It's been a month since the full disclosure of the Stagefright Android vulnerability, and the drama around the announcement is starting to make way for the hard work of actually dealing with its fallout. The immediate implications of the vulnerability itself are enormous in their own right, but it might be the broader ramifications of Stagefright patching logistics that really stick around for a while.
The difficulties that Google and handset manufacturers face in pushing out updates to the more than 900 million phones impacted by the flaw are a microcosm of a larger problem. The real issue here is that the very interconnectedness that lends mobile and Internet of Things (IoT) ecosystems their power also leads to a vulnerability management prisoner's dilemma.
Stagefright shows how difficult it is to get all parties on board for rolling out patches amid a complicated tangle of vendor and carrier interests. Connected devices depend on a fractured hodgepodge of operating systems, firmware, hardware and add-on apps, with connectivity delivered by a fragmented telecom market. This means that when a vulnerability like this one presents itself, it requires a cascading chain of cooperation to get even a single patch loaded onto user devices. And at each level — platform vendor, handset manufacturer, etc. — interested parties don't put a lot of effort into security updates because there's not enough economic incentive to do so.
In "What You Need to Know About Stagefright," a recent SANS webcast, Joshua Wright explains that this model for security updates is Android's Achilles' heel.
"I love the Android as a platform, but this patching model has got to go," says Wright, a senior instructor for SANS and senior security analyst for Counter Hack. "Fundamentally, the carriers, the handset vendors and Google are not coordinating sufficiently to be able to get these mandatory security fixes into the hands [of] end users. And ultimately you pay the price for that."
A Deeper Issue
As Wright explains, Stagefright is so thorny because it isn't a problem confined to one application. It is a system-level vulnerability that affects devices all the way back to Android 2.2. It was initially reported as an MMS-related vulnerability because the proof of concept offered up by Joshua Drake and the Zimperium team at Black Hat showed how a maliciously crafted MMS message could take advantage of video autoplay features in MMS to execute code without any user intervention. But as Wright points out, Stagefright's impact runs deep into the Android code base.
"Dispel the notion that this is an MMS-related vulnerability. It's not," he says. "It's a core library vulnerability that can be exploited any time you open an MP4 file that's malicious regardless of how that MP4 file got to you."
So, even though early mitigation recommendations to turn off auto-retrieval of video files in MMS may be valid, they're not even close to foolproof.
"It doesn't help if the exploit vector comes through a web browser, and I'm a little skeptical if this is really going to stop end users from clicking on an MMS, particularly if there are kittens on the cover thumbnail of that incoming movie," Wright says. "The kitten thing puts people over the edge."
Solutions in the Works ... For Some
A more lasting mitigation is in the works, as Google and a number of handset manufacturers have either developed a patch or plan to do so. In fact, Wright believes this vulnerability is "the best thing that has ever happened to Android users," pointing to the way Google and several handset manufacturers have committed to regular security updates in the wake of this vulnerability.
"The big issue is if and when will more people get these patches — and who's going to get a patch and who isn't," Wright says. "Many millions of Android users will be vulnerable for many years to come."
This is because even though patches are forthcoming, the distribution of these updates is usually limited to just a small slice of the most recent Android device releases. For example, Wright points out that devices built with the Android Jelly Bean release will have absolutely zero access to a Stagefright patch.
"No patches. No support. Nada. Go buy a new phone. That's your only recourse here," he says, explaining that this build alone accounts for 286 million Android devices. That kind of legacy desertion comes down to economics, he says.
"Right now those device manufacturers and carriers are thinking maybe we don't have to patch and they'll buy new phones," he says. "Personally, I find that unacceptable, and I think everybody with these devices should be contacting their carriers saying we expect this level of support for being a customer."
Some of this pressure may well already be seeping into the Android ecosystem as a result of the Stagefright fallout, but there's still a lot of work ahead.