Google Scrambles to Patch Buffer Overrun Exploit in Android G1

Security expert Charlie Miller leverages a flaw within an SDK component of Google's open-source Android operating system. The buffer overrun flaw lets hackers hijack the Web browser on a user's T-Mobile G1 smart phone, which is Google's first big entry into the mobile and wireless game to deliver users mobile Web services. Miller bought a G1 early from a T-Mobile employee on eBay to test his exploit. Google said it is working with T-Mobile on delivering a fix to the device.

The T-Mobile G1 smart phone has not even been on the market for one week, but a security expert has already found a significant flaw in the Google Android software that fuels it.

The vulnerability, first reported in The New York Times, allows a hacker to hijack a Web browser on a G1 gadget. A user with malicious intent could capture users' user names and passwords for accessing Web sites, such as bank accounts, online retail sites and online auctions.

"I can basically do anything the Web browser has permission to do," said Charlie Miller, principal analyst at Independent Security Evaluators, who wrote an exploit for the flaw based on the Android SDK (software developer kit) Google released to open source. "I can read text messages, read their cookies, see their passwords, watch them surf the Web and watch what they type."

If he wanted to, he could also surf the Web on a user's G1 from his own computer, and make a user think they are going to a banking site when they're really going to his site.

Miller told Google about the flaw Oct. 20, two days before the G1 launched in T-Mobile stores and to customers. Miller said Google didn't want him to tell anyone else about the flaw until there was a fix available, but he said that could take months from now because they have to get T-Mobile involved, among other steps in the process.

"It seems to me, if I'm going to shell out $200 for this thing, I have the right to know if there is a problem," Miller said. "I'm sure they're going as fast as they can, but people have a right to know there is a problem. If you think there is no problem, then you are going to act one way with your phone, but if you know there is a problem that's not fixed yet, maybe you'll be a little more careful."

Google is indeed hard at work on a fix. Google said:

"We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open-source platform. We treat all security matters seriously and will carefully work with our partners to investigate and update devices periodically to reduce our users' exposure."