Wednesday, August 5, 2015

Avoid Stagefright by turning off auto retrieve for multimedia messages

An Austin hacker discovered a major flaw in Android's Stagefright media library. While waiting for your device maker to provide a fix, turn off automatic downloads for MMS.

Update August 13: Phone makers and cellular carriers are beginning to roll out updates to fix this vulnerability; see step-by-step instructions for checking for and installing updates.


Last week, Austin hacker / researcher Joshua Drake disclosed a fairly significant flaw in nearly every version of Android in use (2.2 and later), whereby a malicious multimedia message (aka a video text) could run code on the phone and take control of it. This is a hacker's dream in that it does not require the victim to do anything. Simply receiving a message can trigger the flaw, because most messaging apps will automatically download the message and process the media so it is ready to display. This is very similar to the "text of death" that affected iPhone users a couple of months ago, but with the potential to actually take control of devices rather than merely crash them.

Tonight he is presenting his findings at Black Hat, a major security conference in Las Vegas. He will release details of his findings, including proof of concept code demonstrating the flaw, at the end of his talk. With the demonstration code, any software developer could reproduce his research.


[ Update: shortly after posting this, the research and proof of concept code were published to Zimperium's blog ]

If the name Joshua Drake sounds familiar, it's because I have written of his work before. Known among the hacker community as "jduck," Joshua found a flaw in ASUS wireless routers that would let anyone with access to your local network take control of the router. Shortly after he published that work, I wrote a post with a temporary solution until ASUS released a firmware fix.

Fixing the root vulnerability is in the hands of your cell phone manufacturer and your cellular carrier. Google has already fixed its own Nexus devices. Samsung has announced plans to begin monthly security updates, as has LG. Other manufacturers are sure to follow at varying paces.

According to Joshua, the flaw can be exploited through a variety of methods including multimedia messaging, email, Bluetooth, USB, and a web browser. Most of those methods require the victim to do something (click a link, open an email, plug in a device). Multimedia messaging is the exception, because the phone fetches and processes the message on its own.


While you wait for your phone maker and cellular carrier to provide a permanent fix, there is something you can do to reduce the risk. By default your messaging app likely downloads multimedia messages automatically so they are immediately ready when you open the app. You can change that behavior. You will still get notifications of new messages, and plain text messages will show up without any additional effort, but media messages will then require that you tap to download the message. Until you tap, the media never reaches the phone, so nothing gets parsed.
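To make the "auto retrieve" switch concrete, here is an added example (my own code, not from the original post or from Zimperium's research) that decodes the small WAP push notification a carrier sends to announce a new MMS and shows where the auto retrieve decision sits. The notification itself carries only headers; the media lives at the X-Mms-Content-Location URL on the carrier's MMSC, and it is the automatic fetch of that URL, followed by handing the body to the media framework, that makes the attack zero-click. The sample PDU, phone number and MMSC hostname below are constructed for the example, and `retrieval_action` is a stand-in for the messaging app's own logic, not Android code.

```python
"""Decode an OMA MMS m-notification-ind PDU and decide whether to fetch the body.

The WAP push announcing a new MMS carries only headers; the media sits at
X-Mms-Content-Location on the carrier's MMSC. With auto retrieve on, the
handset fetches that URL and hands the body to the media framework with no
user action. With it off, the fetch waits for a tap."""

# WSP-encoded MMS header field codes (well-known code with the high bit set)
MESSAGE_TYPE, TRANSACTION_ID, MMS_VERSION = 0x8C, 0x98, 0x8D
FROM, MESSAGE_CLASS, MESSAGE_SIZE = 0x89, 0x8A, 0x8E
EXPIRY, CONTENT_LOCATION = 0x88, 0x83
M_NOTIFICATION_IND = 0x82            # X-Mms-Message-Type value for a notification
MESSAGE_CLASSES = {0x80: "personal", 0x81: "advertisement",
                   0x82: "informational", 0x83: "auto"}

# Constructed sample PDU (not a captured message); number and host are fictitious.
SAMPLE_NOTIFICATION = (
    bytes([MESSAGE_TYPE, M_NOTIFICATION_IND])
    + bytes([TRANSACTION_ID]) + b"T1a2b3\x00"                   # text-string, NUL terminated
    + bytes([MMS_VERSION, 0x90])                                  # short-integer: version 1.0
    + bytes([FROM, 0x18, 0x80]) + b"+15551234567/TYPE=PLMN\x00"  # value-length 24, Address-present-token
    + bytes([MESSAGE_CLASS, 0x80])                                # Personal
    + bytes([MESSAGE_SIZE, 0x03, 0x1E, 0x84, 0x80])               # long-integer: 2,000,000 bytes
    + bytes([EXPIRY, 0x05, 0x81, 0x03, 0x01, 0x51, 0x80])         # Relative-token, 86400 seconds
    + bytes([CONTENT_LOCATION]) + b"http://mmsc.example.net/retrieve?id=1a2b3\x00"
)


def _text_string(buf, pos):
    """WSP Text-string: optional 0x7F quote byte, bytes up to a NUL terminator."""
    if buf[pos] == 0x7F:
        pos += 1
    end = buf.index(0, pos)
    return buf[pos:end].decode("utf-8", "replace"), end + 1


def _uintvar(buf, pos):
    """WSP Uintvar: 7 bits per byte, high bit set on every byte but the last."""
    value = 0
    while True:
        byte = buf[pos]
        pos += 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos


def _value_length(buf, pos):
    """WSP Value-length: a single byte below 31, or 31 followed by a Uintvar."""
    if buf[pos] < 31:
        return buf[pos], pos + 1
    if buf[pos] == 31:
        return _uintvar(buf, pos + 1)
    raise ValueError(f"bad value-length byte 0x{buf[pos]:02X} at offset {pos}")


def _long_integer(buf, pos):
    """WSP Long-integer: one length byte (at most 30) followed by big-endian bytes."""
    length = buf[pos]
    if length > 30:
        raise ValueError(f"bad long-integer length {length} at offset {pos}")
    pos += 1
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length


def parse_notification(pdu):
    """Return the notification headers as a dict; raise on unknown or malformed headers."""
    fields, pos = {}, 0
    while pos < len(pdu):
        code = pdu[pos]
        pos += 1
        if code == MESSAGE_TYPE:
            fields["message_type"] = pdu[pos]
            pos += 1
        elif code == TRANSACTION_ID:
            fields["transaction_id"], pos = _text_string(pdu, pos)
        elif code == CONTENT_LOCATION:
            fields["content_location"], pos = _text_string(pdu, pos)
        elif code == MMS_VERSION:                       # short-integer: major in bits 4-6, minor in 0-3
            fields["version"] = f"{(pdu[pos] & 0x70) >> 4}.{pdu[pos] & 0x0F}"
            pos += 1
        elif code == FROM:
            length, pos = _value_length(pdu, pos)
            end = pos + length
            if pdu[pos] == 0x80:                        # Address-present-token, sender supplied
                fields["from"], _ = _text_string(pdu, pos + 1)
            else:                                       # Insert-address-token, MMSC fills it in
                fields["from"] = None
            pos = end
        elif code == MESSAGE_CLASS:
            if pdu[pos] >= 0x80:
                fields["message_class"] = MESSAGE_CLASSES.get(pdu[pos], "unknown")
                pos += 1
            else:
                fields["message_class"], pos = _text_string(pdu, pos)
        elif code == MESSAGE_SIZE:
            fields["message_size"], pos = _long_integer(pdu, pos)
        elif code == EXPIRY:
            length, pos = _value_length(pdu, pos)
            end = pos + length
            kind = "absolute" if pdu[pos] == 0x80 else "relative"
            seconds, _ = _long_integer(pdu, pos + 1)
            fields["expiry"] = (kind, seconds)
            pos = end
        else:
            raise ValueError(f"unsupported header 0x{code:02X} at offset {pos - 1}")
    return fields


def retrieval_action(pdu, auto_retrieve):
    """Stand-in for the messaging app's decision (hypothetical, not Android's code).

    Returns ("fetch", url) when the body would be downloaded and parsed right away,
    or ("defer", url) when nothing is fetched until the user taps the message."""
    fields = parse_notification(pdu)
    if fields.get("message_type") != M_NOTIFICATION_IND:
        raise ValueError("not an m-notification-ind")
    return ("fetch" if auto_retrieve else "defer", fields["content_location"])


if __name__ == "__main__":
    for setting in (True, False):
        print(f"auto retrieve {'on ' if setting else 'off'}:", retrieval_action(SAMPLE_NOTIFICATION, setting))
```

The only field under the attacker's control that matters here is the content location: everything dangerous is in the body at that URL, and the notification is harmless on its own. Turning auto retrieve off moves the fetch (and the media parsing behind it) from "on arrival" to "when you tap", which is exactly why the setting helps and why you should not tap media from senders you do not recognize.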



Messenger (native Android app)


Step 1: launch your messaging app and open the "Settings" menu.

open the settings menu for your messaging app

Step 2: select the "Multimedia messages" option from the settings menu. (On Android versions prior to 5.0 there is no such sub-menu; the option from step 3 sits directly in the Settings menu, so skip ahead to step 3.)

For Android 5.0 or newer, open the "Multimedia messages" sub-menu

Step 3: Uncheck "Auto retrieve."

Turn *off* the option to Auto retrieve

This will not block every possible way this flaw can be exploited, but it blocks the most likely (and most dangerous) method: the one that needs no action from you. Keep in mind that the flaw is in the media library itself, so a malicious message is still dangerous the moment you choose to download it. Do not tap to retrieve media from senders you do not recognize until your device has been updated.


Google Hangouts


If you use Hangouts, the same thing applies.

Step 1: open the Settings menu in Hangouts

Open the Hangouts Settings menu

Step 2: Click into the SMS sub-menu

Click into the SMS sub-menu

Step 3: Uncheck Auto retrieve MMS

*Uncheck* Auto retrieve MMS

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen