Certifi-gate is the latest Android security scandal

— 11:30 AM on August 7, 2015

Today's high-level Android vulnerability is called Certifi-gate. As you might have guessed, it gets its name from an underlying problem with the way the operating system handles digital certificates in the context of remote support tools (RSTs). The vulnerability can let an attacker gain full control over a victim's device.

Here's roughly how it goes. A bog-standard RST app will usually ask for a normal set of user permissions, but it also needs to install a plugin with elevated permissions so it can perform its tasks. While the RST is digitally signed by its vendor, the plugin needs to be signed by the device's OEM. Due to the coupling of these components, the app itself ends up gaining elevated permissions. Thus, an attacker can exploit a vulnerability in the RST to gain control over the device.

There are several problems with this approach. An OEM can carelessly sign a plugin without checking whether the underlying code is secure. If the application's vendor needs to update its plugin, it has to wait for the OEM to sign it again. Also, since Android doesn't have an app certificate revocation mechanism, a user with an older version of an app remains vulnerable until they install the latest version. Last but not least, the user has relatively little control over the plugin: it won't show an icon in the launcher since it's an exported service, and the Play Store won't indicate that a plugin required by an RST requires elevated permissions.

Check Point, the company that disclosed the vulnerability, has analyzed multiple remote support tools. It found that TeamViewer, RSupport, AnySupport, and CommuniTake are vulnerable. It has also built an app that will scan your device for the vulnerability. 

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.