maemo.org - Talk


Win7Mac 2016-08-08 13:10

QuadRooter: New Android Vulnerabilities
 
Quote:

Check Point today disclosed details about a set of four vulnerabilities affecting 900 million Android smartphones and tablets that use Qualcomm® chipsets. The Check Point mobile threat research team, which calls the set of vulnerabilities QuadRooter, presented its findings in a session at DEF CON 24 in Las Vegas.

What is QuadRooter?
QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device.

Some of the latest and most popular Android devices found on the market today use these chipsets, including:

BlackBerry Priv
Blackphone 1 and Blackphone 2
Google Nexus 5X, Nexus 6 and Nexus 6P
HTC One, HTC M9 and HTC 10
LG G4, LG G5, and LG V10
New Moto X by Motorola
OnePlus One, OnePlus 2 and OnePlus 3
Samsung Galaxy S7 and Samsung S7 Edge
Sony Xperia Z Ultra
Source: http://blog.checkpoint.com/2016/08/07/quadrooter/

HtheB 2016-08-08 14:08

Re: QuadRooter: New Android Vulnerabilities
 
Now if we only had Android root for Jolla C and Intex Aqua Fish.
Did someone install the QuadRoot scanner on Jolla phones yet?

mp107 2016-08-08 14:18

Re: QuadRooter: New Android Vulnerabilities
 
Somebody has already done it:
https://together.jolla.com/question/...by-quadrooter/

coderus 2016-08-08 14:31

Re: QuadRooter: New Android Vulnerabilities
 
wtf, where are exploits? i want to root my phone :)

Dave999 2016-08-08 14:59

Re: QuadRooter: New Android Vulnerabilities
 
What is most secure: jPhones, iPhones or random Androids?

jalyst 2016-08-08 15:12

Re: QuadRooter: New Android Vulnerabilities
 
Had some complaints....

Keep it on-topic Dan, be respectful of the intent/focus of people's threads.
Consider this your first & last non-infraction warning...

Not following this thread & most others, so rely on PMs or Post Reports of folks that play up.

Thank-you.

Dave999 2016-08-08 19:05

Re: QuadRooter: New Android Vulnerabilities
 
Instead of complaints. Can you bring anything good. When can we exclect Jolla to work this issue out with 3rd parties?

Or any link to patch.

https://www.checkpoint.com/downloads...rch-report.pdf

pichlo 2016-08-09 06:17

Re: QuadRooter: New Android Vulnerabilities
 
Dave, "exclect"?

Pardon the silly question, but what's all the fuss anyway? If I understand it correctly, all that QuadRooter can do is obtain a root access. Sure, it means it can alter or remove some of the preinstalled bloatware that you cannot remove by standard means but isn't it about it? All the sensitive stuff (your address book, photos, videos, other personal data, network access (that could cost you money if used maliciously)) is in the userland and you grant apps access to those willingly. At least on Android. On Sailfish, there is no such protection at all to start with.

tvicol 2016-08-09 06:48

Re: QuadRooter: New Android Vulnerabilities
 
QuadRooter is about Qualcomm drivers (blobs) that are used by SailfishOS and Android at the same time.
My understanding is that a malicious user may gain root access on your SailfishOS as well. Or am I wrong?

juiceme 2016-08-09 07:23

Re: QuadRooter: New Android Vulnerabilities
 
The vulnerabilities seem pretty clear from the Checkpoint report, however this is also partly scareware; their business just is more or less bullying people into buying their intrusion deterring solution.

On a more-or-less standard Android device this attack might be rolled into a generic package that can take control of the device and either used to leak data or use it as a part of a botnet. However, if a poisoned application is run in Alien Dalvik on a SFOS device I believe it might have a hard time operating correctly since the Android layer is not similar to what is used in native Android devices.
It would probably (but I cannot be 100% sure of course) need to have a specially tailored version to be effective against SFOS devices. However, if such tailored attack is created, then it could also affect the native part of the system and not only the AD part of the system.

TLDR; probably you are safe in any case. If you do not install Alien Dalvik at all, you certainly are safe.

coderus 2016-08-09 07:35

Re: QuadRooter: New Android Vulnerabilities
 
100USD for Jolla exploit. Anyone?

Dave999 2016-08-09 07:40

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by coderus (Post 1512073)
100USD for Jolla exploit. Anyone?

No, thanks, I pass. But it would be nice if they updated drivers.

chenliangchen 2016-08-09 07:41

Re: QuadRooter: New Android Vulnerabilities
 
I wish this came out earlier so I could root my already sold BB priv and have some real use of the device.

Why are folks in general so afraid of root? It's not root causing the breach, it's the app that takes advantage of root, do I understand correctly? So even if you are "affected", just don't install anything that you don't trust, that's all.

pichlo 2016-08-09 07:58

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512071)
On a more-or-less standard Android device this attack might be rolled into a generic package that can take control of the device and either used to leak data or use it as a part of a botnet.

But that's exactly my point! You do not need to exploit any vulnerability or become root to do any of the things you mention.

I know that especially Linux users like to think in terms of root vs non-root and yes, root can cause a damage to the system, but the days when the system was the part worth protecting are gone by at least two decades. Wake up to the 21st century, people. The system is replaceable. The bits that need protecting are your user data. Those do not need a root access to be compromised.

Quote:

Originally Posted by juiceme (Post 1512071)
TLDR; probably you are safe in any case. If you do not install Alien Dalvik at all, you certainly are safe.

Again, my argument is that you are not safe. You might be safe from an overhyped threat of the week but you are totally unprotected against any potential malicious activity any native Sailfish application may want to do. (Case in hand: the flashlight app, the first Sailfish malware that sprung up just weeks after Sailfish was first released.)

juiceme 2016-08-09 09:24

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by pichlo (Post 1512077)
Quote:

Originally Posted by juiceme (Post 1512071)
On a more-or-less standard Android device this attack might be rolled into a generic package that can take control of the device and either used to leak data or use it as a part of a botnet.

But that's exactly my point! You do not need to exploit any vulnerability or become root to do any of the things you mention.

I know that especially Linux users like to think in terms of root vs non-root and yes, root can cause a damage to the system, but the days when the system was the part worth protecting are gone by at least two decades. Wake up to the 21st century, people. The system is replaceable. The bits that need protecting are your user data. Those do not need a root access to be compromised.

Actually, on an unrooted & uncompromised Android device you cannot do that much damage or leak personal information;

Case in point, something like a year ago a friend asked me to back up messages from her device. The phone was an unrooted older Samsung Galaxy model, and I had a really hard time breaking into the darn thing to gain access to the messages without wiping the device in the process. (when bootloader is unlocked it would wipe it, and have you ever tried rooting a device when bootloader is locked, hmm...)
Anyway, only signed and trusted applications can access the personal information storage which is root accessible only.


Quote:

Originally Posted by pichlo (Post 1512077)
Quote:

Originally Posted by juiceme (Post 1512071)
TLDR; probably you are safe in any case. If you do not install Alien Dalvik at all, you certainly are safe.

Again, my argument is that you are not safe. You might be safe from an overhyped threat of the week but you are totally unprotected against any potential malicious activity any native Sailfish application may want to do. (Case in hand: the flashlight app, the first Sailfish malware that sprung up just weeks after Sailfish was first released.)

On SFOS the thing is a bit different, all user private data is under the home directory and almost all of it is accessible with nemo user permissions. With a malicious application it is quite easy to mess up or exploit anything.
However you cannot (at least not easily) incorporate rootkit-like functionality into an application submitted to the Jolla Harbour as the needed library interfaces are not permitted in applications;
A rogue application might steal your data, but it cannot modify system so that it hides a backdoor and refuses to uninstall, for example.

All bets are off, of course when you install apps from other sources. That's why I have a simple rule for myself; only install what you yourself have built and check the projects for funny business before you do so.

pichlo 2016-08-09 10:13

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512084)
Actually, on an unrooted & uncompromised Android device you cannot do that much damage or leak personal information;

Really? Then why does virtually every single game my kids install on their tablets have "access to your contacts" on their permissions list?

It may not be easy for you, the user, to access your own data. But it is easy for anyone else. Go figure.

peterleinchen 2016-08-09 10:27

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512084)
...
Case in point, something like a year ago a friend asked me to back up messages from her device. The phone was an unrooted older Samsung Galaxy model, and I had a really hard time breaking into the darn thing to gain access to the messages without wiping the device in the process. (when bootloader is unlocked it would wipe it, and have you ever tried rooting a device when bootloader is locked, hmm...)

About this I would like to know more!

Quote:

Anyway, only signed and trusted applications can access the personal information storage which is root accessible only.
...
WUT? See pichlo's comment above/below.

juiceme 2016-08-09 11:33

Re: QuadRooter: New Android Vulnerabilities
 
Well, when you install an application it will tell you what privileges are required for it to run, right? I am not sure how the QC is set up at Google Play so is it possible to devise an application so that it utilizes a capability it does not advertise at install time.
If the device is fully locked down you can only install applications from the store that is installed to the device.

juiceme 2016-08-09 11:40

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by pichlo (Post 1512090)
Quote:

Originally Posted by juiceme (Post 1512084)
Actually, on an unrooted & uncompromised Android device you cannot do that much damage or leak personal information;

Really? Then why does virtually every single game my kids install on their tablets have "access to your contacts" on their permissions list?

Exactly as you say: have "access to your contacts" on their permissions list

The applications CAN get your data if it says so in their permission list.
It has been stated so many times it is a bad practice to have any random fartapp and flashlight to request full range of permissions but the only thing a user can do is to not install the application.

I'd imagine it is probably not worth for Google to enforce application developers to only request minimum permissions needed for the application to operate

pichlo 2016-08-09 13:11

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512104)
I'd imagine it is probably not worth for Google to enforce application developers to only request minimum permissions needed for the application to operate

Not if Google itself churns out applications requesting the full shebang of permissions without any obvious reason. I mean, I can understand that e.g. Maps might want to read your location. But why on earth would it need an access to your call history or camera? :confused:

Regarding the case being discussed, sorry if I did not express myself clearly enough. I am not saying that every user application can compromise your identity (well, it can on Sailfish, but not on Android). I am saying that users want to run this fartapp, play this game or whatever and so they grant it whatever permissions it asks. Then, once installed, the application can do whatever it pleases with your sensitive data.

How is QuadRooter different? It also needs you to install something. As you correctly point out, it could potentially grant itself permissions not advertised at the time of installation, BUT the point is, you still need to install it first. So the would be attacker needs to make it look attractive enough to lure the users into installing it. This is where the hard work is: making the app attractive. Not exploiting the vulnerability. If the app looks attractive enough, users will give it whatever permission it wants. They mostly treat the warning box as a nuisance that stands in the way anyway and just click it through. To that class of users (i.e. about 99% of them), QuadRooter poses no additional risk than what they expose themselves willingly every day already.

peterleinchen 2016-08-09 13:18

Re: QuadRooter: New Android Vulnerabilities
 
Not exactly but almost.

A must-have-fartapp claiming it needs only access to the 'noise system' may get all the access it wants with that exploit.

javispedro 2016-08-09 15:38

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512084)
However you cannot (at least not easily) incorporate rootkit-like functionality into an application submitted to the Jolla Harbour as the needed library interfaces are not permitted in applications

No, and 1000 times no. The "library whitelist" in the Jolla Store basically exists out of some (in my opinion, as discussed almost two years ago, misguided) concern about binary compatibility with future SailfishOS versions.

It does absolutely nothing regarding security.

I mean, just look at what most people do to escape the library whitelist: statically link to whatever library they feel like.



Security in Sailfish basically comes to the separation between 3 users: root, privileged, and nemo.
- Root is "I just bricked your device by accident" level
- Privileged is "I can email your address book to China" level.
- Nemo is "I can convert your phone into a major spam-sending operations center, wreak havoc in all your other running applications, including reading their data (since you can ptrace them), but at least you may not be able to easily read the stock Sailfish contacts database, and hopefully not brick the device".

Curiously enough it seems that all of this was done more to satisfy Exchange requirements than for security/privacy reasons.

Applications in the store are limited to the "nemo" level mostly because install scripts are forbidden (thus you cannot run stuff as root during install time, and therefore you cannot set the setuid bit on files).

This protection is not extended to random .rpm files. Those immediately get to the "root" level already during install time.

I have no idea how much sandboxing is done in AlienDalvik (it is proprietary) but my wild guess is also "none".
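An added example, not part of the post above and not Jolla's or the store's own tooling: a pre-install check for a sideloaded .rpm that reports the two things the post names, install scriptlets and setuid/setgid files. The package name `harbour-demo` and both sample texts are constructed; on a real device the text would come from the `rpm` queries shown in the comments.

```python
import re

# Constructed sample, in the shape printed by: rpm -qp --scripts pkg.rpm
SAMPLE_SCRIPTS = """\
preinstall scriptlet (using /bin/sh):
echo preparing
postinstall scriptlet (using /bin/sh):
chown root:root /usr/share/harbour-demo/helper
chmod 4755 /usr/share/harbour-demo/helper
postuninstall program: /sbin/ldconfig
"""

# Constructed sample, in the shape printed by:
#   rpm -qp --qf '[%{FILEMODES:perms} %{FILEUSERNAME} %{FILENAMES}\n]' pkg.rpm
SAMPLE_FILES = """\
-rwxr-xr-x root /usr/bin/harbour-demo
-rwsr-xr-x root /usr/share/harbour-demo/helper
-rw-r--r-- root /usr/share/applications/harbour-demo.desktop
-rwxr-sr-x root /usr/share/harbour-demo/grouptool
"""

# Header lines rpm prints before each scriptlet body or single-program hook.
SCRIPTLET_RE = re.compile(
    r"^(\w+) (?:scriptlet \(using [^)]+\)|program):", re.MULTILINE)


def find_scriptlets(scripts_text):
    """Names of install-time hooks; rpm runs these as root."""
    return SCRIPTLET_RE.findall(scripts_text)


def find_setid_files(files_text):
    """(path, owner, kind) for regular files carrying setuid/setgid bits."""
    findings = []
    for line in files_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        perms, owner, path = parts
        if len(perms) != 10 or perms[0] != "-":
            continue  # only regular files matter here
        kinds = []
        if perms[3] in "sS":   # owner-execute slot holds the setuid flag
            kinds.append("setuid")
        if perms[6] in "sS":   # group-execute slot holds the setgid flag
            kinds.append("setgid")
        if kinds:
            findings.append((path, owner, "+".join(kinds)))
    return findings


def audit(scripts_text, files_text):
    """Summarise what a package would get to do at the 'root' level."""
    scriptlets = find_scriptlets(scripts_text)
    setid = find_setid_files(files_text)
    return {
        "scriptlets": scriptlets,
        "setid_files": setid,
        "root_code_at_install": bool(scriptlets),
        "setuid_root": [p for p, owner, kind in setid
                        if owner == "root" and "setuid" in kind],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SCRIPTS, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

A package with an empty scriptlet list and no setuid-root files stays at the "nemo" level described above; anything else deserves a read of the scriptlet bodies before installing.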

javispedro 2016-08-09 18:18

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by pichlo (Post 1512077)
I know that especially Linux users like to think in terms of root vs non-root and yes, root can cause a damage to the system, but the days when the system was the part worth protecting are gone by at least two decades. Wake up to the 21st century, people. The system is replaceable. The bits that need protecting are your user data. Those do not need a root access to be compromised.

Sorry but also wrong.


There's still a _huge_ difference between "oh, perhaps this thing deleted all my documents" and "oh, perhaps this thing deleted all my documents, corrupted my word processor so as to silently capture all my future keystrokes and insert random typos and/or menacing insults, backdoor every other program, insert a non-removable piece of itself on my firmware, which will corrupt every future backup disk I insert on my computer while trying to restore my documents (worse: do it silently), propagate itself through my cloud backup systems (if I have any) to my other computers, corrupt any type of version history-like backup system (e.g. time machine) that would have allowed me to undo the actions of the malware, etc. etc. long etc.".

Things have not changed that much in the 21st century. Not in this area. It is one thing when malware/an accident can destroy your documents. It is another thing when malware/an accident can destroy your documents, anyone else's, and the operator's backups.

Dave999 2016-08-09 18:44

Re: QuadRooter: New Android Vulnerabilities
 
So much wrong here...

Can we do anything to protect device other than not using jolla or android?

juiceme 2016-08-09 18:55

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by Dave999 (Post 1512155)
So much wrong here...

Can we do anything to protect device other than not using jolla or android?

How is this related to "not using jolla or android"?
Or to any other system, maybe "not using iOS" also?

There is a simple rule that you should follow. Really simple, and it works perfectly; Just-Do-Not-Install-Crap-On-Your-Device.

Dave999 2016-08-09 19:00

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512159)
How is this related to "not using jolla or android"?
Or to any other system, maybe "not using iOS" also?

There is a simple rule that you should follow. Really simple, and it works perfectly; Just-Do-Not-Install-Crap-On-Your-Device.

Yes. We need a crapless device!

MartinK 2016-08-09 20:24

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by javispedro (Post 1512131)
No, and 1000 times no. The "library whitelist" in the Jolla Store basically exists out of some (in my opinion, as discussed almost two years ago, misguided) concern about binary compatibility with future SailfishOS versions.

It does absolutely nothing regarding security.

I mean, just look at what most people do to escape the library whitelist: statically link to whatever library they feel like.

Yeah - it basically comes down to accepting random binaries from random people, which is really not a good idea unless you have a very good sandboxing.

And good sandboxing that does not reduce all applications to toys due to blocking critical functionality is hard...

That's why most "normal" Linux distros accept software to their repositories in a source form only & require it to be built on the distro managed infrastructure. While this is also not foolproof (you would have to read & audit the complete source code of all the software you accept to be 100% sure), it's still much better than accepting random binaries.

Quote:

Originally Posted by javispedro (Post 1512131)
I have no idea how much sandboxing is done in AlienDalvik (it is proprietary) but my wild guess is also "none".

I would kinda assume it at least does the standard Android sandboxing (running apps separately, each under its own user, etc.). On the other hand it is indeed proprietary, so all bets are off - they might as well have left it out to make the emulation easier/faster etc. And we have no way (well, no easy way) of checking for that.

ibrakalifa 2016-08-10 01:12

Re: QuadRooter: New Android Vulnerabilities
 
use N3315 and your data safe, your contacts safe, win win solution.

gerbick 2016-08-10 02:18

Re: QuadRooter: New Android Vulnerabilities
 
I've halfway been expecting chipset exploits for quite a while. Exciting times we live in...

humble 2016-08-10 03:21

Re: QuadRooter: New Android Vulnerabilities
 
not a big issue... you can patch all the vulnerabilities... there's an app that lets you know if your kernel is vulnerable http://blog.checkpoint.com/2016/08/07/quadrooter/ for android... same link from first post.

next... only owners with ancient OSes will be really affected... too bad.

nthn 2016-08-10 07:37

Re: QuadRooter: New Android Vulnerabilities
 
The problem is 90% of Android devices in use are running exactly those ancient versions of the OS.

humble 2016-08-11 14:26

Re: QuadRooter: New Android Vulnerabilities
 
seems like it gives our community "every Unix based OS" something to do... I know there's a few kernel devs out there... that wouldn't mind patching and releasing the security fixed kernel(s)... shoot even I wouldn't...


All times are GMT.