What if an attacker gained system level access to your mobile phone? What could they achieve with that data? In light of recent new Android vulnerabilities, this is no longer a purely theoretical exercise.
Stagefright was published widely on 27 July (by Zimperium), and there are indications (from Trend Micro and its comment section) that it has been out in the wild for considerably longer. Among its potential attacks is reading and writing files with the same privileges the OS mediaserver process has.
It is fair to assume that over time a commonly available exploit will appear that allows either system-level read access or screen scraping; either is enough to gather critical information for further, more profitable attacks.
Trend Micro claims they know of no publicly available attacks so far.
Why should this concern you?
Root access to your mobile phone means the following identity resources on it are likely to be compromised:
- Multi-Factor Authentication (MFA) keys.
- Your password manager, which is accessible as soon as you have entered its master password even once.
- Your PKI private keys.
With these resources, the damage potential is staggering:
- Full control of your cloud infrastructure is now in the attacker's hands if they have your MFA key and login credentials. We recommend all our customers read the AWS security advisory concerning Stagefright.
- A PKI private key in the attacker's hands gives them access to secure servers, and to all of your incoming encrypted email communication protected with that private key.
- All your passwords in the attacker's hands, granting access to every service stored within that password manager.
Given the damage potential, we recommend immediate action to mitigate the attack vector, and to limit the damage in case your credentials are already lost.
Mitigate the MMS attack vector.
- Ensure the device is clean before anything else – if nothing else, reset to factory defaults.
- Disable MMS messages. Email is still a potential carrier, but at least email attachments are not preloaded automatically the way MMS media is.
- Always keep the device OS up to date. Some of the largest device distributions received their patch last night (ZDNet) after a week of waiting.
- Set up mobile security software to gain earlier warning of these attacks. (It is not surprising that both Zimperium and Trend Micro sell a product that does just this.)
Reduce damage potential of next stage attacks.
- Rotate all credentials you have used from your Android phone. The AWS security advisory recommends rotating all AWS credentials that were used or stored on an Android device since July 25, 2015.
- Revoke and regenerate your MFA keys managed on the device.
- Revoke your PKI keypair.
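The credential rotation step above is easiest to get right when it is planned and applied by a script rather than by hand. The following is an added example, not code from the original post or from AWS: a rotation planner that treats every still-active IAM access key as possibly stored on the phone (IAM cannot tell which device a key was used from), prioritises keys that were actually used on or after the 25 July 2015 date the advisory names, and applies the plan by creating a replacement before deactivating (not deleting) the old key. The `AccessKey` records, the `AKIAEXAMPLE...` identifiers and the `SAFE_AFTER` cleanup time are constructed sample data; `apply_plan()` expects a client with boto3's `create_access_key` / `update_access_key` method names, and is exercised here only through a recording stand-in.

```python
"""Plan and apply rotation of IAM access keys that may have been stored on a
compromised Android device (added example; assumed boto3-style wiring)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc
# Date taken from the AWS advisory quoted in the post: keys used from an
# Android device on or after this date are treated as the most urgent.
EXPOSURE_START = datetime(2015, 7, 25, tzinfo=UTC)


@dataclass(frozen=True)
class AccessKey:
    user: str
    key_id: str
    status: str                    # "Active" or "Inactive", as IAM reports it
    created: datetime
    last_used: Optional[datetime]  # None when IAM reports the key as never used


@dataclass
class RotationPlan:
    rotate: list = field(default_factory=list)           # in use: replace, then deactivate
    deactivate_only: list = field(default_factory=list)  # never used: nothing depends on it
    skip: list = field(default_factory=list)             # inactive, or created after cleanup


def plan_rotation(keys, safe_after: Optional[datetime] = None,
                  exposure_start: datetime = EXPOSURE_START) -> RotationPlan:
    """Conservative policy: any key still Active could be sitting on the phone,
    so it is rotated or deactivated. `safe_after` is when the device was wiped;
    keys created after it are fresh and skipped, so re-running is idempotent.
    Keys used during the exposure window are sorted to the front of `rotate`."""
    plan = RotationPlan()
    for key in sorted(keys, key=lambda k: (k.user, k.key_id)):
        if key.status != "Active":
            plan.skip.append(key)
        elif safe_after is not None and key.created >= safe_after:
            plan.skip.append(key)
        elif key.last_used is None:
            plan.deactivate_only.append(key)
        else:
            plan.rotate.append(key)
    # False sorts before True, so keys used on/after exposure_start come first.
    plan.rotate.sort(key=lambda k: k.last_used < exposure_start)
    return plan


def apply_plan(plan: RotationPlan, iam) -> dict:
    """Apply the plan through an IAM client with boto3's method names (assumed
    wiring). The old key is deactivated rather than deleted so a service that
    breaks can be switched back while the new secret is distributed. IAM allows
    at most two access keys per user, so a user already holding two Active keys
    needs one deactivated before create_access_key will succeed."""
    replacements = {}  # old key id -> new key id (the new secret is never logged)
    for key in plan.rotate:
        created = iam.create_access_key(UserName=key.user)["AccessKey"]
        replacements[key.key_id] = created["AccessKeyId"]
        iam.update_access_key(UserName=key.user, AccessKeyId=key.key_id, Status="Inactive")
    for key in plan.deactivate_only:
        iam.update_access_key(UserName=key.user, AccessKeyId=key.key_id, Status="Inactive")
    return replacements


class RecordingIAM:
    """Offline stand-in that records calls in order instead of talking to AWS."""
    def __init__(self):
        self.calls = []
        self._n = 0

    def create_access_key(self, UserName):
        self._n += 1
        self.calls.append(("create", UserName))
        return {"AccessKey": {"AccessKeyId": f"AKIANEW{self._n:04d}",
                              "SecretAccessKey": "<constructed, redacted>"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update", AccessKeyId, Status))
        return {}


# Constructed sample inventory (what list_access_keys + get_access_key_last_used
# would give you); none of these identifiers are real.
SAMPLE_KEYS = [
    AccessKey("alice", "AKIAEXAMPLE0001", "Active", datetime(2015, 3, 1, tzinfo=UTC), datetime(2015, 7, 28, tzinfo=UTC)),
    AccessKey("alice", "AKIAEXAMPLE0002", "Active", datetime(2015, 6, 1, tzinfo=UTC), None),
    AccessKey("bob", "AKIAEXAMPLE0003", "Inactive", datetime(2014, 1, 1, tzinfo=UTC), datetime(2015, 1, 1, tzinfo=UTC)),
    AccessKey("aaron", "AKIAEXAMPLE0004", "Active", datetime(2015, 2, 1, tzinfo=UTC), datetime(2015, 7, 1, tzinfo=UTC)),
    AccessKey("carol", "AKIAEXAMPLE0005", "Active", datetime(2015, 8, 2, tzinfo=UTC), datetime(2015, 8, 3, tzinfo=UTC)),
]
SAFE_AFTER = datetime(2015, 8, 2, tzinfo=UTC)  # constructed: when the phone was wiped


def demo():
    """Plan against the sample inventory and apply it to the recording client."""
    plan = plan_rotation(SAMPLE_KEYS, safe_after=SAFE_AFTER)
    iam = RecordingIAM()
    replacements = apply_plan(plan, iam)
    return plan, iam.calls, replacements


if __name__ == "__main__":
    plan, calls, replacements = demo()
    for key in plan.rotate:
        print(f"rotate   {key.user}/{key.key_id} -> {replacements[key.key_id]}")
    for key in plan.deactivate_only:
        print(f"disable  {key.user}/{key.key_id}")
    for key in plan.skip:
        print(f"skip     {key.user}/{key.key_id}")
```

Against a real account you would build the `AccessKey` list from `iam.list_access_keys` and `iam.get_access_key_last_used`, pass `boto3.client("iam")` to `apply_plan`, and only delete the deactivated keys once every service has been confirmed working on its replacement.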
Since the published vulnerability is recent, it is unlikely that you or your administrators have been targeted unless you and your company are in a high-impact, high-visibility position. Taking the above steps without resetting your phone should be enough. However, it is probably worth considering these issues organization-wide and ensuring that nobody remains vulnerable to the attack.
While this specific vulnerability will be patched within a few weeks or months on all up-to-date devices, it is certain that similar attacks will be discovered given the current pace of new feature additions to mobile operating systems.
More secure processes to avoid this in the future.
- Do not store your private key on your phone.
- Use separate devices for managing MFA keys and the related passwords.
- For AWS users: Do not log in to AWS console using your phone.