Fairphone patch for the Stagefright vulnerability

I just read this worrying article on Ars Technica about a dangerous vulnerability in the Stagefright library and wonder if/when Fairphone will patch this serious Android vulnerability.

EDIT by moderator:
The answer is found here.

3 Likes

This “mother of Android Vulnerabilities” found by Joshua Drake appears really worrying. He announces full disclosure at the Black Hat conference. By then there should be a patch! There must be! It seems an Android phone can be hijacked without its owner noticing because the damaging MMS can delete itself after having installed its code. What can be more serious?

But you can disable the automatic download of MMS messages, so you can prevent your phone from downloading all MMS by default, see here:
https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html

For the Fairphone you can find this configuration in the SMS/MMS App:

For German phone language:
SMS/MMS App -> Einstellungen -> Multimedia-Mitteilung (MMS) -> Automatisch abrufen -> uncheck all boxes!
and
SMS/MMS App -> Einstellungen -> Multimedia-Mitteilung (MMS) -> Autom. Roaming-Abruf -> uncheck all boxes!

For English phone language:
Messaging App -> Settings -> Multimedia Message (MMS) -> Auto-retrieve -> Disable all!
and
Messaging App -> Settings -> Multimedia Message (MMS) -> Roaming auto-retrieve -> Disable all!

I don’t know how many people are using MMS, but I don’t use this messaging service anymore. So this should be a good protection, but the bug has to be fixed!

7 Likes

If it’s that easy, why don’t I see this solution mentioned elsewhere? I’ve read about this bug on several tech sites but none of them say anything about a workaround.

Edit: Ah, Ars mentioned it. But as they point out this merely eliminates MMS as a vector.

2 Likes

Hi all,

I am asking the software team about the situation on this vulnerability. It’s summer holiday time, so some team members are away, but I hope to get an answer for you soon.

Best,
Joe

3 Likes

How do you expect that to happen when there are zero details available (to maximize the hype)?

Turning off MMS auto-retrieval is probably fine for now, at least to protect against the vulnerability being triggered automatically, but who knows. It could be worse or it could be nothing but hype.

1 Like

Isn’t it common practice for someone finding security issues to contact the project first and leave them some time to prepare patches before going public? The latter being a way of “forcing” the project to act if it wants to ignore the problem?

Google has been informed and “confirmed the patches were accepted and would be included in a future release”

MMS and their automatic download is only one vector to exploit that vulnerability on Android phones.

Not really.
It improves security, but since “the weaknesses resides in Stagefright, a media playback tool in Android” MMS is only one possible way to bring malicious image-files onto an Android device. It could also happen through e-mail, surfing the web, or displaying images in an app (especially such with user-content like social-media apps).

Someone at Slashdot suggested inserting

media.stagefright.enable-player=false

into build.prop. At xda-developers, they even posted

media.stagefright.enable-player=false
media.stagefright.enable-meta=false
media.stagefright.enable-scan=false
media.stagefright.enable-http=false
media.stagefright.enable-rtsp=false
media.stagefright.enable-record=false

If that works, it should help for all apps.

1 Like
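
A read-only check for the build.prop suggestion above, as an added example that is not part of the original posts: it reports which of the six properties quoted in the thread are not set to false in a copy of build.prop. The sample file is constructed, and last-assignment-wins parsing with whitespace trimming is an assumption; the check says nothing about whether these properties actually mitigate the bug.

```shell
#!/bin/sh
# Added example: read-only audit of a build.prop copy for the six
# media.stagefright.* switches quoted in the thread. Changes nothing.

STAGEFRIGHT_PROPS="media.stagefright.enable-player
media.stagefright.enable-meta
media.stagefright.enable-scan
media.stagefright.enable-http
media.stagefright.enable-rtsp
media.stagefright.enable-record"

# Constructed sample build.prop (not taken from a real device).
sample_build_prop() {
    cat <<'EOF'
# constructed sample
ro.build.version.release=4.2.2
media.stagefright.enable-player=true
media.stagefright.enable-player=false
 media.stagefright.enable-meta = false
#media.stagefright.enable-scan=false
media.stagefright.enable-http=true
EOF
}

# Print the effective value of property $2 in file $1 (empty if unset).
# Assumption: for non-"ro." keys the last assignment in the file wins.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # comment line
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)    # trim key
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)    # trim value
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# List each property from the thread that is not explicitly "false",
# as "<property>=<value or UNSET>", one per line.
audit_build_prop() {
    for p in $STAGEFRIGHT_PROPS; do
        v=$(prop_value "$1" "$p")
        [ "$v" = "false" ] || echo "$p=${v:-UNSET}"
    done
}

# Usage: sh audit.sh /path/to/build.prop
if [ -n "${1:-}" ]; then audit_build_prop "$1"; fi
```

An empty result means all six properties are explicitly false in the file that was checked.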

that’s what the rest of the sentence you half-quoted was for. oh well

Stagefright shouldn’t have anything to do with the processing of images, just with video and audio. Of course, if you have other apps besides the stock messaging app that do processing (downloading is not enough) of untrusted video / audio content automatically and without user interaction, you might want to take care of that, too…

Hi,

just a quick note that we are aware of the problem and are working on a fix. This most likely will result in a new software update. We have to balance the current known risk with the possibility that more information gets known after the Black Hat presentation and we do want to prevent having to force our users to update twice. In short, we are working on a fix but do not know yet when we will release it.

7 Likes

FYI: A new Android Media Server vulnerability was made public, from which FP1[U] owners are safe because only Android versions 4.3 and newer are affected.

Some “toggle” app that would just do this (switching that property to false) would be welcome… But I’m not sure it’s easy to do, since the system is read-only by default.
In the meanwhile I adjusted the Autodownload feature following Kephson’s method.

There’s a build.prop Editor in the Google Play Store. Quote: “Root and busybox are required for this app to work correctly” - Yeah, we do have that…

That said, I have yet to see confirmation that these settings mitigate the StageFright issue. But it sure looks like it.

So it looks like we’ll be getting a fix for this. You know, I love that little fact because it shows that despite being stuck to Android 4.2, FP1 owners are still better off than people who have “A-brand” phones that are stuck on 4.2 as well (or even 4.3 and 4.4)

3 Likes

Although I loathe the fact that we will be stuck on 4.2 my main concern was indeed about security. So this sounds promising indeed!

1 Like

See the disclosure timeline at the end of this post from Trend Micro http://blog.trendmicro.com/trendlabs-security-intelligence/mms-not-the-only-attack-vector-for-stagefright/

I understand all image processing is compromised, also stuff you receive via WhatsApp or similar applications. You can turn off auto-download in WhatsApp as well though (settings -> chat settings -> media auto-download -> set everything to “no media”)

A fix via the software update should really be supplied by the Fairphone team as not all users will act on their own.

This update should happen sooner rather than later, as browser and MMS are affected by this bug and turning off active MMS fetching only reduces the risk slightly, as a malicious MMS can still be fetched by a naive user.

@anon90052001: Your update is 8 days old. Please keep the community updated. We depend on you and cannot act on our own behalf, as the source code of your OS is still not (and as far as I know never will be) really open.