Will Verizon release a patch for the recently announced vulnerability of Android phones to hacking via text?
http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-wit…
That's only for the open source section, none of the proprietary stuff, like Sense, TouchWiz, etc. The RIL/HAL/Kernel are open source, but the code has to be accepted to ensure it doesn't break what manufacturers add.
Manufacturers have a fix, and Google has a fix. Google hasn't even patched their own Nexus devices other than the Play Nexus 6.
If you want to protect yourself for now until the fix comes, turn off Auto-retrieve for MMS. Your phone can't process what isn't downloaded.
Bump. And add this question: What is Verizon's official response to the exploit called 'stagefright'? Is there a workaround like many people are reporting (stop using Hangouts, turn off auto-retrieve of MMS)?
There is a lot of FUD out there on many Internet forums caused by the announcement of an exploit that has been acknowledged by the vendor (Google) with no mention of a workaround. Only that the patches have been created by the vendor.
-derry
+1
I habitually disable auto-retrieval of MMS, however I am very much considering not renewing with Verizon due to concerns over the speed of security updates. Considering today's technology, the concept of just upgrading devices over a few months old isn't going to combat the development of these security breaches. I would like to know if there is any official acknowledgement by Verizon and plans for how to roll out security updates for this issue and others, and there will be others without a doubt.
Further review of the issues; Stagefright Android Bug: 'Heartbleed for Mobile' But Harder To Patch (link)
Verizon what is your plan to fix this bug? This will not just go away if you ignore it. "Your security is important to us" is your tag line when we sign-in. This is day one and counting, when will you have a fix?
Google already made the fix and gave it to vendors. They now have to implement the fix and such. Unlike popular belief, carriers don't touch code like the media spits out.
HTC is already on record that their next update will have it. No other vendor made a comment on it. T-Mobile officially stated it's up to the vendors to fix the exploit with their devices.
from the link provided in the OP
Wireless Carriers
T-Mobile: "These kinds of security fixes are usually released by our third-party device partners, so we're working with them to ensure those security updates have been deployed." Also, the company says, "You may wish to contact the device manufacturers directly, as they can tell you more about their specific plans for these security update releases."
Bump again. There should be a way to mark this sticky to keep it at the top of the topics list. I think this warrants full attention to the community.
To people saying 'have to wait on the vendor': this is understandable but not what I'm asking for. I'd rather have a patch but I'm looking for an official statement from Verizon saying that 1.) they are working with the vendors x, y, and z to make a patch available. 2.) In the meantime we have a way to work around the issue and better protect yourself. Similar to the T-Mobile statement. I don't think this is asking too much. No statement just adds to the uncertainty of the situation and will lead to distrust of the company.
Also, it's disingenuous to say 'carriers don't touch the code'. Technically they don't touch the base code but they have a say on the software package being released. Otherwise I wouldn't get crapware on phones I've rented purchased through the carrier. VZ Navigator, VZ Protect didn't show up on a phone because I installed them. If they want to get a patch out quickly it can happen.
Thanks
Derry
http://m.androidcentral.com/stagefright-exploit-what-you-need-know
+1 for Derry's interpretation of the Carrier/Manufacturer relationship. Understanding that this applies to all of the carriers where they have problems with providing releases. Verizon tends to drag its feet the most to "do proper testing."
Has anyone seen any public acknowledgement by Verizon that this problem exists?
This looks like the issue has been in play since at least April and is just now hitting the news, so I assume Google kept it under wraps until they had the patch. I've been trying to watch the forums and the news outlets, and Verizon to catch any sign of an official acknowledgement, much less a plan for resolution; by code or by a manual work-around like disabling Hangouts or blocking unknown MMS messages.
I get that coding isn't magical and instant, but this is a serious issue that may allow someone to gain a foothold on my home network (or any work networks out there that people have connected their phones to). Unless I've misread the situation, the keys to the kingdom are kind of a big deal.
Following!
This is the very reason why I have stepped away from ever owning an Android device. Google has created a very broken update cycle that they refuse to correct with their OS. The sad thing is Google seems to feel as if they have been able to wash their hands of this just because they have released a patch. Well I am glad for that ... but how about step up and demand that all manufacturers/carriers release this major patch. Oh well...best of luck to you all!
No, they do not touch code. Multiple manufacturers since 3 years ago have said they get the packages and such from the carriers in ADVANCE and the manufacturers put them in. Manufacturers charge for features and give options to carriers to opt in or out. The only code, if any, a carrier will touch would be the RIL and kernel because that needs carrier info for connectivity, which also needs the manufacturer's approval.
Europeans understand this, and yes, they go through everything we go through and they get better support. That's some food for thought.
Why does the debate always come up about if the carriers do or do not manipulate any code? I do not understand why some have to always argue this....who cares if they do or do not? It seems that getting the fix in a timely manner is the only important factor here. Oh well I guess some like to argue for the sake of arguing.
The reason is the false information being spread. It has to be corrected.
The only manufacturer to say they have a fix and will be pushing out the next update is HTC. No other manufacturer has said a word.
T-Mobile already pointed out it's up to the manufacturers, so bring it up with them. Verizon stays quiet until the updates are ready to push. Now if you think Verizon isn't going to let manufacturers push out fixes for their own devices, I bring up Heartbleed. They said nothing and updates were pushed by all manufacturers under the security fixes.
This very well may be a manufacturer update, but I don't think anyone on here really cares who codes the update. Heck, if it came from a Keebler elf, I don't think anyone would care. All anyone cares about is that it is released in a timely manner and that it works....everything else really does not matter. Also, carriers do have some abilities to make code changes, but as you stated they have to have permission from the manufacturer of the change.
Here's some more info. Some of it is piggybacking the 1st link I posted. Some of it isn't.
Stagefright: It Only Takes One Text To Hack 950 Million Android Phones
Hello, my name is Jacquette. I’m happy to assist you with your question regarding your device.
How can I help you today?
person: when do you expect to release a patch for the stagefright vulnerability described here:
person: http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/
Jacquette: That's a wonderful question, and I can most certainly take a look to see if anything about this issue or a fix is being reported at this time.
Jacquette: Allow me just a moment please to review.
Jacquette: Thanks so much for holding! From that article, I wasn't able to see that this issue is directly impacting Verizon Wireless customers, but I totally understand your concerns. Something that you may be able to do in order to prevent malicious activity on your phone would be to install an Anti-Virus application
Right, and that's what I said, technically they don't touch the code. But they have a big say in the release of the code and what goes into a release package.
I agree. I'd just like a statement from Verizon to know what is going on. Oh well, I guess it's Lollipop all over again.
Ugh, that's disheartening. Sounds like the customers know more about what's going on with the issue than Verizon.
+1 -- need fix for Samsung Galaxy S4.
Actually they don't when it comes to the security aspect of the device. With Heartbleed, for example, HTC pushed those out without carrier interference. Much like the Samsung keyboard exploit, they pushed out the fix through their push services, which also updated their Knox security. No carrier is going to be held liable for an exploitation because they blocked the update from happening. Some food for thought.
Is the vulnerability related to the default message app that comes with the phone, either S4 or S5? If so, can the default message app be disabled and replaced with a safer app?
No... It's the OS level. Doesn't matter what message app you use. There is no safe app. What you can do is just disable Auto-retrieve and wait for the manufacturer (in your case Samsung) to issue a fix.
Latest news:
Google promises to fix Nexus devices starting next week.
CyanogenMod has already started issuing patches
Motorola forums has this information. Some devices have been patched with Lollipop updates.
HTC began rolling into projects in early July. All projects going forward contain the required fix. Per NPR.
Samsung: "Google notified us about the issue, and we are working to roll out the software update as soon as possible." Also from NPR.
T-Mobile: "These kinds of security fixes are usually released by our third-party device partners, so we're working with them to ensure those security updates have been deployed."
Also from NPR.
A point of emphasis is that this is not a Messages/Hangouts/MMS bug. Turn off auto retrieval of MMS messages in your texting application. Tidbits has provided instructions in this thread on how to disable this feature.
Additional information to come out at next month's Black Hat security conference in Las Vegas, where he's scheduled to deliver a talk titled Stagefright: Scary Code in the Heart of Android.
-D
Also, don't retrieve messages from texts that you don't know who they came from. Practice safe texting and delete the message if you don't know the sender.
Latest information I received from Verizon Tech Support via a chat session: In Settings, go to Sound and Notification, select Application Notifications, then in each Messaging app, select Block Notifications. This should, repeat SHOULD prevent messages exploiting the Stagefright vulnerability from auto-opening when they hit your phone and launching an attack. You will still get messages, but will have to check the app periodically for new ones and manually open each one. Inconvenient but not terrible.
Already did this to my phones. Hope it works.
That makes sense. Sounds close to the nuclear option (I suppose uninstalling all SMS apps would be nuclear); SMS is an important app for many people. Any word on a patch? I don't see everyone taking this step, at least for very long. Some of my family members live by SMS.
Actually that doesn't. It will autodownload and as soon as you open that specific application it will still autorun. Your best bet is to turn off auto-retrieve so nothing is downloaded unless the user purposefully taps on that download button.
I just spoke to Tech Support and the line was that they are definitely working on something, but they do not have an ETA and that any updates will be on the Verizon Wireless front page as soon as they are ready.
I also submitted an official Network Security Incident which included a half dozen links to sites with information about the vulnerabilities.
Are we discussing the Galaxy 6 Edge vulnerability announced in the beginning of July, or a deeper can of worms affecting all Androids?
As others have said, what they told you is incorrect. Disabling notifications will not disable the background processing that actually allows the exploit.
You need to disable auto-retrieval of MMS messages so that you have to manually click that Download button.
You are still vulnerable, but only if you manually download the message. No more magic hacks without you even knowing you received the message that hacked you.
I hope they stop giving out that advice as it provides a false sense of security.
If you disable notification you still get background processing WHEN you open the message. By having auto-retrieve off it allows user error when getting rid of messages you don't know where they are from.
How do you turn off auto-retrieve?
I think it's a different issue. This came out on Monday and has to do with an exploit of sending a video sms and taking control of the Android phone.
Check out the links in this post.
That's what I got, too. Verizon customer service is useless.
Surprised that the Verizon site does not mention the vulnerability. Also awaiting patch.
Why would Verizon announce the vulnerability that is within the programming of the phones? Google announced it because it was Google's code that is vulnerable.
It has been stated here before that Verizon does not code the phones, they provide wireless service. The manufacturers have the fix right now and when they are done with it they will release it to the carriers to get put on the phones.
Google announced it, but the carriers have to 'push' the patch to its customers, which costs them. They haven't offered it to their customers, and whenever I talk to Verizon, they are either acting dumb and just stick to their new-speak talking points, or they actually ARE pretty obtuse.
The group that discovered the StageFright bug are publishing the code in the next couple of days and I'd like to understand what Verizon is going to do to protect its users, especially since they don't seem to want to upgrade the firmware for phones that are older (2 years?)... I have a Note2 and still on 4.4 although 5 has been out for well over a year.
Actually there were cases where the vendor was allowed to bypass the carrier for a security patch. Thanks to Tidbits for this info. But most customers, myself included, will come to Verizon because they are who I do business with for my cellular service. In my case it's up to Motorola to grab the 'bits' of code from Google, test it against their devices, and provide the necessary patches. Verizon then can either do the push to devices on their network or allow the vendor to provide the patch directly to the customer. I'm not sure exactly how the last part works though since I've never had this happen to one of my devices.
I am also very concerned about this. If not patched in a very timely manner, I feel I would have no choice but to abandon my preferred Android device and switch to iPhone. If Verizon and other carriers do not get with the program and start updating Android devices in a timely manner, it's going to cost them an AWFUL lot of money when millions of people stop buying Android phones...
Carriers make money off their services... If people don't want Android devices they'll get other devices. People will pay the same regardless of what carrier they are with. The only way carriers will lose any real money is if people stopped getting cell phone services, which people are so self reliant and caught up on the conveniences they'll never do it.
This is not a carrier problem but an operating system problem, which means it should be in Google's Android's hands to get this fixed. This is no different than anything else out there if you do not use virus protection on your gadgets to keep them running bug free. This is nothing different than emails that have viruses; now it is being pushed out to text messages, and why, you ask? Because they are almost the same thing as an email. So this is no surprise and does not bother me. For one, I do not download attachments in emails or in MMS messages in order for them to infect my phone or computer. Just use some sense and do not open things you do not know what is or who they are from. That will prevent any infection on your phone or computer. And virus protection will also help in case you do make that mistake. Come on people, this is not news. I thought about this three years ago and thought it could be done. But I am not a hacker and do not make or spread viruses as that is nothing but bad news. Anyone with a computer should have known this was coming. Operating system developers have got to get better with their software.
I believe carriers get higher profit margins, still, on Android phones versus iPhone, so they would still make money if people switch but possibly less. My point is that the prevailing sentiment is that carriers drag their feet on releasing updates because they view doing so as costly/unprofitable. If they stop making as much money on their phones, though, because people get upset or don't want to leave themselves vulnerable to this type of thing and switch to iPhone or something else the carriers have less control of, maybe the carriers will realize it's not profitable to neglect their customers. I really prefer Android but not if it leaves me open to this easy and serious an attack. I've turned off auto download of MMS messages for now, but that's an annoying and dubious long term solution.
Never confirmed so treat it as hearsay. Like I said it isn't up to the carriers when it comes to security updates. EVERY security update that was needed outside the scope of an OS update has ALWAYS been handed out by the manufacturer. Show me one critical flaw that a carrier got involved and stopped the update from happening when the manufacturer wanted to push it out. Like I said before carriers DO NOT want to be held liable for anything because they withheld a patch for a critical flaw.
I'm also waiting for a fix from Verizon. Fixes to critical vulnerabilities like this should be released by Verizon as soon as possible after they are released.
My Verizon S5 received a security update 8/10/15. I had to initiate the download, it was not automatic. The update is believed, according to some cell forums, to address the phone's vulnerability to text hack.
BUMP again. Where's the answer, Verizon? Take time out from counting all your money and answer your customers.
mmmmkay?
Maybe I missed it, but I've only seen the single VZW response by ArnettH_VZW, which seemed more like a bot answer that wasn't following the basic reason for the post thread. LG's "Monthly Updates" commitment seems to have fallen down. My phone is still vulnerable to Stagefright as we close on two months from the announcement.
All that feet dragging that Verizon does to "Test the updates to make sure I get the best service possible." has really not paid off. It may not be specific to VZW, but I'm sorely tired by the constant reminder that I can either pick up a brand new phone every few months or the manufacturers and carriers really could not care less about me.
If it takes this long to deal with these issues after the code patch has been released, LG and Verizon have proven that I need to do everything *I* can to avoid their "Value Add" of bloatware, delayed security fixes, and a lot of finger pointing.
Thank you Verizon for not only leaving me out in the cold, but not even providing me information to help protect me.
I just updated my S6 with G920VVRU4BOG7 today (Sep 29) and three different detectors still say it's there.
Zimperium's Stagefright Detector tells which ones are there and which are cleared. It shows CVE-2015-3864 is still in the red as vulnerable.
Please, Verizon - please send the fix for this!