Do More Than ‘Break a Leg’ to Overcome This Stagefright – The Stagefright Hack
Are you one of the roughly 76 million Android users in the United States? If so, this article is for you.
Recently, security researcher Joshua Drake discovered new hacking software that “allows attackers to send a special multimedia message to an Android [device] and access sensitive content even if the message is unopened.” The hacking software is known as the Stagefright Hack.
A short video is sent to a device and automatically begins downloading the information – prior to the user actually opening the message. Once the video begins downloading, voilà – the hackers are inside your phone or tablet.
The software gives hackers access to photos, videos, the camera and microphone. It can infiltrate both phones and tablets. The discovery pushed Google Inc. and Samsung Electronics Co to release monthly security fixes for Android phones.
Previously, phone manufacturers would wait until a software update to push out a fix. This resulted in exposing more than 1 billion Android users to potential hacks and scams until the fix was released.
In a Reuters article, Android security chief Adrian Ludwig said that “improvements to recent versions of Android would limit an attack’s effectiveness in more than nine out of 10 phones.” Drake, however, stated that an attacker could keep trying until the security walls were cracked. According to the article, “Drake said he would release code for the attack by August 24, putting pressure on the manufacturers to get their patches out before then.”
According to Ludwig, “many Android security scares were overblown…only about one in 200 Android phones Google can peer into have any potentially harmful applications installed at any point.” Countering that, Drake noted that the statistic excludes some products – including Fire products from Amazon – which use Android. Further backing up Drake, a 2013 Cisco study found that 99 percent of all mobile malware targeted Android devices. Android users have the highest malware encounter rate (71 percent) with all forms of web-delivered malware.
Fortunately for me, I’m an Apple user, therefore not subject to this specific software risk. Others are not so lucky. I decided to conduct some informal, personal research and asked close friends and family (who have Androids) if they were aware of the Stagefright Hack. Every person I asked had the same response: “What?”
Should providers be responsible for notifying customers of risks, or would that create an ‘unnecessary’ crisis? Given the number of breaches and hacks that occur daily, how do you define and manage stakeholder and customer notification?
To gain more understanding on the subject, I reached out to Firestorm Business Crisis-Risk™ leader, Jack Healey, for his take on the subject. According to Jack, awareness is preparedness.
“We can’t lose sight of the fact that all hacking and cyber-crime is fraud. The best way to fight fraud and crime in general is through awareness. This is the same thing as if a robber were testing doors in your neighborhood to see which ones were unlocked. Would you tell your neighbors so they could lock their doors? Of course you would! It is the same thing here. For Android users, you lock the door by turning off the ‘auto retrieve’ in the MMS multimedia settings. That will lock the door until a fix is found. It is incumbent upon all of us, manufacturers and service suppliers, fraud professionals and friends, to educate and spread the word when we hear of something like this happening. Of course it’s unsettling, but knowledge is power and with my apologies to Thomas Gray, in the case of Stagefright ‘ignorance is NOT bliss.’”
The only way to prepare for a disaster is by planning. In order to plan, you must understand the threats and vulnerabilities your company faces. The worst threat you face is denial.
Tomorrow is never certain, but risks and threats are 100 percent certain. It is not about IF a crisis will hit your company, but WHEN.
Disabling Auto Retrieve MMS will partially mitigate this vulnerability ahead of the official patch release. All MMS media files will require a click in order to be viewed, but disabling this feature will prevent an attack from automatically executing on your phone. Turning off this feature does not fix the exploit entirely. So long as the bug exists, your Android device remains vulnerable and can be hacked if a malformed media file is downloaded by clicking on it. This vulnerability will not be completely fixed until a patch is released for your device, but this intermediate step can help mitigate the threat in the meantime.
To learn more about the exploit, check out:
- The ‘Stagefright’ exploit: What you need to know (Android Central)
- Stagefright: It Only Takes One Text To Hack 950 Million Android Phones (Forbes)
- ‘Stagefright’ Android bug is the ‘worst ever discovered’ (Wired)