Late last week, we wrote about a newly-patched Linux security exploit dubbed DirtyCOW.
Super-simply, the attack works like this:
- Choose two files, one you can write to and one you can’t, and get the kernel to load them both into memory.
- Write over and over again into the file you’re allowed to change.
- At the same time, tell the kernel over and over again that it can borrow back the memory used for the file you can’t change.
- Wait a short while. (A fraction of a second in our tests on 32-bit Intel Linux 4.4.19.)
The vulnerability, officially called CVE-2016-5195, means that the kernel will eventually mix up the memory buffer that you’re writing into with the memory buffer you’re saying you don’t really need any more.
As a result, you get to overwrite the read-only file, which is something of a security catastrophe if it’s a critical system executable or configuration file.
This bug was in the Linux source code for the the last eleven years of kernel releases, and in theory affected every version on every platform during that time.
We only tested it on what you might call a “regular” Linux distribution (for Intel CPUs), but it turns out that DirtyCOW affects Android running on ARM chips as well.
That’s because Google’s largely proprietary Android ecosystem is built on top of the open-source Linux operating system, in much the same way as Apple’s macOS and iOS are built on a BSD-derived open-source core.
A Github user going by Timwr has published a proof-of-concept project that shows how to replace the Android program called run-as.
The idea of run-as is to allow an application to be run as if launched by a different user, just like Run As... on Windows.
That’s useful in development and testing, but it’s also dangerous because run-as automatically acquires root privileges when it starts, and can pass its rootness on to the apps it loads.
To keep things safe, the standard Google version of run-as therefore requires the user who started it to be root in the first place, as would be the case on a typical development or test device connected up for debugging.
Loosely speaking, then, you can use run-as to root a phone, but only if the phone is already rooted in the first place.
Clearly, replacing the admin-capable run-as program with a version that can be started by any user creates a gateway to root a phone permanently.
The risk of rooting
Google’s own Nexus and Pixel devices are sold so that they can be rooted if you like, and are thus commonly used by developers, but other vendors such as Samsung keep their phones locked down, Apple-and-Microsoft style.
As a result, rooting – like its close cousin jailbreaking on Apple phones – is a popular pastime for users who want to do things differently.
For many, it’s a way to remove what they see as vendor bloatware or to replace system apps with leaner, meaner or merely different variants.
For others it’s a way to apply security patches that the vendor hasn’t got round to yet, or to update phones that the vendor no longer supports at all.
And for some, sadly, it’s a gateway to piracy and other scofflaw shenanigans, including carelessly installing maliciously-hacked apps and making ill-advised configuration changes that introduce security problems that would otherwise have been avoided.
In particular, an app that can “get root” can work around the data sandboxing restrictions imposed on regular Android apps, and thereby access files such as logs, messages, databases and other possibly personally identifiable information (PII) that would usually be off-limits.
What to do?
If you genuinely want to root your vendor-locked Android phone, DirtyCOW could be a handy way to get the job done, at least until your vendor’s next security update – though on some devices, that might be a dangerously long time.
On the other hand, if you are a sysadmin looking after a menagerie of corporate devices, where the likely risk of rooting outweighs any potential benefits, you might not be so delighted at the prospect of easily-rooted devices.
Worse still, dodgy off-market apps sometimes secretly use root exploits to get more power than you agreed to give them at install time, which is a danger to any organisation’s network.
We suggest that you ask your Android phone vendors when their DirtyCOW updates will be available.
PS. Sophos Mobile Control can help you to keep rooted phones off your business network by detecting that they’ve been rooted and taking corrective action. That could range from a simple popup warning, through the automatic removal of corporate email, to a forced remote wipe.
Jimus Tsaplan
Generally I don’t recommend to system administrators rooting the employees devices. You never know what will you miss at the first setup. And YES indeed can harm the business network and maybe a bunch of computers. It’s always better to have a safe device, than tweaking these mini Android computers to your needs. If you just can’t live (work properly) with out it, just go for it, I am in.
Great article Paul Ducklin, nice sharing!
Darren Chaker
As consumer demand the latest and greatest increases to simplify life, security flaws continue to increase with it. I truly wish as the world gets more connected that companies puts its products through serious security evaluations prior to releasing the product. Best, Darren Chaker
Alan Robertson
I’m going to go out on a limb here and say that *** if you know what you are doing *** then a rooted device can be far more secure than an unrooted device.
For starters you can run a low level firewall that you can apply rules per application that allow you far more control over what can and cannot access the internet. Why should the android keyboard app have internet access? A low level firewall is only possible by rooting. “No Root” style firewalls work by proxying the traffic and are easily bypassed by malware using their own proxy settings. The same does not apply to a low level firewall.
Similarly, anti virus cannot truly function properly at removing stubborn malware as it doesn’t have root privileges to remove the malware. If you are unlucky to run an app that later turns out to be malware and the AV doesn’t have a current signature for it then you are stuck with the malware and cannot effectively remove it. Yes, don’t use third party app stores etc. but it’s not like Google’s app store hasn’t been caught out with malicious apps, is it? You could also argue that removing Google Play from the device and only sticking with the existing apps supplied by the manufacturer is safer still, but I doubt you will find many people willing to do this.
Also, what is that vendor supplied app doing on your device? The temptation to spy on users and sell the users habits to other companies is huge – especially if you can subsidise your device and make it cheaper for the consumer. Even if it is “just meta data” it can still reveal a lot about someone, and it’s not like your permission was sought prior to this being done. If the device is rooted then any unwanted apps that are installed by the vendor can be removed easily – again increases security.
If malware can use a zero day or some other undocumented feature to access root privileges, then it gains complete control of the device. A rooted phone, on the other hand *** with additional security added *** can thwart the attempts of malware and prevent your device from being owned.
As a side note, privacy guard is useful for preventing apps that request access to your personal data with blanket permissions.
VPN’s / Orbot are useful for protecting your data in transit by encrypting everything even if the apps / browser are not using TLS. Orbot works best with rooted devices as you can TOR everything as opposed to Orbot aware apps.
Choosing a good browser that respects privacy and allows you to change the settings to make it more secure is a good choice. Personally I favour Firefox, but then I’m an open source believer. Some useful Firefox settings:
General, Home, Addons, Only over Wi-Fi
General, uncheck Full-screen browsing
Search, remove Amazon, Qwant, Twitter, Wikipedia
Search, set Bing as default (Google asks for captchas all the time with Orbot)
Search, uncheck Show search history
Privacy, enable Do not Track
Privacy, make sure Tracking protection is checked
Privacy, Cookies, Enabled, excluding 3rd party
Privacy, check Clear private data on exit (select all – you need to choose quit!)
Privacy, uncheck Remember logins
Privacy, Telemetry off
Privacy, Crash Reporter off
Privacy, Mozilla Location Service off
Privacy, Firefox Health Report off
Notifications, disable What’s new in Firefox
Advanced, Restore tabs, Don’t restore after quitting Firefox
Advanced, disable Show web fonts
Advanced, Plugins, Touch to play
Advanced, disable Allow autoplay
Advanced, disable Remote debugging via USB
Advanced, disable Remote debugging via Wi-Fi
Install these addons / extensions (or whatever Mozilla decides to call them):
Canvas Fingerprint Blocker
HTTPS-Everywhere
No Resource URI Leak
NoScript
about:config
network.prefetch-next FALSE
Network.http.sendRefererHeader 0 (may cause problems with some sites)
geo.enabled FALSE
dom.storage.enabled FALSE
dom.event.clipboardevents.enabled = false
browser.sessionhistory.max_entries 5
privacy.resistFingerprinting TRUE (Right Click, New Boolean)
privacy.trackingprotection.enabled TRUE
media.peerconnection.enabled FALSE
browser.send_pings = false (usually already set but best to check)
webgl.disabled = true
dom.battery.enabled = false
“security.ssl3” switch all to false apart from:
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256
Other android settings that are useful:
Use a password and not a PIN number! Or if you are okay about using one of your digits and potentially having your biometric data being leaked then use a finger that’s not your index finger.
Settings, Notification access, App Notifications:
When device is locked, Hide sensitive notification content
Turn off “Show on lock screen” for all apps apart from the ones you want. (Stops casual snooping)
Security, Make passwords visible Off
Location Off
Turn off MMS auto download:
Messaging, preferences, settings, adavanced, Auto Retrieve MMS – Off, off, off!!! Nobody needs MMS and it is used with many other exploits like Stagefright.
In settings, security, trusted credentials.
Turn off all the CA’s apart from:
Comodo, Digicert, Geotrust, Globalsign, Go Daddy, Thawte, The Go Daddy Group and Verisign
Seriously, you don’t need the rest – try it. No offence to the Hong Kong post office but the number of CA’s is getting ridiculous these days.
Settings, data usage, click menu option, turn on enable data usage alerts and also apply network restrictions to your wifi connections (will warn if large files are being downloaded)
Lastly – patch your phone! It’s YOUR responsibility and not the manufacturers to make sure you are safe online. Nor is it your IT departments responsibility to protect you. More to the point, if your phone is compromised and the “bad guys” used your phone to pivot to the company SQL database which ends up on paste bin, well I’m afraid it’s your neck on the chopping block (and IT will happily oblige with log files proving it).
Mahhn
Alan, either you took a lot of time to write that, or you have some good configuration pages, that I would be happy to review.
Thanks
Alan Robertson
Hello Mahhn,
I’m just a tech head – that’s how I roll on the internet. Hopefully someone finds it useful! I’m a big Linux fan and I like the ethos of Sophos – particularly the no back door approach to security. I fully recommend the Sophos anti-virus on Linux as I don’t subscribe to the idea that Linux is immune to viruses. I would love to see more products by Sophos – keep up the good work guys!
cyber security salary
Really interesting Paul, wasn’t aware the nexus was sold with the option of them being rooted!
Paul Ducklin
You can turn on ADB (the Android Debug Bridge) to allow development access via USB and over a network, you can grant yourself access to a root shell, and you can unlock the bootloader to reflash pretty much any firmware you like. (At your own risk. The wrong firmware could crash the device so badly that you can’t reflash the firmware again, thus giving you an expensive brick.)
You use the { } Developer options menu item on the Settings screen, but you have to enable it first. Go to Settings | About phone/tablet, find the Build number item and tap it seven times.
ustechninja
I just wish more carriers would offer rooted versions of devices so devs didn’t have to exploit.