Google Hackers Expose 11 Major Security Flaws In Samsung Galaxy S6 Edge

MojoKid writes: Going on a bug hunt might not sound like the most exciting thing in the world, but for Project Zero, the name for a team of security analysts tasked by Google with finding zero-day exploits, a good old fashioned bug hunt is both exhilarating and productive. As a result of Project Zero's efforts to root out security flaws in Samsung's Galaxy S6 Edge device (and by association, likely the entire Galaxy S6 line), owners are now more secure. The team gave themselves a week to root out vulnerabilities. To keep everyone sharp, the researchers made a contest out of it, pitting the North American and European participants against each other. Their efforts resulted in the discovery of 11 vulnerabilities, the "most interesting" of which was CVE-2015-7888. It's a directory traversal bug that allows a file to be written as a system. Project Zero said it was trivially exploitable, though it's also one of several that Samsung has since fixed.

The winner?

[paavo512]

to keep everyone sharp, the researchers made a contest out of it pitting the North American and European participants against each other.

So, who won?

Re:The winner?

[Alwin Henseler]

Those end-users that are 'lucky' enough to actually receive updates once in a while.

That is THE problem with Android right now imho: leaving updates to the OS to 3rd parties that are just interested in selling a phone or call/SMS/data package, is a totally broken model. Those 3rd parties should be required to provide working drivers for the hardware in their phone, in source form, and whoever maintains the OS (Google I suppose, or maybe some industry co-operation) should take it from there. Including the distribution of updates.

Those 3rd parties have too big a tendency to sell the phone & walk away. That is easy to foresee, and has been proven time and time again. So you simply CAN NOT rely on phone makers or providers to supply updates. Period. Trying to fix the problem when it's too late, doesn't help much: even if Google changes Android update model to how it should be, that still leaves hundreds of millions of phones out there which will never ever see an update again, but still be used for a long time to come.

Re:

[nevermore94]

Exactly. Being able to root my phone is very important to me, but full on ROMing is not. Currently the only reliable way to be able to root a phone without using some obscure exploit is to be able to unlock the bootloader and go from there. I wish Android would just support an official and highly secured way of getting root access (2 key authentication or something even better) to allow us to run a few root apps such as Titanium Backup and a proxy app that lets me connect to my company's network without

Re:

[iampiti]

Root is supposed to be impossible to get in Android phones. What you're complaining about is fixing of security bugs (yes, I know you know but this is worth being underlined).
How it should be is that you could get to be root in Android as a system feature not because of security bugs, but we know Google wouldn't like that. I still think a user should be able to do 99% of things that require root like running a firewall or mounting the system partition read/write so that you can delete apps which you'll nev

Re:

[CastrTroy]

This is the main reason I'm not on Android anymore. The last Android phone I bought was released 6 months before Android 4 came out. But it never received a single update. It was stuck on Android 2.3, and I used it for years like that.

I switched to Windows phone this time around, because it seems like it's much more likely to get updates going forward. The only other option is iPhone, but I don't like the idea of spending $700 on a phone that only comes with 16 GB of storage and can't be upgraded using SD

Re:

[KGIII]

Thoughts on the Windows phone? I'm seriously considering switching and the Ubuntu phone doesn't appear like it's an option/carrier supported. Four months into my new phone and nary one update except for the one that came down the pipes when I first got it. I hear good things about the Windows 10 phone but I hear those from people whom I'd not classify as technical in nature. Getting input from someone with a grasp of tech and the variable benefits and negatives would be nice - if you have time and are so in

Re:

[CastrTroy]

The only problem that I have is that certain apps don't exist. Battery life is great. OS is quick and stable. Everything feels nicely integrated. It's not like there's anything I find that I can't do, because there's other apps that accomplish the same functionality. But if you're the kind of person who can't live without specific sevices, like SnapChat, then you aren't going to like it.

Re:

[KGIII]

Thanks! That's exactly the kind of person that I am not. I don't really use any apps other than a browser, file manager, etc... I don't do social media (don't have any accounts) and I'd like to be able to use it as a phone and a web browser. I might like to check my home security (I can do that through a browser) and use VNC to connect to a home computer - which can also be done through a browser, if I put some effort into it. I can also just get the TightVNC client source and see if it compiles. I don't th

Re:

[unity]

" I might like to check my home security (I can do that through a browser) and use VNC to connect to a home computer - which can also be done through a browser, if I put some effort into it. I can also just get the TightVNC client source and see if it compiles."

There are existing VNC clients for windows phone.
I don't think the "app gap" is really much of a problem, there hasn't really been a situation where I couldn't do what I wanted with the phone. But even if it is a real problem, I think it will

Re:

[KGIII]

Thanks! I'm certainly going to buy one at this point. I'm not too picky. I'm just tired of the Android crap - the insecurity is just vile and I don't really want to have to play with keeping yet another device in sync unless it's trivially easy and the cell co doesn't seem to want to do that. With Windows, I should be able to just update the damned thing. I really want an Ubuntu phone but that doesn't appear to be happening any time soon.

Heh... I'm buying a Windows device - on purpose, willingly, and kind o

Re:

[IamTheRealMike]

Well, did you read the article?

Samsung have patched nearly all the bugs in the October online update and the rest will be done in this months update. So your anger is misplaced: Samsung have joined the monthly update cycle Google is pushing. I see no reason to believe the Nexus team would be doing things any faster.

Re:

[lexman098]

Those 3rd parties should be required to provide working drivers for the hardware in their phone, in source form, and whoever maintains the OS (Google I suppose, or maybe some industry co-operation) should take it from there.

Are you advocating that Google make their OS inherently compatible with all manufacturers that give them the source to their drivers or that the manufacturer should make the source to their drivers public? Neither of those are ever going to happen.

The situation is a quagmire of Google not having control of the hardware while most manufacturers don't care to update the software. Apple of course gets around this by controlling both, but that's not exactly desirable either from my standpoint. The same probl

And in other news...

[arglebargle_xiv]

... other Android phone vendors have also responded to these vulnerabilities by informing their customers to keep buying new phones every few months and checking whether they contain updated firmware that may fix some of the problems.

(Dedicated Android user here, but damn, sometimes I envy the iOS blue pill).

As if Samsung will give a shit.

[cyber-vandal]

They're hopeless at providing updates.

Re:

[Anonymous Coward]

Samsung have no control over telco update deployment. And if you bothered to read, you'd have seen many were fixed long before these "hackers" found them, which means the "hackers" merely looked at the fixes to create an exploit.

Re: As if Samsung will give a shit.

[cyber-vandal]

I was a Samsung customer. I have first hand experience of their uselessness. The telco here in the UK wasn't the issue. Samsung just had no interest in providing any updates.

Re: As if Samsung will give a shit.

[cyber-vandal]

Because my phone was carrier free.

Re: As if Samsung will give a shit.

[cyber-vandal]

It was a Note 2 and I didn't say it didn't get any updates I said it didn't get enough updates. One 4.4.2 update in 2 years and possibly one other while numerous security vulnerabilities went unpatched before and after that update is shocking. Stop getting hysterical just because I'm telling you my actual experience. I own a Nexus 6 now which gets updated regularly because Google aren't as incompetent as Samsung.

Re: As if Samsung will give a shit.

[cyber-vandal]

Not in the UK it isn't.

Re: As if Samsung will give a shit.

[cyber-vandal]

Or Samsung could've decided that themselves. I don't know why you're so desperate to defend them. Their uselessness at providing updates isn't something I just made up.

This.

[tlambert]

Samsung have no control over telco update deployment. And if you bothered to read, you'd have seen many were fixed long before these "hackers" found them, which means the "hackers" merely looked at the fixes to create an exploit.

This.

The bug hunting, and the 90 day public disclosure window for the bugs ... this is "version shaming", in order to try to get the partners to update their firmware, and to get the telcos to deploy the updates.

It generally costs a partner the same to do a new version of Android as it did to do the original version of Android. This is because most of the code changes needed to port the software to a device in the first place, and most of the partner productization changes, are not upstreamed back into the Android main line tree. They weren't put there in the first place, since Google and the partners have non-disclosure agreements in place so that Samsung doesn't get to know what another Android phone maker is about to release, and they don't know what Samsung is about to release.

This makes the process very messy, and it makes updating the version actually running on the phone very very messy, and if a kernel change is necessary because the user space uses new or altered user/kernel interfaces, it makes things even more difficult, since it means kernel changes which have to be upstreamed as well, and that usually means making them available to, but not "cleaning up to the point of acceptability to upstream Linux" for those.

The telco business model has been to get you locked into a 2 year contract at initial signup, and then cause you to re-up the contract every 18 months by offering a new phone with the new OS to get the new features, and to be compatible with the new "store" offerings in apps, in order to *keep* you perpetually locked into the two year window.

The partner model has been to create low margin OEM phones, with the understanding that they will make up for the low margin on volume, by having a rolling inventory of the new model going into those 18 month renewal window pipeline themselves.

In both cases, these are not "buy once, use forever" devices. Neither are iPhones (try to find a 2G service area on either coast for AT&T to use the first generation iPhone; AT&T is actively ripping out 2G capacity, since that's the only way to force someone off a grandfathered unlimited data contract).

Practically speaking, it's in no one's interest, but Google, since they've been eating the bad press on the update situation whenever there's a bug found, and a security flaw is generally the most convenient can opener. Effectively they are using this as judo, to try and version shame both the partners and the telcos: the partners into the development effort for an update, and the telco for the deployment of those updates.

In other words, they are trying to mimic the Apple model, without the hardware or iOS source base homogeneity that allows it to work.

It will be quite interesting to see how long this goes on before something cracks. My personal prediction on what will crack is that the telcos will start offering updated phones earlier, with a prorated valuation on the old phones, and roll the costs into the hardware costs in the first place, and thus into the monthly billing cost.

Re:

[Anonymous Coward]

Meanwhile, the unbranded telco-free Australian firmware for the Galaxy S4 is behind the rest of the world - as far as I'm aware, every country except Australia and Colombia are on Lollipop (carriers included), but we're stuck on KitKat. The carriers certainly aren't the cause of that.

Re:

[KGIII]

Well, duh, you just have to take your phone to Europe. ;-) It might be cheaper than an iPhone.

Actually, my daughter's an iHead. She's got an iPhone. I've not played with the latest one, that she has, but the last one was kind of spiffy. She's also insane. The minute a new model drops, she buys it. She then sells her old one. I'm not certain but I do believe she goes for the one with the most memory and, as said, they seem to be, legitimately, good.

Re: This.

[cyber-vandal]

Yeah it's all the carriers' fault. Samsung are perfect in every way. Except they aren't. I'm never buying a Samsung again because they're poor quality, filled with bloatware and security bugs go unfixed. I had a carrier-free Note 2 and yet the 4.4 update took an eternity to come out. Meanwhile they didn't bother to fix any of the security bugs in their 4.2 firmware or any of the others in the 4.4 after it was finally released. No danger of getting Lollipop for it either. I've now got a Nexus 6 that is updat

Re:

[tlambert]

Yeah it's all the carriers' fault. Samsung are perfect in every way. Except they aren't. I'm never buying a Samsung again because they're poor quality, filled with bloatware and security bugs go unfixed.

I'm confused.

Did you simply fail to understand the part where I stated that the partner model was to ship many units at low margin, rather than a smaller number of units at higher margin? The Android partners, including Samsung, are also to blame.

Even if this is largely driven by their customers being the telcos, rather than the end users, it's Samsung's choice as to which market they want to participate in (the end users do not directly pay for the phones, except in an amortized way, and they will pay tha

Re:As if Samsung will give a shit.

[drinkypoo]

Samsung have no control over telco update deployment.

Telco update deployment is a red herring. I can just wander over the Nexus download page and grab a new system image for any Nexus device, and I don't need my carrier's permission. What prevents Samsung from doing the same? Perhaps they made deals with carriers not to provide you the updates directly? In which case, how is that anyone's fault but their own, and why would you want to make excuses for that customer-fucking behavior?

Re:

[PincushionMan]

What prevents Samsung from doing the same? Perhaps they made deals with carriers not to provide you the updates directly? In which case, how is that anyone's fault but their own, and why would you want to make excuses for that customer-fucking behavior?

In a word: TouchWiz.
TouchWiz is the ROM atop the Android ROM on Samsung phones. It provides a customized UI, custom lock screens, customized dialer, contacts, alarms, settings, etc... That's why they require Dual core or better and loads of RAM. It must take a cubic butt-ton of effort to get that crud to run over the top of Android.

Personal experience: I had a dual core S3 (US variant), and IMHO, it was awful. It stuttered when unlocking, frequently dropped calls, apps wouldn't install or run. Phon

Re:

[myowntrueself]

<quote>
<quote><p>What prevents Samsung from doing the same? Perhaps they made deals with carriers not to provide you the updates directly? In which case, how is that anyone's fault but their own, and why would you want to make excuses for that customer-fucking behavior?</p></quote>

<p>In a word: <b>TouchWiz</b>.
TouchWiz is the ROM atop the Android ROM on Samsung phones. It provides a customized UI, custom lock screens, customized dialer, contact

Re:

[IamTheRealMike]

Traditionally phones have been subsidised by the carrier. What this means is that from the users perspective, they got the phone from the carrier. The carrier has the tech support infrastructure and the customer relationship, even if it says Samsung or Sony or whatever on the box. That means if something goes wrong .... the customer calls the telco. Not Samsung.

As a results of this, the OEM's customer is actually the carriers, not the end users. And carriers learned the hard way in the 1990's and for much o

Re:

[iampiti]

What prevents Samsung from doing the same?

Nothing except their own desire to sell you their newer phones. The telcos have very little to do with it since they still stop releasing updates for the unbranded version of their phones after a year or two after release.
I guess they just don't see it as a money-generating move.

Re:

[Karlt1]

Telco update deployment is a red herring. I can just wander over the Nexus download page and grab a new system image for any Nexus device, and I don't need my carrier's permission. What prevents Samsung from doing the same? Perhaps they made deals with carriers not to provide you the updates directly? In which case, how is that anyone's fault but their own, and why would you want to make excuses for that customer-fucking behavior?

Wow, grab a new system image that erases your phone and all of its contents an

Re:

[Goaway]

Samsung have no control over telco update deployment.

Bullshit. They can make sure the telcos are contractually obligated to publish timely updates.

They don't, because they don't give a shit.

Re:

[acoustix]

Bullshit. They can make sure the telcos are contractually obligated to publish timely updates.

They don't, because they don't give a shit.

I wish that were true, but what leverage do the handset makers have against the telcos? Apple was the only one so far to beat the telcos and get direct access to update their devices. But what can Samsung, HTC, LG, and others do about it? Their market share is smaller and they cannot throw their weight around to force the telcos.

I hate the idea of additional government regulations, but maybe the FCC needs to mandate that the carriers don't have any control over the software updates. My landline provider

Re:

[drinkypoo]

Apple was the only one so far to beat the telcos and get direct access to update their devices.

That's not true. You can get factory system images for Nexus devices [google.com] directly from Google. In my experience the OTAs for carrier-agnostic devices may precede their presence there, but only briefly. Granted, there are other problems with Nexus devices, and I went Moto with my last phone instead...

Re:

[fustakrakich]

They don't, because they don't give a shit.

They don't have to. The customers don't give a shit either. They just keep on buying anyway.

RTFA

[WSOGMM]

What I wanna know is, which team won the competition?

"as a system"?

[wonkey_monkey]

allows a file to be written as a system

Whut?

Re:

[SpectreBlofeld]

I *assume* that means that it allowed files to be written to the normally read-only system partition.

Re:

[wonkey_monkey]

You'd think so, but no. It...

...allows an attacker to write a controlled file to an arbitrary path as the system user.

Android

[sociocapitalist]

Other than buying Nexus devices, the best way to 'secure' an Android phone appears to be to keep nothing of value on it.

I'm considering returning a Marshall phone I just bought because (a) it's still vulnerable to Stagefreight even though it's a phone that was brought to market within the last thirty days and (b) I have zero confidence that updates will ever make this a reasonably secure phone.

A shame really as I like the phone and the sound quality is better than any other phone.

Samsung to hackers: Thanks. You're all under arre

[mnemotronic]

Under the TPP, Google's contest would be criminal activity. [networkworld.com]