Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned
Checkpoint | August 6, 2015 | by Check Point Research Team
Posted on 08/07/2015 12:23:55 PM PDT by Swordmaker
Check Point today released details about Certifi-gate, a previously unknown vulnerability in the architecture of popular mobile Remote Support Tools (RSTs) used by virtually every Android device manufacturer and network service provider. The Check Point mobile threat research team disclosed its findings at a briefing session at Black Hat USA 2015 in Las Vegas, NV this morning.
What is Certifi-gate?
Certifi-gate is a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugs on a device. mRSTs allow remote personnel to offer customers personalized technical support for their devices by replicating a device’s screen and by simulating screen clicks at a remote console. If exploited, Certifi-gate allows malicious applications to gain unrestricted access to a device silently, elevating their privileges to allow access to the user data and perform a variety of actions usually only available to the device owner.
How does Certifi-gate make my device vulnerable?
Check Point researchers examined the verification methods by which trusted components of the mRSTs validate remote support applications, and discovered numerous faulty exploitable implementations of this logic. This allows mobile platform attackers to masquerade as the original remote supporter with system privileges on the device.
What devices are at risk?
Vulnerable components of these 3rd party mRSTs are often pre-loaded on devices or included as part of a manufacturer or network provider's approved software build for a device. This creates significant difficulty in the patching process and makes affected components impossible to remove or to work around.
Check Point has also made available a scanner app that can determine whether your device is vulnerable to Certifi-gate. Click here to download the scanner app from Google Play.
Above: Example of Check Point-built “malicious app” using Team Viewer plugin to gain access to an Android device; Below: Example of the same using the Communi-Take plugin.
TOPICS: Business/Economy; Computers/Internet
KEYWORDS: android; cellphones; certifigate; windowspinglist
To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
Hundreds of millions of Android devices are at risk to the Certifi-Gate vulnerability which can Pwn your Android phone or tablet. PING!
Android devices PWNED
Ping!
If you want on or off the Mac Ping List, Freepmail me.
2 posted on 08/07/2015 12:28:11 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: dayglored; ShadowAce
for your ping lists. . . Android vulnerability that may or may not get patched.
3 posted on 08/07/2015 12:29:37 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: Swordmaker
WHAT???
My Samsung Galaxy S5 can be hacked with Obama’s phony birth certificate?
Damn that sneaky Kenyan.
4 posted on 08/07/2015 12:36:02 PM PDT by Responsibility2nd (With Great Freedom comes Great Responsibility)
To: Responsibility2nd
Ohhh. Certifi-gate.
(doing best Emily Latella impersonation....)
Never Mind.
5 posted on 08/07/2015 12:37:11 PM PDT by Responsibility2nd (With Great Freedom comes Great Responsibility)
To: Swordmaker
6 posted on 08/07/2015 12:37:17 PM PDT by sauropod (I am His and He is mine.)
To: Swordmaker
I believe that Google may push out a fix for this bug for the Google Nexus phones and any phone that runs the Google Play version of Android. The Motorola Moto X and G phones may get the fix pretty quickly, too.
7 posted on 08/07/2015 12:57:19 PM PDT by RayChuang88 (FairTax: America's economic cure)
To: Responsibility2nd
My Samsung Galaxy S5 can be hacked with Obama’s phony birth certificate?
Damn that sneaky Kenyan. ROTFLMAO!
8 posted on 08/07/2015 1:05:59 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
To: Swordmaker; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; Alas Babylon!; amigatec; ...
Android vulnerability -- check your phone with the link in the article ... PING!
You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".
Thanks to Swordmaker for the ping!!
9 posted on 08/07/2015 5:32:05 PM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)
To: Swordmaker
Mine says I’m good to go.
10 posted on 08/07/2015 5:41:47 PM PDT by Lurkina.n.Learnin (It's a shame nobama truly doesn't care about any of this. Our country, our future, he doesn't care)
To: Swordmaker
It says my BLU phone is safe.
11 posted on 08/07/2015 6:08:53 PM PDT by Abby4116
To: dayglored
12 posted on 08/07/2015 6:09:45 PM PDT by Excellence (Marine mom since April 11, 2014)