Google Scrambles to Patch Buffer Overrun Exploit in Android G1

By Clint Boulton  |  Posted 2008-10-27

The T-Mobile G1 smart phone has not even been on the market for one week, but a security expert has already found a significant flaw in the Google Android software that fuels it.

The vulnerability, first reported in The New York Times, allows an attacker to hijack the Web browser on a G1. Someone exploiting it could capture the user names and passwords that the phone's owner enters for Web sites such as bank accounts, online retail sites and online auctions.

"I can basically do anything the Web browser has permission to do," said Charlie Miller, principal analyst at Independent Security Evaluators, who wrote an exploit for the flaw based on the Android SDK (software development kit) that Google released as open source. "I can read text messages, read their cookies, see their passwords, watch them surf the Web and watch what they type."

If he wanted to, he could also browse the Web on a user's G1 from his own computer, or make the user believe they are visiting a banking site when they are really visiting his.

Miller told Google about the flaw Oct. 20, two days before the G1 launched in T-Mobile stores and shipped to customers. Miller said Google didn't want him to tell anyone else about the flaw until a fix was available, but he said that could take months because Google has to get T-Mobile involved, among other steps in the process.

"It seems to me, if I'm going to shell out $200 for this thing, I have the right to know if there is a problem," Miller said. "I'm sure they're going as fast as they can, but people have a right to know there is a problem. If you think there is no problem, then you are going to act one way with your phone, but if you know there is a problem that's not fixed yet, maybe you'll be a little more careful."

Google is indeed hard at work on a fix. Google said:

"We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open-source platform. We treat all security matters seriously and will carefully work with our partners to investigate and update devices periodically to reduce our users' exposure."

Android Flaw Is a Buffer Overrun

The G1, which sells for $179, is designed to compete with Apple's iPhone for this holiday season.

The smart phone's success is being closely watched by industry experts tracking the growth of the Android platform, on which Google's plans for dominance in mobile search and advertising depend.

The flaw, known in security circles as a buffer overrun, exists in one of the 80 open-source components of the Android SDK, which was released nearly a year ago, Miller said.

Normally, the exploit he created would enable him to access a lot, but he said Google has designed Android to make sure "it's not the end of the game if you do that." For example, Miller said he can't read a user's e-mail or dial the phone.

To keep technical details of the exploit hush-hush, Miller declined to say which of the components in the SDK he discovered the flaw in, though he said it exists in an older version of the open-source component.

For some reason, he said, Google used a dated version of the component that has the flaw. "They used the old, vulnerable version. Whether they knew that or not, I don't know."

So how did Miller, who regularly looks for such flaws, find the bug? That is a story in itself.

The analyst said he downloaded the Android SDK, which includes an emulator that simulates the software running on an actual Android-based device. He wrote an exploit that worked against the emulator, though he couldn't be sure whether it would work on the G1.

But Miller wasn't a T-Mobile customer, so he couldn't preorder the G1. To get his hands on the gadget, Miller searched on eBay and found a T-Mobile employee who was selling his G1.

He bought it and received the phone a week before the Oct. 22 release date. He confirmed the flaw on the device and reported it to Google Oct. 20, two days before the G1 went on sale.

"Thanks to the power of eBay, I had it like five days before anybody else," Miller said.
