Breaking Android Episode 16: News and Views

BreakingModern – Welcome to episode 16 of Breaking Android. I’m your host, Mat Lee. Today on the show, I cover Microsoft’s tossing some cash in the CyanogenMod, Inc. hat and a W-Fi Direct bug that could allow remote attackers to hack your device. Plus, I explain why the FTC fined TracFone to the tune of $40 million. Check out our Android news show and find detailed show notes below the fold.

First up, the Wall Street Journal is reporting that Microsoft is going to throw some cash flow in for the latest round of equity financing that values Cyanogen in the high hundreds of millions of dollars. I thought this was kind of odd at first, but considering what Cyanogen CEO Kirt McMaster said at The Information’s “Next Phase of Android” event, it makes a little more sense.

McMaster introduced himself at the event by saying, “I’m the CEO of Cyanogen. We’re attempting to take Android away from Google.”

When asked to be a little more specific, McMaster explained that Cyanogen wants to provide a version of Android that is open down to its core, that partners can use to build highly integrated services, in a way that is not possible right now with Google’s Android.

“We’re making a version of Android that is more open so we can integrate with more partners so their services can be tier one services, so startups working on [artificial intelligence] or other problems don’t get stuck having you have to launch a stupid little application that inevitably gets acquired by Google or Apple. These companies can thrive on non-Google Android.”

Personally, this feels like we just leapt five feet closer to the singularity device. A dual boot Cyanogen Android/Windows Phone monster. If you happen to actually see one of these beasts in the wild, make sure to put it out of our misery.

Next up, remember Wi-Fi Direct? ZDnet is reporting that a bug in Wi-fi Direct allows a remote attacker to reboot your phone. Some sites are calling this a remotely exploitable Denial of Service vulnerability. Personally it reminds me of the old windows 98 con/con blue screen command. Good times, good times.

If you don’t know, Wi-Fi Direct is a standard that allows wireless devices to connect directly to each other. Networking, minus the network. Once connected, you can share stuff at near Wi-Fi speeds, and communicate between the two devices. It can also be used with cameras, printers, and other more common computing appliances.

Sounds like bad news bears, but is it? The bug was first discovered by Andres Blanco from the Core Security team back on September 26th, 2014. Four months later, Google and Core Security still completely disagree about the severity of the vulnerability.

In what seems like a move straight out of the Firesheep playbook, Core Security went full disclosure on that bug, which as we all know is the best way to force a large tech giant to deal with their glitches.

Remember what happened shortly after Firesheep was released into the wild, enabling every Tom, Dick, and Harry to Session Hijack like a pro? Yeah, a good majority of the larger sites went SSL, thus preventing their authentication cookies from being broadcast in plain text, virtually shutting down the whole extension, and making SSL a must-have for a large portion of sites you have a password for. Mission accomplished.

So, what’s vulnerable? So far, Core Security identified Nexus 4 and 5 running Android 4.4.4 as vulnerable, as are LG D806 and Samsung SM-T310 devices running Android 4.2.2, and Motorola Razr HD devices on 4.1.2. Android 5.0.1 and 5.0.2 are not vulnerable, according to the advisory.

Let’s get real geeky, real quick. The advisory says, “On some Android devices when processing a probe response frame with a Wi-Fi Direct(P2P) information element that contains a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException. As this exception is not handled, the Android system restarts.”

Last up, in a little happy news for all of us under the tyrannical thumb of the carriers, Android and Me is reporting that TracFone has been fined by the FTC for $40 million dollars. Why? Apparently the FTC actually understands what the term “UNLIMITED” means.

What was TracFone doing? Oh you know, the same stuff every other carrier on the planet has been trying to get away with. Being shady about how they treat their customers who still have unlimited plans. Throttling people on unlimited plans either to make their connection so awful they stop using it for the time being is a horrendous way to treat your customer. I also feel very uncomfortable that it’s 2015 and we’re still counting bytes. This quote from Jessica Rich, director of the FTC’s Bureau of Consumer Protection says it all. “The issue here is simple: When you promise consumers ‘unlimited,’ that means unlimited.”

If you were one of those users who got themselves throttled on TracFone, check out this link and you might be able to pick up a refund. It’s on the FTC.gov website.

That’s going to do it for this episode of Breaking Android. Follow me on your favorite social network and say hello. Also make sure to check out our weekly Android long-form podcast over at AttackoftheAndroids.com.

Did you know you can also listen and subscribe to audio-only versions of Breaking Android? That’s right, tap that little play button below, and if you want to subscribe, hit the RSS feed here.

For BMod, I’m .

Play
Mat Lee

Author: Mat Lee

Based in Kalispell, MT, Mat Lee is a senior contributor at aNewDomain.net. He writes hip hop, makes podcasts, and dabbles in gaming in his spare time. Follow Mat Lee on Twitter, Google+, and Facebook.

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>