A veteran security researcher has found a security hole in the T-Mobile G1 phone, which runs Google’s Android software. Charlie Miller of Independent Security Evaluators in Baltimore told the New York Times that he was able to redirect the G1’s web browser to a malicious web site.
Miller, Mark Daniel and Jake Honoroff were able to hack the G1 just a few days after it started selling to big crowds on Tuesday night and Wednesday morning. Miller notified Google of the flaw this week and said he was publicizing it to warn smartphone users of the vulnerability.
The attack follows a familiar tactic for Miller, who has received a lot of press before because he was able to hack Apple’s Leopard operating system, the MacBook Air, and the iPhone. In each case, he was either the first one to crack the systems or partnered with someone who did. He was, for instance, able to hack the iPhone because it used the same vulnerable Safari web browser as the Macintosh computers. In that case, there was a known vulnerability but Apple didn’t include the fix for it in the iPhone. In another case, Miller and his fellow security researcher Dino Dai Zovi were able to hack Second Life because it depended on the vulnerable QuickTime movie player made by Apple.
The vulnerability of the G1, which is made by HTC, is disturbing in part because many companies hope to make phones based on Google’s Android software. Android consists of more than 80 different open-source software components. The vulnerability is there because Google didn’t use the most up-to-date versions of each component.
Google told the New York Times that it was aware of the problem but the security features of the phone would limit the extent of damage that hackers could do. This approach of “sandboxing” an application means that each one is isolated from the others. It’s necessary because just about anyone can upload a software application to Google’s Android Marketplace where users can download the apps to phones.
Miller’s trick allows someone to install software that can capture keystrokes on the phone, allowing the hacker to capture passwords typed into the phone. That’s a big problem because you can use the phone to access your email or other password-protected sites. Miller has not revealed the exact technical details from the hack, but hackers are likely to figure out what to do in the coming days. Google doesn’t have long to fix the problem.
Google naturally complained that Miller didn’t give them enough time to come up with a fix before going public with the flaw. The basic description of what they did is posted here.
Miller’s attitude has always been that if he can hack a system, others can do the same thing quietly and users are vulnerable in the meantime. Miller isn’t a so-called “black hat” hacker who breaks into systems for criminal purposes; he’s a security hacker and his company, Independent Security Evaluators, is frequently hired to do penetration research, or stage mock attacks to test the security of systems.
In a statement, T-Mobile said, “Google is working on a browser software patch for Android. We are coordinating with Google on a plan to soon deliver this update over-the-air to customers’ G1 devices. For people currently using the phone, we do not believe this matter will negatively impact their experience with the device.”
Google also issued a statement: “We treat all security matters seriously and will carefully work with
our partners to investigate and update devices periodically to reduce our users’ exposure. We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open source platform. The security and privacy of our users is of primary importance to the Android Open Source Project – we do not believe this matter will negatively impact them.”
I like the “negatively impact” wording. These guys are really in sync.