Analysts at ISE have identified and exploited a security vulnerability in the Android operating system allowing a remote adversary to gain control on the device with the same permissions as the web browser application. A successful attacker will have access to information such as cookies used for accessing sites, information put into web application form fields, and saved passwords, and can alter the way in which the browser works, potentially tricking the user into entering sensitive information.
UPDATE: A story in the New York Times about this work is available here.
Charlie Miller, Mark Daniel, and Jake Honoroff of Independent Security Evaluators identified and exploited a security vulnerability in the Android operating system. The Android operating system, developed by Google, is open source and has many rich features specifically designed for cellular phones, such as web browsing, camera, GPS, and accelerometer control. The first commercial phone with the Android operating system, the T-Mobile G1 by HTC, is available as of October 22, 2008. These phones will currently ship with the vulnerability present and may pose a security risk to their users until an update becomes available.
Android is based on over 80 different open source packages. The vulnerability is due to the fact Google did not use the most up to date versions of all these packages. In other words, this particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version. So as not to inform the "bad guys", we will not release any further information on the particular vulnerability or software package until a fix is available.
A user of an Android phone who uses the web browser to surf the internet may be exploited if they visit a malicious page. Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the web browser application. We have a very reliable exploit for this issue for demonstration purposes. This exploit will not be released until a fix is available.
The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly. This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised. For more information on the security of the iPhone, visit ISE's site describing the first exploit of an iPhone security vulnerability here.
Working with Google
Google was notified of this issue on October 20th, 2008. We are working with them to try to get a fix as quickly as possible.
We can be reached by phone at 443-270-2296.