possible once it is detected.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Root (Score:5, Informative)
The way the summary is worded makes it sound like a user having root is a security exploit ...
The Cleaner is correct. In the case of Android, each application is considered a separate user. That's how applications are sandboxed away from each other. This way, an application only has access to its own files (which reside in its home folder). An application only has access to its own SQLite database instances (which again reside only within its own home folder; since SQLite is file-based, this arrangement works). With its own user ID, an application can only access its own process and its own data. Etc.
In other words, Android is an operating system built on top of another operating system and Android doesn't try to completely reinvent the wheel when it comes to security.
Re: (Score:2)
You're right. What I said was a huge oversimplification. What I said really only applies to their home folders.
Re: (Score:2)
That's definitely a problem. The way the summary is worded makes it sound like a user having root is a security exploit ... something most hardware and OS manufacturers seem to believe these days. I may have to break tradition and read the article.
For most users, having root *is* a security exploit. Few users know how to tell whether the application they are installing as root is "safe".
Re: (Score:1)
Mod parent up. It's called the Principle of least privilege [wikipedia.org], which Unix systems implement using mechanisms like sudo. Having root access on Android systems breaks this to some extent.
Re: (Score:2)
The real problem is Android's permission system is broken. Specifically there are two major problems.
1: there is no way for a user to go through the permissions an app wants and decide what permissions it should actually get.
2: there are some privileges apps simply can't get through the normal permissions system even though they would allow the app to be more useful.
"Rooting" works around problem 2 and I believe can allow the installation of apps that attempt to solve problem 1.
Re: (Score:2, Informative)
The fandroids will spin this into something to make it seem like it was a win for them all along.
Whoa, the fandroids didn't do that! Instead, the fandroids discussed the issues, risks and fixes calmly, intelligently and informatively. Now if only iFans were like that, maybe I wouldn't feel like I got something icky on me after any encounter.
Re: (Score:3)
The fandroids will spin this into something to make it seem like it was a win for them all along.
Whoa, the fandroids didn't do that! Instead, the fandroids discussed the issues, risks and fixes calmly, intelligently and informatively. Now if only iFans were like that, maybe I wouldn't feel like I got something icky on me after any encounter.
Oh, iFans have another weapon besides naked fanaticism: they also have Apple spinmods.
Re: (Score:2)
Fandroids cling to the belief that slashdot is a pro-Apple site, where any moderation of their (actually flamebait and inflammatory) post is somehow down to "spinmods" looking to suppress the message.
Don't be silly, Slashdotters are well aware that Slashdot is anything but a pro-Apple site, mainly because of Apple's corporate hubris and unabashed bad acting. But we also know that Apple is a company that stoops to astroturfing. [usenix.org.uk]
Re: (Score:2)
So how do you know what you're installing WON'T take advantage of this and break through the Android permissions model? (Permissions system doesn't apply if you have root, after all).
Several Android malware apps have attempted to root the user's phone before, so it's possible that some app you download may try the same. And all they'
Re: (Score:2)
You don't. Nor do you know that the web site you browse to or JPG you view doesn't exploit a buffer overflow and break out of its VM sandbox. Same applies for an iPhone and your desktop. Having people able to review the source of the applications is a good start, but there is always some risk.
Re:Root (Score:5, Insightful)
On smartphones, local exploits matter because they mean apps can gain more permissions than they are supposed to have. (This is a much smaller problem on desktops because people don't tend to install programs on desktops anywhere near as much.)
You've never seen a user click blindly through ActiveX install warnings if you think Desktop users rarely install software.
Custom faulty memory device? (Score:2)
Re: (Score:2, Funny)
1.) Become the go to name in customized faulty memory devices
2.) ?????
3.) Profit
Funny as hell - Google ad. (Score:5, Funny)
To actually root ... (Score:3)
Strangely, TFA makes no mention of an app built to actually use this exploit to install SuperSU (root access management app): http://forum.xda-developers.com/showthread.php?t=2050297 [xda-developers.com] - i.e. what most users consider getting rooted.
Of course, this exploit can be used by any app, and a user can use the core exploit manually to install SuperSU (or Superuser) to let Play apps that need root (but don't contain this exploit ;)), but the linked method does all the work for you already.
Link (Score:1)
Another illegal patent expropriation from Apple (Score:3, Funny)
Tim Cook needs to sue them for that one.
Re: (Score:2)
Tim Cook needs to sue them for that one.
Beat me to it like a redheaded stepchild.
security hole? (Score:1)
How is this even remotely a security hole? Much less a "Huge" one? Owners can gain root access to their own device? God forbid!
Re:security hole? (Score:5, Informative)
Err, because any app you download can p0wn your phone?
Re:security hole? (Score:4, Informative)
Because some random app could subvert the permissions it was granted at install and do whatever the hell it wants?
Re: (Score:2)
Re: (Score:1)
Sony get your lawyers. (Score:2)
Sounds like Samsung is ripping off Sony security.
Quick! Get Kaz Hirai on the phone!
impeccable timing (Score:1)
Is that news? (Score:2)
Re: (Score:2)
How to use this to your advantage (Score:2)
Use this APK to get root and install superSU
http://forum.xda-developers.com/showthread.php?t=2050297 [xda-developers.com]
Now, whenever any app asks for root permissions, you will be asked whether you want to give root. This is how it used to work in my older rooted devices.
Removing a Mod (Score:1)
Re: (Score:2)
Delete HRS Hotels? (Score:2)
Naah, they obviously would have dealt with preventing that more thoroughly as marketing depts. with deep pockets were involved.
Issue Update (Score:1)
Sent from my Samsung Galaxy S3
Re: (Score:2)
Re: (Score:2)
I like Droidwall, have been using it since the 1.x days. Yes, it does require root, but it is worth using. Oddly enough, on rooted Motorola phones, it takes a while to push the iptables entries out when you tell it to. On HTC phones, it is a lot quicker.
Another app that I used to use was LBE Privacy Guard, but it doesn't work on Android 4.1 or newer (will bootloop your phone if you try.) I know it is a free app, but when it worked, it was a very useful tool, as it limited what apps could access (contacts
Re: (Score:2)
Re: (Score:3, Insightful)
> It's just one more exposure. The real problem is in actually being able to tell what -any- app is currently doing
> on your device. And that kind of monitoring is no-where in sight.
Wrong, and wrong. With this, you can access all the memory on your phone. Clearly with this you CAN tell what's running. You can stop what's running. You can patch what's running. You can do whatever you like. This is about as different to the average piece of malware as is possible to get.
Re: (Score:2)
Damn that was vague. Could you maybe explain what kind of bad things they can do without permission?
And what kind of monitoring do you want? A debugger?
Re:Huge Security Hole Has Been there all Along (Score:5, Insightful)
Damn that was vague.
If by 'vague', you mean 'detailed', then yes, it was. 8^)
Could you maybe explain what kind of bad things they can do without permission?
The most damning bit of code is this:
#ifdef CONFIG_EXYNOS_MEM
        [14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH, &exynos_mem_fops},
#endif
Basically, it says, "Aw heck, write whatever you like to any memory address anywhere. I mean, we're all friends here. Right?"
Effectively, any installed app can ignore pretty much every single security setting on the phone and do whatever it likes to the running system. Worse, this could be coupled with a vulnerability in an otherwise well-intentioned app to create a remote root exploit.
On the WTF scale, this ranks with the 2008 Debian SSL hole [slashdot.org] in terms of rank stupidity.
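Those mode bits add up to 0666, so every UID on the device, which on Android means every installed app, can open the node read-write. The check a defender wants is the simple one: list device nodes whose mode grants write to "other" and tighten any that should not have it. The script below is an added example, not code from this thread, from the XDA fix or from Samsung's kernel; it assumes a POSIX shell with find and chmod, and it exercises the audit against a constructed temporary directory rather than the real /dev.

```shell
#!/bin/sh
# audit_world_writable.sh - added example; not from the thread or the XDA fix.
# Lists entries under a directory whose mode has the "other write" bit set,
# which is exactly what S_IWOTH in the exynos-mem devlist entry grants.

# world_writable DIR : print every non-directory, non-symlink entry under DIR
# that is writable by "other". -perm -002 is POSIX find: "these bits are set".
world_writable() {
    find "$1" -perm -002 ! -type d ! -type l 2>/dev/null | sort
}

# world_writable_count DIR : number of such entries, usable as a pass/fail signal
world_writable_count() {
    world_writable "$1" | wc -l | tr -d ' '
}

# tighten NODE : the remediation the XDA fix applies, owner-only access.
# On a real device NODE would be /dev/exynos-mem and this needs root.
tighten() {
    chmod 0600 "$1"
}

# --- constructed demo: a fake /dev tree instead of the real one ---
demo_dir=$(mktemp -d)
touch "$demo_dir/exynos-mem" "$demo_dir/mem" "$demo_dir/null"
chmod 0666 "$demo_dir/exynos-mem"   # the flawed setting from the snippet above
chmod 0640 "$demo_dir/mem"          # conventional /dev/mem: root and the kmem group only
chmod 0666 "$demo_dir/null"         # /dev/null is legitimately 0666

echo "world-writable before:"
world_writable "$demo_dir"
tighten "$demo_dir/exynos-mem"
echo "world-writable after:"
world_writable "$demo_dir"
rm -rf "$demo_dir"
```

On a device the audit runs against /dev as root, and the output needs an allow-list, since nodes such as /dev/null are 0666 by design; the point is that a node giving access to physical memory should never appear in that list. As the thread notes, chmod on /dev/exynos-mem breaks the camera on some models, so the more complete fix is the kernel-side whitelist of camera DMA regions mentioned further down.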
Re: (Score:1)
Shouldn't that have been == ?
Re: (Score:1)
Re: (Score:2)
The absolute worst case would be to use the elevated access to leverage the superbrick bug (another hole out in the wild on the majority of Exynos-based phones) and permanently damage the eMMC chip, which requires a system-board replacement to revive the phone.
Re: (Score:1)
Given the popularity of the S2 and S3 I would say a rapidly spreading virus that turns them into a mobile botnet or spyware system would be far worse.
Although bricking them all at once would be massively damaging to Samsung.
Re: (Score:1)
The code attached to the first post demonstrates how to elevate privileges to root and then open a root shell. If someone had an issue with Samsung they could then brick the device by overwriting the boot loaders or use the "Super Brick" bug; the permissions set by Samsung devs allow R/W access to kernel memory.
My experience with Samsung devices is that they are easy to root, but Samsung seems to outsource the software development to North Korea.
Re: (Score:2)
If only someone had found a way to fix this :( [xda-developers.com]
Re: (Score:1)
That isn't a fix, but merely a flimsy cork or finger in the hole. Unfortunately, from what I read (Samsung's version of /dev/mem but with global access), this "hole" is more proverbially along the lines of this bad boy:
http://en.wikipedia.org/wiki/Bingham_Canyon_Mine [wikipedia.org]
In other words, it's a hardware design flaw so big it can only be worked around, and even then only poorly.
I'm doubly pissed here because I bought the T-Mobile USA version of the Galaxy Note II (SGH-T889) on the day it came out, and a month before
Re: (Score:3)
This is not a hardware design flaw. Whatever makes you think that? The reason it affects so many Exynos4 devices is because the exploitable code is present in the main code they base most Exynos4 Android firmwares on. It's certainly fixable by Samsung.
Re: (Score:2)
Re: (Score:2)
Except chmod breaks the camera on some devices. Fixes were outlined in the xda-developers thread to white-list specific DMA regions for the camera to function, instead of all lowmem.
Re:Makes me glad I use an iPhone... (Score:4, Insightful)
other than stuff befalling jailbroken devices
This is the important part. Walled gardens are inherently more secure, it has nothing to do with Apple's competence.
Re: (Score:2)
Walled gardens are inherently more secure, it has nothing to do with Apple's competence.
Do you have any actual evidence to support that fanciful assertion? Didn't think so.
Re: (Score:2)
Walled gardens are inherently more secure
Which walled gardens? More secure how? More secure than what?
If the walled garden does a better job of verifying the security than the collection of apps you are comparing it to, then you are right. But that is not an inherent characteristic of the walled garden model any more than it is of any other kind of collection of apps. The question is how strongly the selection process under consideration filters for security.
For example, F-Droid [f-droid.org] is a repository of Free and
False, Apple's security deeper (Score:1, Troll)
Apple's is chiefly based around how good their gatekeeper is.
No, in fact Apple's security does not rely on that at all. The system is designed to prevent any application, not just Apple vetted ones, from harming the system - otherwise Apple would not allow independent Enterprise deployment as they do since Apple does not review those applications.
Apple's system is deeper than Android's because instead of having one up-front, out-of-context question about the permissions the app should support, instead iOS u
Re: (Score:2)
iOS devices ALSO do not allow installation of apps to external media which was already a monstrous security hole for Android devices; any SD card inserted that was formatted FAT32 could have any portion read and written to by any app.
Yeah, as opposed to Apple's solution of not putting ANY SD card reader in the first place. Much more secure. Right on.
Re: (Score:2)
Although Apple's reason for this isn't security but instead to up-sell to a more expensive model, a lack of an SD slot does indeed increase security by physically eliminating one vector for malware to take advantage of.
We see the same principle when some companies disable or seal up USB ports on their employee desktops computers, and of course there's the so-called air gap between the internet and secure internal-only servers.
Each of these decreases usability and convenience, and can be defeated by anyone m
Yes, really. (Score:2)
Charlie Miller would like to disagree with you with his Command and Control trojan stock ticker app.
Meanwhile a thousand equivalent apps sit on the Android app store untouched. MORE secure does not mean 100% secure.
After all, even with his stock ticker app what could actually be done via remote commands is still limited to what the sandbox can do. That is defense in depth.
The fact remains iOS is MORE secure than Android.
Deeper than Android's? Is that why there is a jailbreak vulnerability for each and ever
Re: (Score:2)
Re: (Score:1)
Form of: denial and accusation of user error.
You're an Apple employee, and you're projecting.
Re: (Score:2)
Form of: denial and accusation of user error.
You're an Apple employee, and you're projecting.
and your Apple spinmod friends don't impress me either. Actually, the more you do things like that, the more you Apple people disgust me.