Fairphone patch for the Stagefright vulnerability

I just read this worrying article on ars technica about a dangerous vulnerability in the stagefright library and wonder if/when Fairphone will patch this serious Android vulnerability.

EDIT by moderator:
The answer is found here.

3 Likes

This “mother of Android Vulnerabilities” found by Joshua Drake appears really worrying. He announces full disclosure at the Black Hat conference. By then there should be a patch! There must be! It seems an android phone can be highjacked without its owner noticing because the damaging MMS can delete itself after having installed its code. What can be more serious?

But you can disable the automatic download of MMS messages, so you can prevent your phone to not download all MMS by default, see here:
https://www.twilio.com/blog/2015/07/how-to-protect-your-android-device-from-stagefright-exploit.html

For the Fairphone you can find this configuration in the SMS/MMS App:

For German phone language:
SMS/MMS App -> Einstellungen -> Multimedia-Mitteilung (MMS) -> Automatisch abrufen -> alle Haken raus!
and
SMS/MMS App ->
Einstellungen -> Multimedia-Mitteilung (MMS) -> Autom. Roaming-Abruf -> alle Haken raus!

For English phone language:
Messaging App -> Settings -> Multimedia Message (MMS) -> Auto-retrieve -> Disable all!
and
Messaging App -> Settings -> Multimedia Message (MMS) -> Roaming auto-retrieve -> Disable all!

I don’t know how many people are using MMS, but I don’t use this messaging service anymore. So this should be a good protection, but the bug have to be fixed!

7 Likes

If it’s that easy, why don’t I see this solution mentioned elsewhere? I’ve read about this bug on several tech sites but none of them say anything about a workaround.

Edit: Ah, Ars mentioned it. But as they point out this merely eliminates MMS as a vector.

2 Likes

Hi all,

I am asking the software team about the situation on this vulnerability. It’s summer holiday time, so some team members are away, but I hope to get an answer for you soon.

Best,
Joe

3 Likes

How do you expect that to happen when there are zero details available (to maximize the hype)?

Turning off MMS auto-retrieval is probably fine for now, at least to protect against the vulnerability being triggered automatically, but who knows. It could be worse or it could be nothing but hype.

1 Like

Isn’t it common practice for someone finding security issues to contact the project first and leave them some time to prepare patches before going public? The latter being a way to “forcing” the project to act if it wants to ignore the problem?

Google has been informed and confirmed the patches were accepted and would be included in a future release

MMS and their automatic download is only one vector to exploit that vulnerability on android phones.

Not really.
It improves security, but since “the weaknesses resides in Stagefright, a media playback tool in Android” MMS is only one possible way to bring malicious image-files onto a Android device. It could also happen through e-mail, surfing the web, or displaying images in an app (especially such with user-content like social-media apps).

Someone at SlashDot suggested inserting

media.stagefright.enable-player=false

into build.prop. At xda-developers, they even posted

media.stagefright.enable-player=false
media.stagefright.enable-meta=false
media.stagefright.enable-scan=false
media.stagefright.enable-http=false
media.stagefright.enable-rtsp=false
media.stagefright.enable-record=false

If that works, it should help for all apps.

1 Like

that’s what the rest of the sentence you half-quoted was for. oh well

Stagefright shouldn’t have anything to do with the processing of images, just with video and audio. Of course, if you have other apps besides the stock messaging app that do processing (downloading is not enough) of untrusted video / audio content automatically and without user interaction, you might want to take care of that, too…

Hi,

just a quick note that we are aware of the problem and are working on a fix. This most likely will result in a new software update. We have to balance the current known risk with the possibility that more information gets known after the Black Hat presentation and we do want to prevent having to force our users to update twice. For short we are working on a fix but do not know yet when we will release it.

7 Likes

FYI: A new Android Media Server vulnerability was made public of which FP1[U] owners are safe because only Android version 4.3 and newer are affected.

Some “toggle” app that would just do this (switching that property to false) would be welcome… But I’m not sure it’s easy to do, since the system is read-only by default.
In the meanwhile I adjusted the Autodownload feature following Kephson’s method.

There’s a build.prop Editor in the Google Play Store. Quote: “Root and busybox are required for this app to work correctly” - Yeah, we do have that…

That said, I have yet to see confirmation that these setting mitigate the StageFright issue. But it sure looks like it.

So it looks like we’ll be getting a fix for this. You know, I love that little fact because it shows that despite being stuck to Android 4.2, FP1 owners are still better off than people who have “A-brand” phones that are stuck on 4.2 as well (or even 4.3 and 4.4)

3 Likes

Although I loathe the fact that we will be stuck on 4.2 my main concern was indeed about security. So this sounds promising indeed!

1 Like

See the disclosure timeline at the end of this post from Trend Micro http://blog.trendmicro.com/trendlabs-security-intelligence/mms-not-the-only-attack-vector-for-stagefright/

I understand all image processing is compromised, also stuff you receive via WhatsApp or similar applications. You can turn off auto-download in WhatsApp as well though (settings -> chat settings -> media auto-download -> set everything to “no media”)

A fix via the software update should really be supplied by the fairphone team as not all users will act on their own.

This update should happen better sooner than later, as browser and MMS are affected from this bug and turning off active MMS fetching does only reduce the risk slightly, as malicious MMS can still be fetched by a naive user.

@anon90052001: Your update is 8 days old: Please keep the community updated. We depend on you and can not act on our own behalf, as the source code of your OS is still (and as far as I know) never will be, really open.