Red Hat and security company Perception Point recently revealed a Linux flaw they say could affect servers, PCs and up to 66 percent of Android phones on the market. The vulnerability directly affects the OS’s kernel, and could give attackers a way to gain code execution and take over a device, according to Perception Point. Google, however, fired back strongly at the claim, particularly because it wasn’t given the usual window to address the flaw before it was publicly released. “Since this issue was released without prior notice to the Android Security Team, we are now investigating the claims … [however,] we believe that the number of Android devices affected is significantly smaller than initially reported.”
Andrew Orlowski, The Register, 2/1/16
Android Pay now refuses to play ball on a rooted handset
Google’s crackdown on rooted Android devices continues. Citing security reasons, Google doesn’t want rooted ‘Droid phones to use mobile payments via the Android Pay infrastructure.
This is a standard not required by Pay’s predecessor, the now-deprecated Google Wallet.
In turn, this has led to a cat-and-mouse game with Android’s substantial global enthusiast community. Now a door that modders opened slightly a few months ago has been slammed shut.
A developer last year found a way of rooting Android without disturbing the /system partition (aka “systemless root”).
A Google engineer acknowledged last year that if it had to scan and verify every file on the partition, the phone would be “bogged down for tens of minutes”.
Respite was temporary. Systemless rooting will now fail to fulfil an Android Pay transaction. Pay now introduces an additional check, performed by Android’s SafetyNet framework.
This post at XDA Developers explains that several further tweaks are required to work around the latest security check.
One Android enthusiast’s suggested workaround sounds eminently sensible to us.®
In: Android, Mobile Technology
Stephen Lawson, ComputerWorld, 2/1/16
Forget about it hurting Wi-Fi and think about using it in business
Controversial technology that lets LTE networks use unlicensed spectrum could become a trusted part of the enterprise IT toolkit in a few years.
So-called unlicensed LTE has come under fire ever since the news about it first broke more than a year ago. The charge: If mobile operators adapt their LTE networks to use frequencies that Wi-Fi depends on, Wi-Fi users will get squeezed out.
The two sides are now working together on standard tests to tell if a given unlicensed LTE radio unfairly interferes with Wi-Fi. Meanwhile, Qualcomm, the biggest cheerleader for the new technology, just got permission to try it out at Verizon Wireless facilities in Oklahoma City and Raleigh, North Carolina, the Federal Communications Commission said Friday. The industry group Wi-Fi Forward promptly declared the FCC should closely monitor the experiments.
But the real future of unlicensed LTE lies in a frequency band that Wi-Fi doesn’t even use, according to Dan Rabinovitsj, chief operating officer of Wi-Fi vendor Ruckus Wireless.
The U.S. and other countries are moving to open up frequencies around 3.5GHz for unlicensed or “lightly licensed” use. Current carriers, new kinds of service providers and even enterprises will roll out LTE using that spectrum, Rabinovitsj said in an interview Friday. There, interference with Wi-Fi won’t even be an issue. (For the record, he thinks the problem is getting fixed, anyway.)
The form of unlicensed LTE that’s been under fire is designed only to augment mobile operators’ regular, licensed LTE networks. New versions will be able to operate purely in unlicensed spectrum so businesses and startup carriers can use it, too.
“It’s the Wi-Fi-ification of LTE,” Rabinovitsj said.
Aside from its alleged incompatibility with Wi-Fi, LTE is a refined and readily available radio technology that uses spectrum more efficiently than Wi-Fi.
It has specific advantages for enterprises, Rabinovitsj said. One is that LTE is better suited than Wi-Fi to carrying voice calls. That’s part of what the technology was developed for in the first place, as carriers looked toward a future without the circuit-switched 3G networks that have handled voice calling as LTE has been rolled out and used for data. Voice over LTE, designed for higher sound quality than 3G, is now being gradually deployed on carriers’ networks.
LTE could also help companies get all their guests onto the local network instead of making them rely on mobile operator networks that may be too weak indoors, Rabinovitsj said. Today, some visitors will use a guest Wi-Fi network, but not everyone joins in. It can be easier to bring them all onto an LTE network, he said. This would be a particular plus in hotels, where Ruckus sells a lot of Wi-Fi networks today.
Before any enterprise can take advantage of the 3.5GHz band, of course, smartphones and other mobile devices will have to have radios that can use those frequencies. That will take a few years at least.
But for Ruckus, which today is a major supplier of unlicensed carrier equipment in the form of Wi-Fi, this new form of LTE in the newly opened band could be a big win. If the future of 3.5GHz is as bright as Ruckus believes, look for others to jump in, too.
In: Mobile Technology · Tagged with: 3G, FCC, LTE, LTE-U, WiFi
John Leyden, The Register, 2/1/16
Crooks want you to pay up on pain of severe embarrassment – and more
Miscreants have put together an especially pernicious strain of Android ransomware that threatens to bare your browsing history.
The so-called Lockdroid ransomware brandishes overlaid popups in order to trick marks into allowing the malicious code to gain admin privileges on targeted devices.
The clickjacking ruse works on devices running versions of Android prior to 5.0 (Lollipop), leaving an estimated two in three Android smartphone users at risk.
Once installed, the malware encrypts files before demanding a ransom. It posts up a fake message supposedly from the US Department of Justice saying that the mobile device has been locked after visiting sites containing unsavoury content but it can be unlocked after paying a “fine”, which in reality is an extortionate bribe.
There’s more than just the locked-up data at stake for any victims. Lockdroid snaffles a user’s browsing history and contacts list, before threatening to expose a victim’s potentially embarrassing browsing history by forwarding it to their contacts.
Lockdroid poses as a smut surfing app called Porn O’ Mania. The malicious app is not found on Google Play and may be downloaded from third-party app stores, forums, or torrent sites, according to Symantec.
Thanks to the admin rights privileges it seeks to gain, Lockdroid is also capable of locking the device, changing the device PIN, and deleting user data through a factory reset.
This extended spectrum of aggressive extortion tactics has been put into play by crooks as part of attempts to strong-arm victims into paying up.
A full writeup of the threat – including screenshots – can be found in a blog post by Symantec here. ®
In: Android · Tagged with: Malware
Lucian Constantin, ComputerWorld, 1/28/16
The app overlays system dialogs on top of the device administrator confirmation window and hijacks users’ clicks
File-encrypting ransomware applications that target Android devices are becoming increasingly sophisticated. One new such program is using clickjacking techniques to trick users into granting it administrator privileges.
Clickjacking is a method that involves manipulating the user interface in a way that allows attackers to hijack users’ clicks and trigger unauthorized actions. It is mostly used in Web-based attacks, where various technologies allow creating invisible buttons and positioning them on top of seemingly harmless page elements.
Due to the restrictive application permissions system in Android, ransomware apps targeting the OS have historically been less effective than on Windows. For example, many of the early Android ransomware threats only displayed a persistent window on the screen with an alert intended to scare users into paying fictitious fines. Most of them impersonated law enforcement agencies and claimed that the devices were locked because illegal content was found on them.
Over time more aggressive variants appeared that also encrypted files on the storage partition and were much harder to uninstall. However, to work as intended, these variants need “device administrator” access.
Enabling this feature requires confirmation from the device owner through a special “activate device administrator” dialog shown after an app is installed. To get users’ approval most ransomware apps — which typically masquerade as legitimate apps — rely on social engineering, for example by claiming that the higher access is needed for one of the functions they claim to provide.
According to researchers from Symantec, ransomware creators have now taken it to the next level. A new threat called Android.Lockdroid.E abuses the different types of windows that Android applications can trigger, they said in a blog post Wednesday.
Once installed, the Lockdroid.E ransomware triggers the device administrator activation dialog, but also displays a TYPE_SYSTEM_ERROR window with a message claiming that an additional component is being unpacked. Android displays this particular window type on top of all others, therefore covering the device administrator dialog.
After a few seconds, the app displays another window that uses TYPE_SYSTEM_OVERLAY and which also covers the device administrator dialog. This second window contains the message “Installation is complete” and a button called “Continue.”
The “Continue” button is actually fake because TYPE_SYSTEM_OVERLAY windows are not designed to receive user interface inputs like taps. However, it is perfectly positioned on top of the “Confirm” button from the hidden device administrator activation dialog.
Because of this, when users tap “Continue” the action is actually transferred to the device administrator window underneath, and specifically its “Confirm” button.
Starting with Android 5.0 (Lollipop) the two dialog types that this ransomware program abuses are no longer displayed on top of system permission dialogs like the one for device administrator. However, the bad news is that two thirds of Android devices still run versions older than 5.0, according to the latest statistics from Google Play.
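As an added example (not from the article or from Symantec), the following triage check flags apps whose decoded manifest combines the two ingredients described above: permission to draw overlay windows and a device administrator component. It assumes the manifest has already been decoded to text XML, and it relies on both window types being gated by the SYSTEM_ALERT_WINDOW permission on pre-5.0 Android; the function name, verdict strings and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
LOLLIPOP_API = 21  # Android 5.0, where overlays stop covering the admin dialog

# Constructed sample: a decoded manifest that requests overlay windows and
# declares a device administrator receiver (hypothetical package and names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/policies"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml, device_api_level):
    """Return a verdict for one decoded AndroidManifest.xml on one device."""
    # Manifests come from untrusted packages: refuse DTDs so entity
    # expansion tricks never reach the parser.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        return {"verdict": "rejected-doctype", "overlay": False,
                "admin_receivers": []}

    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    overlay = OVERLAY_PERM in perms

    # A device admin component is a receiver guarded by BIND_DEVICE_ADMIN
    # or one that listens for the DEVICE_ADMIN_ENABLED action.
    admin_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        guarded = receiver.get(ANDROID + "permission") == ADMIN_PERM
        if guarded or ADMIN_ACTION in actions:
            admin_receivers.append(receiver.get(ANDROID + "name"))

    if overlay and admin_receivers:
        # Same manifest, different risk: only pre-5.0 devices let the
        # overlay sit on top of the activation dialog.
        verdict = "exposed" if device_api_level < LOLLIPOP_API else "mitigated"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "overlay": overlay,
            "admin_receivers": admin_receivers}


if __name__ == "__main__":
    for api in (19, 21):  # KitKat and Lollipop API levels
        print(api, triage_manifest(SAMPLE_MANIFEST, api))
```

A match is a prompt for manual review rather than a detection, since legitimate apps can also request both capabilities.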
“The malicious app is not found on Google Play and may be downloaded from third-party app stores, forums, or torrent sites,” the Symantec researchers said. “Users who have Google Play installed are protected from this app by Verify Apps even when downloading it outside of Google Play. Symantec advises users to only download apps from trusted app stores.”
In: Android, Mobile Technology, WinPhone · Tagged with: Malware
Steve Dent, Engadget, 1/22/16
The search giant released a patch anyway, though.
Google said that Android 5.0 and later devices, including its Nexus smartphones, are protected by a new layer of security called the Android SELinux policy, which prevents third-party applications from accessing the code. Furthermore, it said that “many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8,” ruling out a large percentage of older devices. Nevertheless, Google has released a patch that will be required on all Android devices with Google’s latest security standards. If you own a recent Android-based smartphone, expect to see the fix pushed to your phone in the coming days.
In: Android, Mobile Technology · Tagged with: Linux, Malware
Dan Goodin, ArsTechnica, 1/22/16
Vulnerability allows restricted users and apps to gain unfettered root access.
For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.
The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can’t be accessed by other apps. According to a blog post published Tuesday, researchers from security firm Perception Point discovered and privately reported the bug to Linux kernel maintainers. To demonstrate the risk the bug posed, the researchers also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that’s executed by the kernel.
The vulnerability is notable because it’s exploitable in a wide array of settings. On servers, people with local access can exploit it to achieve complete root access. On smartphones running Android versions KitKat and later, it can allow a malicious app to break out of the normal security sandbox to gain control of underlying OS functions. It can also be exploited on devices and appliances running embedded versions of Linux. While security mitigations such as supervisor mode access prevention and supervisor mode execution protection are available for many servers, and security enhanced Linux built into Android can make exploits harder, there are still ways to bypass those protections.
Update: In a post published a day after this post went live, Google said company researchers don’t believe any Android devices are vulnerable to exploits by third-party applications. It also said researchers believe that the number of Android devices affected is “significantly smaller than initially reported.” Google will nonetheless issue an update in March that patches the vulnerability.
“As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets),” Perception Point researchers wrote. “While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible.”
While malware distributors have focused most of their resources over the years on infecting computers running Microsoft Windows, they have put increased focus on attacking competing OSes. In 2014, for instance, researchers uncovered a powerful Linux trojan that may have remained undetected for years as it siphoned sensitive data from government agencies and pharmaceutical companies. A vulnerability like the one reported by Perception Point can be the means for surreptitiously installing such malware. The bug is indexed as CVE-2016-0728. Major Linux distributions are expected to make fixes available as early as Tuesday.
In: Android, Mobile Technology · Tagged with: Linux, Malware
Nate Swanner, The Next Web, 1/19/16
Li-Fi is a concept you may not be familiar with, but there are indications Apple is toying with it for inclusion on future iPhones.
Using pulses of light to transmit information, Li-Fi receivers (like a future iPhone, if Apple has its way) will take in that transmission, then translate it into an electric signal.
Because it uses light to send data, Li-Fi may be found in the connected home via accessories like lightbulbs.
Apple’s work with Li-Fi compatibility has been spotted in code for iOS 9.1, which simply notes Li-Fi capabilities. There’s no indication elsewhere that Apple is working with Li-Fi.
But, there’s indication Apple has had Li-Fi in mind for a while. AppleInsider points to a 2013 patent application for a device that sounds an awful lot like a Li-Fi transmitter.
While I’m not expecting Apple to include Li-Fi in the iPhone 7 — mainly because the technology is barely being tested in the real world — it could help push Li-Fi forward by making iPhones compatible.
In: iOS, Mobile Technology · Tagged with: Li-Fi, WiFi
Yoni Heisler, BGR, 1/19/16
Recently discovered code in iOS suggests that Apple may be exploring the feasibility of incorporating Li-Fi functionality into future iPhone models. Li-Fi, in case you’re unfamiliar, is a technology capable of transmitting data via light. What makes Li-Fi so compelling is that it’s effectively Wi-Fi on steroids and can transmit data more than 100 times faster than a standard Wi-Fi connection.
In lab conditions, researchers this past February were able to achieve Li-Fi speeds of 224 gigabits per second, fast enough to download multiple HD movies in less than two seconds.
While Li-Fi still remains something of an experimental technology, iOS 9’s references to the blazing fast data transfer technology are certainly intriguing. The iOS 9 code below was originally discovered by iOS jailbreaker Chase Fromm and relayed by AppleInsider earlier today.
Li-Fi works in a way not entirely unlike a traditional infrared remote control. Data is transmitted by rapidly modulating a light source, and received with a light sensor before being reassembled into an electronic signal.
Unlike your television remote, Li-Fi uses visible light and the modulation happens in a manner imperceptible to the human eye: that means the same bulb that lights your hallway can act as a data access point.
Is this likely to be a feature with the iPhone 7? Not a chance. As it stands today, Li-Fi, despite its promises of speed, is still plagued with a number of limitations. At a base level, it can’t work through walls because, well, visible light can’t travel through walls. In this respect, Wi-Fi has a huge practical advantage. Not only that, but a Li-Fi enabled device needs to have a direct line of sight to an operational light sensor to operate. This operational limitation, however, does make Li-Fi a more secure transfer protocol than Wi-Fi. Today, Li-Fi is far from being a true Wi-Fi replacement, but it’s not out of the realm of comprehension that Li-Fi, in the future, may dutifully serve as a Wi-Fi supplement.
More broadly, the Li-Fi references in iOS 9 certainly affirm that Apple remains dedicated to exploring next-gen technologies for future use. Of course, the fact that Apple is already looking into Li-Fi shouldn’t come as much of a surprise. If we go back in time a bit, you might remember that Apple, with the original iBook in 1999, was the first company to ever release a laptop with built-in Wi-Fi.
For more information about Li-Fi, University of Edinburgh Professor Harald Haas in 2011 gave a TED talk on the technology he invented.
“All we need to do is fit a small microchip to every potential illumination device and this would then combine two basic functionalities, illumination and wireless data transmission,” Haas explained. “In the future we will not only have 14 billion light bulbs, we may have 14 billion Li-Fis deployed worldwide for a cleaner, greener and even brighter future.”
In: iOS, Mobile Technology · Tagged with: Li-Fi, WiFi
Monica Alleven, FierceWireless, 1/11/16
Make no mistake: AT&T certainly is thinking about 5G, even if its executives are urging the industry not to get too far ahead of itself before standards are written.
AT&T representatives recently met with FCC officials to discuss 5G as part of the commission’s proceeding on the use of bands above 24 GHz for mobile radio services. The FCC has proposed new rules for higher band spectrum, which is expected to play a bigger role in 5G than in any previous generations of mobile technology.
Specifically, the AT&T executives met with staff from the Wireless Telecommunications Bureau, International Bureau and Office of Engineering and Technology (OET) to present their vision, key issues and architectural concepts for 5G networks. Representing the OET were Julius Knapp, chief engineer, and Michael Ha, deputy chief. AT&T representatives included Joan Marsh, VP of federal regulatory, and Stacey Black, AVP of federal regulatory, and others.
AT&T’s presentation to the FCC discusses the diverging requirements supported by a multi-radio access technology (RAT) approach, including “extremely high speed mobile broadband and low speed IoT,” as well as simultaneous connections to multiple technologies, including LTE-A, unlicensed, and flexible new RAT design.
Another trend listed is the addition of new millimeter wave (mmWave) RAT for speed and capacity, estimated by AT&T to emerge around the 2022 timeframe. The concept includes self-backhaul to simplify short-range cell architecture. Network slicing is also expected to deliver “varied services to varied devices,” and SDN/NFV architecture will be a necessity.
The presentation includes discussion of key 5G concepts impacting RAN architecture, which includes the aforementioned self-backhaul, as well as transmission point (TP) groups for low latency transport or self-backhaul within a TP group and high latency transport between TP groups.
“5G specs should be designed to be distributed and virtualized,” and “avoid strict timing relationships to allow distributed implementation,” the presentation states. Functional splits also must be studied to understand what interfaces might be opened in standards bodies such as 3GPP, AT&T said.
The topic of 5G and the perception that competitors are moving faster than AT&T came up during a presentation during Citi’s recent 2016 Global Internet, Media and Telecommunications Conference in Las Vegas. Rival Verizon made a big splash in September when it announced it would begin 5G technology field trials in 2016. After that, AT&T executives made a point to downplay the significance of those efforts.
At the Citi conference, AT&T Senior EVP of Technology and Operations John Donovan indicated the operator doesn’t feel an urgency to move faster on 5G unless a better cost curve emerges.
“We are doing everything in 5G that everyone is doing,” he said, echoing comments by other AT&T executives. “We sit on the standards boards. We’re trialing the technologies. We’re trialing different flavors of the technology. We’ve earmarked cities for deployments early… We just haven’t been overly public because what we want to do is we want to keep the optionality of being early, mid- or on the back end, depending on whether we’re going to optimize to speed, capacity or cost. And right now, we’re laser-focused on that incremental cost per megabyte as the customers start to consume more and more video on wireless.”
In: Mobile Technology · Tagged with: 5G, AT&T, FCC, LAA, LTE-U, Verizon
Mike Dano, FierceWireless, 1/11/16
A top executive from the Wi-Fi Alliance said the group is making progress in its efforts to create a testing regime for LTE-U technologies, with the goal of creating some common ground between the Wi-Fi industry and the cellular industry over the controversial technology. However, he said it’s not yet clear when the association would finish its work and actually release a testing process for LTE-U; he said the group might announce a due date for that work during its upcoming meeting in February.
“We are working on the test regime now,” said Kevin Robinson, VP of marketing for the Wi-Fi Alliance, noting that stakeholders in the proceeding are having weekly meetings on the topic. “There is absolute alignment [in the technology industry] in determining a test regime [for LTE-U technology] and that the work would be done within the Wi-Fi Alliance… We’re the forum where they can have these difficult technical discussions.”
Importantly, Robinson also provided an outline of what the testing regime will look like for LTE-U. He said the association is working on three main elements for the testing regime:
1. Basic scenarios: Robinson said work on this portion of the regime is almost done, and that it would cover the basic process to test one Wi-Fi device and one LTE-U device that are nearby and using the same spectrum and network.
2. Low-energy detection scenarios. Robinson said this testing will look at the connection strength of various Wi-Fi and LTE-U devices, and determine how they will work alongside each other in various stages of weak signal strength.
3. Complicated scenarios. Robinson said the Wi-Fi Alliance will also create a testing paradigm for more complex situations where Wi-Fi and LTE-U devices might encounter each other, like densely packed sports stadiums and other high-traffic areas. Robinson made his comments here on the sidelines of the CES event, and noted that the Las Vegas Convention Center at the height of the CES show is an ideal example of the complicated scenarios the testing regime will cover. “Those are difficult tests to write and conduct,” he acknowledged.
Robinson said the goal of the testing regime, once complete, will be to determine whether there is “fair sharing” between Wi-Fi and LTE users in the same spectrum. He described “fair sharing” as whether one LTE user entering unlicensed spectrum would have “no worse impact” on an existing Wi-Fi user in that spectrum than would the addition of another Wi-Fi user.
To be clear, the testing regime is only the first step in a long process toward smoothing the disagreements between the Wi-Fi industry and the cellular industry over LTE-U, LAA and other such technologies designed to transmit LTE signals in unlicensed spectrum. Instead, the testing regime is only intended to create a common ground for discussions about the potential commercial rollout of LTE-U technology. So far, Robinson explained, some Wi-Fi proponents have cited testing results that they say show harmful interference from LTE-U technologies. Meantime, LTE-U proponents have cited their own tests showing the opposite. Thus, the Wi-Fi Alliance’s testing regime, once it is complete, is intended to allow industry players to conduct standardized tests on various LTE-U technologies to see if they do or do not impact Wi-Fi users.
LTE-U proponents last year initially rejected the Wi-Fi Alliance’s Co-Existence Evaluation Program for developing a comprehensive coexistence test plan. However, after a November workshop sponsored by the Wi-Fi Alliance that brought together about 100 people from 54 different companies, players ranging from Verizon to Google agreed on the need for additional clarity in the LTE-U specification, as well as broader testing and a commitment from stakeholders to collaborate.
The issue is critical to some wireless carriers: Verizon and T-Mobile have expressed a desire to roll out LTE-U in 2016, and AT&T, Verizon and T-Mobile are among the members of Evolve, a coalition launched in September to promote the benefits of unlicensed spectrum and new technologies like LTE-U and License Assisted Access (LAA). LAA is being developed as a standard through 3GPP.
The Wi-Fi Alliance plans its next invitation-only workshop on Feb. 10 in San Jose, and Robinson said at that time the group expects to announce when it will complete its testing regime.