A few days ago, I came across an interesting report on how, at the Black Hat conference, two security researchers from iSEC Partners were able to remotely unlock a Subaru Outback SUV using an Android-based phone. Normally this would be seen as just an interesting exploit, but it also showcased what an Android-based app can be made to do. For a second, imagine that you were the owner of this vehicle and you had another, malicious app on your phone quietly trying to gain access to the car's unlocking mechanism and passing that information on to professional carjackers.
As Android spreads from mobile phones and tablets to general-purpose devices, security threats are expected to grow at the same rate. Let me take a few of the most interesting attacks launched in recent times as examples to describe the narrative.
DroidDream aka Android.Rootcager – This app was a leader in its class in terms of its approach: not only did it add devices to a botnet and install other unwanted software on the system, it also stole data from other apps and breached the Android security sandbox. At its peak this malware infected as many as 60 legitimate applications in the marketplace and was responsible for thousands of user infections in Q1 of 2011.
Now extend this situation to a general-purpose, non-mobile, non-tablet device running Android. A good example might be the Android-based handheld devices used for census work in many parts of India. Such a device, if infected with malware like DroidDream, could result in a large-scale invasion of privacy and the theft of a trove of personally identifiable data.
Class loading hijacking – This is a serious class of vulnerability recently discovered by security researchers. Android provides APIs that allow an application to dynamically load code and execute it. To make use of this capability, many applications download plugins that are loaded and executed later. If such plugins are stored in an unsafe location, they can be tampered with or replaced with new code.
As Android can copy such plugins from removable media such as SD cards, this opens a security hole that is easily exploited if application developers are not careful with their programming. This can be an all-permeating threat. For non-mobile Android devices it could result in changes to the configuration of the underlying software, which is potentially dangerous for special-purpose devices such as set-top boxes.
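The defensive answer to plugin tampering is to pin a digest of every plugin the app is willing to load and to verify the bytes before they reach the interpreter, with the manifest of trusted digests kept inside the app's own signed package rather than next to the plugins on the card. The following Python example is added here to show that check; it is not code from the original post and it stands in for Android's Java class loader (DexClassLoader) with a generic file-based plugin loader. The plugin sources, the manifest and the scratch "removable" directory are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import types

# Constructed plugin sources for the demonstration (not real Android plugins).
GENUINE_SOURCE = b"def run():\n    return 'plugin ok'\n"
TAMPERED_SOURCE = b"def run():\n    return 'replaced on the SD card'\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The manifest of trusted plugin digests must live inside the application's own
# signed package or private storage, never beside the plugins on removable media;
# otherwise whoever can swap the plugin can swap the manifest too.
TRUSTED_MANIFEST = {"report_plugin.py": sha256_hex(GENUINE_SOURCE)}


class PluginIntegrityError(Exception):
    """Raised when a plugin is unlisted or its contents do not match the manifest."""


def load_verified_plugin(plugin_dir: str, name: str, manifest: dict) -> types.ModuleType:
    """Load plugin `name` from `plugin_dir` only after its bytes match the pinned digest.

    The bytes that were hashed are the bytes that get executed: compiling the
    in-memory copy avoids a second read of the file, which on writable media could
    otherwise be swapped between the check and the load (a TOCTOU race).
    """
    if name not in manifest:
        raise PluginIntegrityError(f"{name} is not listed in the trusted manifest")
    path = os.path.join(plugin_dir, name)
    with open(path, "rb") as f:
        data = f.read()
    actual = sha256_hex(data)
    if actual != manifest[name]:
        raise PluginIntegrityError(f"{name}: digest {actual} does not match the manifest")
    module = types.ModuleType(name[:-3])
    exec(compile(data, path, "exec"), module.__dict__)
    return module


def _attempt(plugin_dir: str, name: str) -> str:
    """Return the plugin's result, or 'rejected' if the loader refused it."""
    try:
        return load_verified_plugin(plugin_dir, name, TRUSTED_MANIFEST).run()
    except PluginIntegrityError:
        return "rejected"


def demo() -> dict:
    """Simulate a plugin directory on removable storage under three conditions."""
    results = {}
    with tempfile.TemporaryDirectory() as plugin_dir:
        target = os.path.join(plugin_dir, "report_plugin.py")
        with open(target, "wb") as f:
            f.write(GENUINE_SOURCE)
        results["genuine"] = _attempt(plugin_dir, "report_plugin.py")

        # Someone with write access to the card replaces the plugin in place.
        with open(target, "wb") as f:
            f.write(TAMPERED_SOURCE)
        results["tampered"] = _attempt(plugin_dir, "report_plugin.py")

        # An extra file dropped into the directory is never loaded: it is unlisted.
        with open(os.path.join(plugin_dir, "extra.py"), "wb") as f:
            f.write(TAMPERED_SOURCE)
        results["unlisted"] = _attempt(plugin_dir, "extra.py")
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints `{'genuine': 'plugin ok', 'tampered': 'rejected', 'unlisted': 'rejected'}`. A digest pinned in the app's package is the simplest form of the check; a signature over the plugin verified against a public key embedded in the app allows plugins to be updated without shipping a new manifest, but the rule is the same: nothing read from writable or removable storage is executed until its integrity has been established.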
Authentication protocol security hole – Google provides a ClientLogin protocol for Android-based devices that its services use to authenticate themselves over the internet. Once a device is authenticated it receives a token valid for 14 days, during which it does not need to re-authenticate. The vulnerability was that this token was sent in clear text over the air. On an unencrypted Wi-Fi network the token could easily be stolen and potentially used to log in from another device. This bug was present in all Android versions below 2.3.3 when it was discovered.
Although Google fixed the problem and released a patch, the challenge was getting that patch onto all devices. For some devices this was possible, but many were left stranded because their manufacturers did not commit to releasing patches for older devices. In the non-mobile world this situation could turn really ugly, as most such devices are designed for a no-update scenario. Familiarity with an OS from mobile devices also makes it easier to exploit on non-traditional devices.
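Two things a defender can do about a token that travels in clear text: spot it in a capture of the device's own traffic, and make the client refuse to attach the token to anything but an https endpoint. The Python example below is added here and is not code from the original post. It uses the real ClientLogin header form, `Authorization: GoogleLogin auth=<token>`; the captured request heads, hosts, paths and token values are constructed samples, not real traffic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of captured request heads (not real traffic). Each entry pairs
# the transport observed on the wire with the raw HTTP request head.
CAPTURED_REQUESTS: List[Tuple[str, str]] = [
    ("http",
     "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=EXAMPLE_TOKEN_ONE\r\n\r\n"),
    ("https",
     "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=EXAMPLE_TOKEN_TWO\r\n\r\n"),
    ("http",
     "GET /index.html HTTP/1.1\r\n"
     "Host: example.com\r\n\r\n"),
]

# ClientLogin carries the token as "Authorization: GoogleLogin auth=<token>".
CLIENTLOGIN_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)


def parse_request_head(raw: str) -> dict:
    """Split a raw request head into method, target and a lower-cased header map."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # the blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def redact(token: str) -> str:
    """Keep only a short prefix so a finding can be logged without re-exposing the token."""
    return f"{token[:4]}...({len(token)} chars)"


def find_exposed_tokens(captured: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per ClientLogin token that crossed the wire without TLS."""
    findings = []
    for transport, raw in captured:
        req = parse_request_head(raw)
        auth = req["headers"].get("authorization")
        if not auth:
            continue
        match = CLIENTLOGIN_RE.match(auth)
        if match and transport.lower() == "http":
            findings.append({
                "host": req["headers"].get("host", "?"),
                "target": req["target"],
                "token": redact(match.group(1)),
            })
    return findings


def is_token_safe_to_send(url: str) -> bool:
    """Client-side rule: a long-lived auth token only ever travels over https."""
    return url.lower().startswith("https://")


def attach_token(url: str, token: str) -> Dict[str, str]:
    """Build the request headers, refusing plaintext endpoints outright."""
    if not is_token_safe_to_send(url):
        raise ValueError(f"refusing to send auth token over plaintext HTTP to {url}")
    return {"Authorization": f"GoogleLogin auth={token}"}


if __name__ == "__main__":
    for finding in find_exposed_tokens(CAPTURED_REQUESTS):
        print("token sent in clear:", finding)
```

On the constructed sample only the first request is flagged: the second carries the same kind of token but over TLS, and the third carries no token at all. The client-side rule is the part that actually closes the hole on the device; the capture check is what lets an operator of a fleet of non-updatable devices confirm whether the firmware they were shipped still leaks the token.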