Hacker finds a security hole in the Google Android software on the T-Mobile G1

A veteran security researcher has found a security hole in the T-Mobile G1 phone, which runs Google’s Android software. Charlie Miller of Independent Security Evaluators in Baltimore told the New York Times that he was able to redirect the G1’s web browser to a malicious web site.

Miller, Mark Daniel and Jake Honoroff were able to hack the G1 just a few days after it started selling to big crowds on Tuesday night and Wednesday morning. Miller notified Google of the flaw this week and said he was publicizing it to warn smartphone users of the vulnerability.

The attack follows a familiar tactic for Miller, who has received a lot of press before because he was able to hack Apple’s Leopard operating system, the MacBook Air, and the iPhone. In each case, he was either the first one to crack the systems or partnered with someone who did. He was, for instance, able to hack the iPhone because it used the same vulnerable Safari web browser as the Macintosh computers. In that case, there was a known vulnerability but Apple didn’t include the fix for it in the iPhone. In another case, Miller and his fellow security researcher Dino Dai Zovi were able to hack Second Life because it depended on the vulnerable QuickTime movie player made by Apple.

The vulnerability of the G1, which is made by HTC, is disturbing in part because many companies hope to make phones based on Google’s Android software. Android consists of more than 80 different open-source software components. The vulnerability is there because Google didn’t use the most up-to-date versions of each component.

Google told the New York Times that it was aware of the problem but the security features of the phone would limit the extent of damage that hackers could do. This approach of “sandboxing” an application means that each one is isolated from the others. It’s necessary because just about anyone can upload a software application to Google’s Android Marketplace where users can download the apps to phones.

Miller’s technique lets an attacker install software that captures keystrokes on the phone, including any passwords typed into it. That’s a big problem because you can use the phone to access your email or other password-protected sites. Miller has not revealed the exact technical details of the hack, but hackers are likely to figure out what to do in the coming days. Google doesn’t have long to fix the problem.

Google naturally complained that Miller didn’t give them enough time to come up with a fix before going public with the flaw. The basic description of what they did is posted here.

Miller’s attitude has always been that if he can hack a system, others can do the same thing quietly and users are vulnerable in the meantime. Miller isn’t a so-called “black hat” hacker who breaks into systems for criminal purposes; he’s a security researcher, and his company, Independent Security Evaluators, is frequently hired to do penetration testing, that is, to stage mock attacks to test the security of systems.

In a statement, T-Mobile said, “Google is working on a browser software patch for Android. We are coordinating with Google on a plan to soon deliver this update over-the-air to customers’ G1 devices. For people currently using the phone, we do not believe this matter will negatively impact their experience with the device.”

Google also issued a statement: “We treat all security matters seriously and will carefully work with our partners to investigate and update devices periodically to reduce our users’ exposure. We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open source platform. The security and privacy of our users is of primary importance to the Android Open Source Project – we do not believe this matter will negatively impact them.”

I like the “negatively impact” wording. These guys are really in sync.


About the Author, Dean Takahashi

Dean is lead writer for GamesBeat at VentureBeat. He covers video games, security, chips and a variety of other subjects. Dean previously worked at the San Jose Mercury News, the Wall Street Journal, the Red Herring, the Los Angeles Times, the Orange County Register and the Dallas Times Herald. He is the author of two books, Opening the Xbox and the Xbox 360 Uncloaked. Follow him on Twitter at @deantak, and follow VentureBeat on Twitter at @venturebeat.

  • nYtel Vlanderfall
    To be honest, this article explains one reason why I choose not to embrace the Android operating system. If the software marketplace is this open, and applications are not screened before publishing, who knows what you are getting into. I don't want applications that are malicious. Who knows, that awesome "GPS utility" I downloaded could be the next way for hackers to find anyone they desire, and be a serious threat... In any event, there should be a little more discernment when it comes to allowing just any application to be posted online. That's just my 2 cents...
  • David
    Your argument could just as well be used for computers ... or even real life in general. There are many computer users, young and old, Mac or Windows, who could just as likely install a malicious app without their intent. A phone should (and eventually will be) treated no differently than a general purpose computer. Thankfully so! Why don't we have Microsoft or Apple "discern" what applications are appropriate for our computers? They hold just as sensitive data and can be even more critical. Every new piece of technology adds complexity AND risks to our lives. If you can't understand that, you shouldn't take part. Otherwise, we are just sheep.
  • Miron
    Maybe you missed the past 5 years in software design evolution.
    BTW, they did not create anything "new". OSes in palm sized devices offering phone capabilities have at least 1/2 decade of history or more. In the software world this is eternity. Besides, this is the first product I know of that users need to pay for from Google. Everything else was arguably "free", and there is a huge difference between "free" and "reasonably priced".
  • gabe
    Actually there have been a few, mostly related to upgrading storage size, but also the enterprise version of Google Apps is a user-paid service from Google.
  • LucidGoldfish
    Linux is very secure, and anyone can make an application for that... in fact that is the whole point of open source. All in all open source is pretty safe; I personally prefer this type of openness and freedom. I don't want a company able to tell me what I can and can't run on my phone or computer. Look at the iPhone, you can't even have a video app without jailbreaking the phone. (This is not due to security, it's due to control, and ultimately more money.) I would just prefer an open platform in the first place. If you want hand holding and restrictions, stick to Apple; if you want robust open platforms, where you get to choose what you want, an Android OS phone is probably your best bet. To give you an example of how open source is stable and secure, take a look at OS X. This was based off of FreeBSD, which in turn came out of UNIX. Apple took the benefits of stability and security, and based its OS on it.
  • Well, I am not surprised that a security hole has been found. In such a large software system, it is quite expected that something could have gone unnoticed in terms of security.
    The main thing to watch out for is what action Google takes. Obviously they will take action, but will it be a quick one? Will it convince people that Google is serious about security?
    Earlier it was usually only Microsoft which used to bear the brunt of the journalists and others because of the huge install base of their operating system. But now we have Apple as well as Google in the game. It will be interesting to see how these companies handle such reports.
  • kappen
    You think the iPhone store is much better? How many times have we seen whole applications that were very obvious about what they do come up on the store, only to be ripped down by Apple once they figured out what they did?
  • Jesh
    Buy an iPhone!!
  • Gabe
    iPhones are just going to be bricked when the new one is released. Proprietary software for inexperienced users. Everyone I know who has an iPhone and compares it to my G1 wants what I have. You just need to understand the difference between the two. That doesn't mean the iPhone's bad, just that Android based phones are better. To say that any device that uses the internet is secure is about as ignorant as it gets. There's no such thing. Get a clue. Google obviously knew about the flaw when they released. They're still in Beta version.
  • lordastral
    In my opinion, this is the inherent problem in turning everything into a computer. Why exactly do you NEED a fricking computer in a cellphone anyway? Use the cellphone to talk, use a computer to compute. And when you have a complex operating system, then you are asking for the risks inherent in such a complex program.

    Google will fix the flaw, and another one will be found, and they will fix that one, and on and on it will go, ad nauseam.

    Don't want a vulnerability like this? Well, then don't buy one. Heck, I don't even own a cell phone. If I need to make a call that badly, I use a couple of quarters and use a pay phone. And I get the peace of mind of knowing I won't be distracted while driving.
  • louie
    Where is there a pay phone ? Where ??
  • Gabe
    Wake up from the caveman era. Why drive, fly planes, or use a computer then? Quit being so scared of technology. It's time to grow up and understand the benefits of moving forward, not remaining in the past.
  • Jessie
    HAHAHA GOOGLE SUCKS!!!
  • Mark
    To refer to Safari and QuickTime as "the vulnerable Safari" and "the vulnerable QuickTime" is a tad unfair. Name a piece of software that isn't on SOME level "vulnerable" to a team of professional security experts who spend 50+ hours a week scouring code for holes. What the article doesn't say is that these guys are very, very good. They are not your average 21 year old garage hacker. What matters is how big the "vulnerability" is to malicious hackers in the REAL WORLD, the likelihood of whether or not it would have ever been found or exploited, and the extent of the damage that could be caused; something this article doesn't even address.

    This article doesn't tell us how much damage would really be done were it to be exploited. Can this keystroke capturing be done on a large scale across the internet? Or does the hacker need access to the hacked phone in order to read the data that was captured? I can hack Firefox's icons and font choices on my girlfriend's laptop on my little home network. Does that mean I can call Firefox "vulnerable"? Of course not. Because it's irrelevant; I can't do this through the internet to millions of users.

    QuickTime and Safari are very solid applications. But if one spends long enough beating at their code, they can and will find something they can mess with. The day an app is 100% invulnerable, to this type of hard core hacking, is the day it has outlived its utility.

    It would be nice to know whether this type of thing is really something to care about, or whether it's just hype. Just a thought.
  • Alan Burns
    What the author meant is that the hacks were successful thanks to the versions of safari and quicktime used being vulnerable. He did not intend to imply that the software, in general, was vulnerable to attack, only those older versions which have since been patched. At least, that's how I interpreted it.
  • Greg
    Gabe,
    I have seen the new G1 phone; I would not trade my iPhone for it. The iPhone is a polished, reliable device that does what it is supposed to do, and does it well, mind you. The G1 reminds me of the Instinct from Sprint, just a second rate copy trying to play with the big boys.
  • seamonkey
    The iPhone is just for people who want a shiny pretty device with no real substance. "I don't want to think about downloading programs, I'll just keep paying money to the APP store and iTunes"

    Keep paying your money away to Apple...
  • Ferhat
    A vulnerability accessing the Internet? That will be fixed. Then someone will come up with another vulnerability... That's the game.

    That said, I gave up on iPhone after using it for 6 months and got the G1, the iPhone has the most troublesome design issue I've ever seen in a cell phone: it can't be used single handedly.
  • Redfox
    The iPhone is total crap. Between Apple's relentless software restrictions and their ever-increasing ideas on how to charge for things that should be free, it's not worth its own updates, which btw have a 1 in 7.5 chance of erasing your personal data :( Google should start a political party and run for President. I think it'd be fun. But for now, the G1 is awesome, and Google needs to continue putting more of their innovation into the cell market.

    And for those naysayers, compare the few things/problems that will inevitably be found on the G1 with the mountain of flaws on the 1st gen iPhone, or even those of the "new" 3G version!!!! And then say something $&%$&!!! :) lol