Iconoclast
Newbie
I just read this article:
Researcher says flaw in Android creates phone risk
Anyone know how we patch this?
Researcher says flaw in Android creates phone risk
Anyone know how we patch this?
-
After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.
Help Vulnerability in Android can be exploited to kill the SIM card
- Thread starter Iconoclast
- Start date
-
- Tags
- motorola droid razr
It's probably not apple behind it (possibly with the timing though). Here is what happens. There are alot of security groups out there. They get free publicity by finding these security "problems". Then the media publicizes them, because it allows them to use all sorts if alarmist talk. Even though the security holes are almost invariably minor and difficult to practically exploit.
Case in point, this is stupid, and as is whoever wrote the article. Android doesn't use the SIM for any meaningful storage.
The only real consequence to destroying the sim is you can't connect to the network until you pick up a new one. I honestly don't have the slightest clue why anybody would want to use this exploit.
Case in point, this is stupid, and as is whoever wrote the article. Android doesn't use the SIM for any meaningful storage.
The only real consequence to destroying the sim is you can't connect to the network until you pick up a new one. I honestly don't have the slightest clue why anybody would want to use this exploit.
mahers
Android Expert
^^^ Exactly. The media tells us pictures, contacts, and music can be erased, but all of that is on the phone's internal storage or your SD card, NOT the SIM card. Morons. You'd think they would look into it just a teensy bit to validate.
If it makes you feel better, Lookout just released an update that catches these links if you're dumb enough to click on suspicious links. You control what you click, so just don't click!
If it makes you feel better, Lookout just released an update that catches these links if you're dumb enough to click on suspicious links. You control what you click, so just don't click!
Adauth
Android Expert
What he said.
Iconoclast
Newbie
Whether a patch exists & needs to be manually installed is still unclear to me. Avoiding clicking on
It's not in any way dangerous. The worst possible outcome for the user is the phone wouldn't connect to the network until the Sim was replaced. Moreover, nobody would want to do that. There is no possible gain for the attacker, and doesn't really lead to any serious harm to anybody.
Isn't that only Samsung phones? Besides, it's not something hackers would Getty any gain from and it's a very ineffective delivery system. This is just not a vulnerability anybody would want to exploit.
Thunder22
Member
Hackers and virus creators don't "gain" from every hack, exploit and virus they create. Seriously? no one?
Hackers and virus creators don't "gain" from every hack, exploit and virus they create. Seriously? no one?
Yes. Seriously. Nobody would want to exploit this hack.
There are especially two types of nefarious hacker. Those that use hacking as a means to an end (usually financial gain, but they could have a personal, religious or political ax to grind) and those who hack for the sake of hacking (for the challenge, or to wreck random havoc). Their really isn't anything for the first type to achieve with this.
As for the second type, what is the point of using a widely published exploit, that would erase data that is almost entirely backed up from the small handful of phones that would actually click on any widely disseminated website?
So again, nobody would want to use this exploit.
Thunder22
Member
LOL! ok, my bad, I didn't know you spoke for ALL hackers and virus creators. I'll know better for next time lol.
You're more likely to have some random person grab your phone and smash it on the sidewalk then run into this exploit. They're really the same basic crime, only one requires specialized knowledge, far me preparation, leaves much more evidence, Carries much higher penalties, and doesn't cause any actual damage.
Besides, using this same delivery method (code embedded in a Web page) you could implement countless other schemes that will generate money and/or create more mayhem, targeting far more people on far more devices (if you want, in far more interesting/creative ways).
Besides, using this same delivery method (code embedded in a Web page) you could implement countless other schemes that will generate money and/or create more mayhem, targeting far more people on far more devices (if you want, in far more interesting/creative ways).
Iconoclast
Newbie
I
If you are really interested if protecting your devices, then you should be interested in the objectives of possible attackers. If you don't understand the threat, you can't protect yourself from. This exploit requires scion on your part to implement (clicking on a unknown link). You are far more likely to face myriad phishing schemes and malware than this particular attack. That is the real risk. This is not a real risk.
If you're walking in a bad neighborhood do you say "i should watch that a gang member doesn't erase the music on my iPod." No, you say "i should be careful that nobody tries to rob me." Because while the iPod thing is possible, they don't have any reason to do that. They do have good reasons to try and steal your stuff.
EDIT: apparently a couple apps face been developed to address this exploit. http://m.lifehacker.com/5946919/check-if-your-android-device-is-vulnerable-to-the-remote-wipe-hack
If you're walking in a bad neighborhood do you say "i should watch that a gang member doesn't erase the music on my iPod." No, you say "i should be careful that nobody tries to rob me." Because while the iPod thing is possible, they don't have any reason to do that. They do have good reasons to try and steal your stuff.
EDIT: apparently a couple apps face been developed to address this exploit. http://m.lifehacker.com/5946919/check-if-your-android-device-is-vulnerable-to-the-remote-wipe-hack
Correction, this is entirely a theoretical risk in the first place, so we didn't go all theoretical, we started out there. And the link i put up in my most recent post discusses two apps that address this "issue".
I disagree. If an exploit has been tested and was successful (which I believe the researcher did test on multiple devices), then it's no longer theoretical. Risk is just "potential" for loss or undesirable outcome. If one can show the possibility of destroying sim cards or factory resetting phones through USSD codes, then there is actual risk. It doesn't have be live in wild, for risk (vulnerability) to exist.
Fair enough. I missed your link. I was more poking fun at the fact that this thread went on for 12 posts when all the OP asked was if anyone knows how to patch this. Seems to me like a simple yes or no question.
Yes. I know how.
See the op here to and click the link it has to test your vulnerability.
http://androidforums.com/lounge/624915-your-phone-safe-malicious-tel-url.html
If you are vulnerable, scroll down to my post to see the link that explains what really happened and how to protect yourself.
You cats might want to check out our Lounge and Android Lounge for this stuff from time to time. Power in numbers.
So it seems like the simple fix is to install another dialer and then never mark it as the default dialer. Every time a tel: url is hit it will ask which dialer to use (of course this has the negative that tel: url will require manual completion; but I would think in general this would be a good thing....