lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 12 Oct 2020 14:51:40 +0200
From: "Enrico Weigelt, metux IT consult" <lkml@...ux.net>
To: Michael Lazin <microlaser@...il.com>,
 "Enrico Weigelt, metux IT consult" <info@...ux.net>
Cc: fulldisclosure@...lists.org, certbund@....bund.de
Subject: Re: [FD] Google's Android: remote install backdoor in Google Play
 Services

On 14.07.20 19:19, Michael Lazin wrote:

Hello folks,

> Could you please provide more detail.  

In short, Google's playstore receives notifications from Google and
installs any app that Google wants to be installed - without any further
notification or even interaction of the user.

Google silently controls your device as soon you enter an google account.

Actually, it's not a bug, but a on-purpose backdoor. I've published it
here, in order to let everybody know. Futher actions have to be done by
the enforcement agencies.

> I am not seeing how this is an
> attack.  The Debian apt system which predates the play store seems to
> work under the same principle.  

No, apt only acts on explicit operator commands. There is no way for
Debian folks to *push* anything at will out onto individual machines.
And you can also configure which repos are used. Google's Appstore
(and Playservices) is in no way comparable.

> The debian security team pushes updates which not only
> install software with patches but the dependencies as well.  

Absolutely not, they don't push anyting onto user's machines. They just
upload new versions. It's up to the user to run upgrades, if he decides
to. And the user can configure which repos to use / trust.

> The
> vulnerability you appear to be speaking about seems to be a fundamental
> way the concept of an app store works, 

Yes, this vulnerability is on-purpose. Therefore I call it a backdoor.
No way for the user to do anything about it - execept for flashing a
google-free OS. Legally, this is a criminal act.

> it must include a method of
> pushing patches as new exploits are published.  

No, it does not need to. Pushing here means Google decides what's going
to installed when on the device - user has no control over that, and
even doesn't get informed. And it's not just for patches, but also for
deploying completely new software.


--mtx

-- 
---
Hinweis: unverschlüsselte E-Mails können leicht abgehört und manipuliert
werden ! Für eine vertrauliche Kommunikation senden Sie bitte ihren
GPG/PGP-Schlüssel zu.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@...ux.net -- +49-151-27565287

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists