LWN: Comments on "The Android "Stagefright" vulnerability" https://lwn.net/Articles/652571/ This is a special feed containing comments posted to the individual LWN article titled "The Android "Stagefright" vulnerability". en-us Fri, 31 Oct 2025 17:27:16 +0000 Fri, 31 Oct 2025 17:27:16 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net The Android "Stagefright" vulnerability https://lwn.net/Articles/656593/ https://lwn.net/Articles/656593/ dashesy I got an update for CM11 today, and was using Hangout for SMS (with MMS disabled). There were many attempts to send me MMS with these phone numbers: <br> <pre> 222-225-6447 222-222-9554 222-222-9553 222-222-9552 222-222-9551 </pre> The timing suggests exploits may be in action. I hope the disabled MMS has done the trick, otherwise I may have a brand new logger on my phone :) Fri, 04 Sep 2015 02:42:23 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653563/ https://lwn.net/Articles/653563/ jezuch <div class="FormattedComment"> <font class="QuotedText">&gt; Newer techniques such as beam "steering" using antenna arrays change this. </font><br> <p> "Beamforming" is the marketing term?<br> </div> Wed, 05 Aug 2015 07:44:51 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653527/ https://lwn.net/Articles/653527/ zlynx <div class="FormattedComment"> In my personal experience 5 GHz is definitely better. But the problem of walls is even worse. I have a room which has the kitchen between it and the access point. In that room the 5 GHz signal is almost 0. 
I suspect that the kitchen microwave, refrigerator and cooking range (all metal) soak up the signal.<br> <p> The new multipath ac standard works great, but like your 5 GHz situation I don't have enough devices that support it.<br> </div> Tue, 04 Aug 2015 22:06:37 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653461/ https://lwn.net/Articles/653461/ nye <div class="FormattedComment"> <font class="QuotedText">&gt;We're also at the point where certain people (eg me) actively demand a wired backup because wireless is absolute rubbish ...</font><br> <p> Right, and it's hard to persuade people that their experience is not universal. Example:<br> <p> My grandmother and I both have identical wireless access points (supporting 802.11n 2.4GHz, as they're a few years old).<br> She lives in a timber framed house with hollow walls, in the middle of nowhere. I live in a brick Victorian house in a city.<br> If I try to use my phone, say, on her WiFi, I can get a decent signal from the other end of the garden. If I try to use *my* WiFi at home, same client device, same model WAP with same configuration, I can barely get a signal in the next *room*; more than about 5 metres is pretty much out of the question. Even sitting within about a metre of the WAP - in the same room - the connection isn't always reliable.<br> <p> Trying to send data over 2.4GHz bands in a densely populated area is like trying to have a whispered conversation in a nightclub. I'm hoping that 5GHz is somewhat better, but most of my current devices don't support it.<br> </div> Tue, 04 Aug 2015 12:58:47 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653454/ https://lwn.net/Articles/653454/ paulj <div class="FormattedComment"> Newer techniques such as beam "steering" using antenna arrays change this. 
<br> <p> By tightly controlling the timing of sending a signal across an array of antennas, you can "steer" the signal so it is maximised in a particular spot, through constructive interference. That spot can be determined through feedback from the receiver. This allows lower power signals to be used, generally lowering the noise floor for everyone without harming bitrate, and/or increased bitrates. The energy from the transmitter can be used in a much more 'focused' way, and so it can more efficiently use energy and spectrum.<br> <p> One day even different base stations might be part of the same antenna array, giving really good diversity and "steering" ability.<br> </div> Tue, 04 Aug 2015 11:51:48 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653275/ https://lwn.net/Articles/653275/ dlang <div class="FormattedComment"> the radio signal is FAR more efficient than the wifi/cellular signals, one broadcast delivers to thousands of listeners. delivering the same data individually to each recipient would require FAR more bandwidth.<br> <p> If you are looking for what technology passes the most data worldwide, I'd say that bluetooth will probably win<br> <p> but if you don't just measure the number of bits passed, the results are probably going to be very different.<br> <p> I think that a far better way to evaluate 'efficiency' would be something like <br> <p> bits passed * distance covered * recipients of the data/bandwidth used<br> <p> and for that, I'd bet that satellite TV will be the winner, followed by HDTV transmissions, followed by radio broadcasts, followed by non-wifi data transmissions (microwave links and wireless ISPs) followed by cellular, wifi, and bluetooth.<br> </div> Sun, 02 Aug 2015 22:59:29 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653272/ https://lwn.net/Articles/653272/ Wol <div class="FormattedComment"> <font class="QuotedText">&gt; We're at the point where a large chunk of the population does 
everything at home over wifi, up to and including streaming video.</font><br> <p> We're also at the point where certain people (eg me) actively demand a wired backup because wireless is absolute rubbish ...<br> <p> I regularly plug my laptop into my house wired network because wi-fi just doesn't have enough bandwidth (estimated time for a - typical - file transfer dropped from 4hrs to 5mins just by swapping the transport layer...)<br> <p> Wi-fi range covers maybe half the house ...<br> <p> Our cordless landline can be a right pain in the neck ...<br> <p> There's just too much interference from all the devices in my house and in the neighbours'. That's why when my house was rewired, I had cat-5 run through the place as well.<br> <p> Cheers,<br> Wol<br> </div> Sun, 02 Aug 2015 19:33:57 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653266/ https://lwn.net/Articles/653266/ kleptog <div class="FormattedComment"> I'm not sure what measurement of efficiency you're using, but I'm willing to bet that the total amount of data transmitted per second worldwide over wifi exceeds the total data rate of digital traffic in the entire rest of the EM spectrum by a large margin. Both in aggregate and per Hz. And it does this with less than 100MHz bandwidth total.<br> <p> We're at the point where a large chunk of the population does everything at home over wifi, up to and including streaming video. On the other hand a local radio station might get a 0.9MHz allocation to transmit essentially a 64kbit signal over hundreds of square kilometres. 
The latter is what I call inefficient.<br> <p> Cisco actually has estimates: <a href="http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/VNI_Hyperconnectivity_WP.html">http://www.cisco.com/c/en/us/solutions/collateral/service...</a><br> <p> Which puts total wifi internet traffic at 10 times cellular traffic, and that's not counting traffic intra-home.<br> </div> Sun, 02 Aug 2015 14:17:07 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653137/ https://lwn.net/Articles/653137/ rahvin <div class="FormattedComment"> You forgot to mention that the vast majority of the employees are less than 30 years old. <br> <p> It's like a great big nerd frat, probably fun right up until you decide to grow up, get married and have kids. Then you aren't innovative enough and are replaced by a guy right out of college.<br> </div> Fri, 31 Jul 2015 22:47:55 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653136/ https://lwn.net/Articles/653136/ rahvin <div class="FormattedComment"> The more devices using the spectrum the worse that spectrum is. Even broadcasting at very low power 1000 sites are creating all kinds of doppler effects and reflections that bounce all over the radio spectrum creating a base noise level that's difficult to penetrate. 900mhz is virtually worthless today because of all the cordless phones, remotes and other stuff that uses it. If you tried to use it these days for an internet connection further than 30 feet from the "source" you'd discover just how poor 900mhz has become. 2.4ghz is rapidly approaching this same noise floor, in some urban areas 2.4ghz is often so saturated that you can't reliably receive signals 100' from a transmitter. 
The opening of 5ghz has helped somewhat but open use is never efficient use.<br> <p> Mesh networks like he's proposing are an interesting idea but limited in all practicality unless government could be convinced to open up entire channel bands to part 15 use. The chances of that happening are so incredibly small it's probably not worth discussing. The biggest reason for that is that open use is often extremely inefficient because it creates a tremendous noise floor. Whereas licensed use to an ISP creates a system where the ISP is in charge of managing the noise floor and can afford to pay engineers to keep the value of the spectrum by preventing interference. <br> </div> Fri, 31 Jul 2015 22:41:28 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653129/ https://lwn.net/Articles/653129/ pboddie <div class="FormattedComment"> And probably then only an apology of the kind, "I'm sorry if you were offended by what I did."<br> </div> Fri, 31 Jul 2015 21:26:05 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653125/ https://lwn.net/Articles/653125/ pboddie <div class="FormattedComment"> Indeed. Anyone obtaining a "GPLv2 or later" codebase and opting to redistribute under GPLv3 takes on those additional obligations, not the people who put the licence on it to start with.<br> <p> As for the Tivoization aspects of the GPLv3, I think the need to explicitly include them says a lot about the way various entities distributing GPL-licensed code treated the spirit of the licence. 
When vendors are handing customers a running system and thus giving them the binaries, then giving them the sources when they ask, and then practically laughing at them when they find they can't deploy rebuilt binaries, even though there are no real technical barriers to doing so (and where vendors will happily uphold backdoor and update mechanisms to maintain their own privileges), something has to be done to avoid the licence becoming worthless.<br> <p> And despite the FSF even noting that GPLv3 doesn't oblige vendors to provide support for modified products, people will still complain about the cost and the inconvenience for the vendors, never mind that they got most of their software without having to do anything for the privilege. The way the FSF gets portrayed makes me wonder why they bother being so reasonable sometimes.<br> </div> Fri, 31 Jul 2015 21:21:23 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653127/ https://lwn.net/Articles/653127/ Cyberax <div class="FormattedComment"> <font class="QuotedText">&gt; That's the point. I really think you do not need millions. I've never been to Brooklyn, but I see some people playing around here in a 500 000 people city and they get interesting results with an independent ISP using off-the-shelf WiFi technology (ok, it's data, but you see the point).</font><br> It's been tried. Many times. Still doesn't work.<br> <p> Many commercial ISPs in the US tried to make it possible to build a city-scale WiFi network with roaming: Optimum WiFi, XFinity WiFi and many others. 
It's so bad that it's always better to switch to 3G/4G data instead of trying to use them.<br> <p> Most problems are caused by interference and poor signal propagation.<br> </div> Fri, 31 Jul 2015 21:10:40 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653104/ https://lwn.net/Articles/653104/ pizza <div class="FormattedComment"> "This software is licensed under the GPL version 2, or at your option, any later version"<br> <p> Any software released under the GPLv2 will remain GPLv2 in perpetuity, or until the copyright expires (which are the same thing these days).<br> <p> So, if anybody changed the "bargain" it was the software authors who had to explicitly opt into that potential re-licensing. And even then, that new license revision only affects subsequent releases.<br> </div> Fri, 31 Jul 2015 20:17:44 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653113/ https://lwn.net/Articles/653113/ Cyberax <div class="FormattedComment"> Apache2 license allows patent retaliation, GPLv3 does not. <br> </div> Fri, 31 Jul 2015 19:50:16 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653099/ https://lwn.net/Articles/653099/ dlang <div class="FormattedComment"> brick/stone/earth tend to absorb the signal (although the signal does bounce). metal reflects more than absorbs.<br> <p> yes, a point-to-point wifi link with very high-gain directional antennas at both ends carefully aimed can get very long distances.<br> <p> But if you need omnidirectional coverage to mobile devices, you can't do this. The mobile end isn't going to have a high-gain antenna or a lot of transmit power. The base stations can either be omnidirectional at short range, or directional at slightly longer ranges (and you put a lot of base stations on different channels in the same place, pointed in different directions so that between them all you cover every direction. 
But you need a lot of channels for that)<br> <p> wifi has ~10 channels on the 5GHz band. Phone systems have around 100x that many channels.<br> </div> Fri, 31 Jul 2015 17:33:24 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653098/ https://lwn.net/Articles/653098/ dlang <div class="FormattedComment"> not just the man-hours involved, but the _paid_ man-hours involved creating linux total up to the huge figures. It's just that the money to pay for this is not all from one company.<br> </div> Fri, 31 Jul 2015 17:26:35 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653097/ https://lwn.net/Articles/653097/ dlang <div class="FormattedComment"> I really don't see the patent parts being the dealbreaker for most companies.<br> <p> it's the (at least perceived) changing of the bargain.<br> <p> It doesn't matter if the GPLv3 better represents what the FSF intended the GPLv2 to cover, it's that the GPLv3 bargain is different from the GPLv2 one, and not just in fixing legal problems, but in terms of covering cases that weren't covered in GPLv2.<br> <p> It's not even (completely) that the terms of GPLv3 are so horrific as it is the fact that the bargain is being changed by the FSF and they publicly stated that if it didn't achieve their goals, they would change it further with a future version.<br> </div> Fri, 31 Jul 2015 17:24:55 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653095/ https://lwn.net/Articles/653095/ raven667 <div class="FormattedComment"> <font class="QuotedText">&gt; But in the 90s, people were saying that it was impossible to build something like Linux without a very big up front *initial* investment. 
I still think they have been proven wrong.</font><br> <p> What Linux built was incremental, so sure it's not like proprietary software where it's kept all under wraps until it's "done" and there is a big reveal, but the man hours and time required for Linux to reach feature parity with the other UNIX and MS systems represents a very large investment as described. If you are comparing another OS from the 90's, there was a substantial investment before Linux achieved parity, maybe in the 2.4-2.6 timeframe. A handful of developers in a garage aren't going to build something as complex as Linux or any other OS, you need a cast of thousands and decades of work.<br> </div> Fri, 31 Jul 2015 17:15:36 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653092/ https://lwn.net/Articles/653092/ raven667 <div class="FormattedComment"> <font class="QuotedText">&gt; &gt; It may not be effective though as MMS is only one of many attack vectors that would result in Stagefright processing an exploitative media file.</font><br> <font class="QuotedText">&gt; The problem is that the vulnerability isn't tied to MMS</font><br> <p> I know you like to post a lot here but I think everyone would really appreciate if you read the comment you are replying to before composing a response, also consider whether your response adds new information to the conversation and will be useful to the other people, like me, who read LWN comments.<br> </div> Fri, 31 Jul 2015 17:02:15 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653076/ https://lwn.net/Articles/653076/ ortalo <div class="FormattedComment"> Well, typical modern usage and indeed, difficult to address right now. 
A solution with à-la OpenBTS could probably offer GSM connectivity though in this situation: so voice connectivity; but probably no playing or watching youtube.<br> For that, some are going the UMTS reverse-engineering route, but that will be as cumbersome as the work done for GSM (and possibly impossible due to the additional blockade made by commercial companies). So little to expect before several years of hard (free) work.<br> If I had better overall marks in electromagnetism and RF, I would try to build improve on the initial design of GSM instead of replicating existing techno.<br> But we would need to move to our private piece of desert in order to experiment without interference (so the funding problem does exist).<br> <p> Concerning the brick walls, strange (unless there is metallic reinforcements inside). I would really suggest playing with an OpenWRT-based device to see if you do not have interferences around - OSS devices can be very nice for troubleshooting - some UBNT (Ubiquiti) too. 
But the truth is 802.11 is king primarily without obstacles (dual antennas setup could be nice too inside buildings).<br> <p> </div> Fri, 31 Jul 2015 15:38:46 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653072/ https://lwn.net/Articles/653072/ pizza <div class="FormattedComment"> <font class="QuotedText">&gt; v3 is much more a jack-of-all-trades with patent stuff etc</font><br> <p> What I find particularly sad are organizations that object loudly to GPLv3, supposedly over its patent clauses, but use (and distribute) Apache v2 code with its practically identical patent clauses.<br> </div> Fri, 31 Jul 2015 15:32:34 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653069/ https://lwn.net/Articles/653069/ NAR <div class="FormattedComment"> Well, this is in the middle of the city, so there would be about 50-100 people moving at 40 km/h actively using the network (people on trams, buses browsing, playing, watching youtube, people in cars using navigation tools like Waze). Maybe three times as many people not using the network, but expecting to be able to receive an incoming voice call.<br> <p> At home there are no microwave ovens in the way, just a couple of brick walls.<br> </div> Fri, 31 Jul 2015 15:15:49 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653067/ https://lwn.net/Articles/653067/ ortalo <div class="FormattedComment"> The spectrum auctions prices are hopefully more linked to the benefits that these commercial companies are making than to the cost of the network.<br> And, there is very probably a trend by these operators to inflate the network cost in order to influence the government tax downward. But these operators are given exclusive for-profit access to a public resource (radio spectrum), so they *have* to pay a tax.<br> <p> If not operating for profit, well, I guess you can claim you do not compete with them... Granted, not many governments will listen to you, esp. 
in rich urban areas. But you may be surprised by the situation in poor and/or low density areas....<br> <p> </div> Fri, 31 Jul 2015 15:13:50 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653061/ https://lwn.net/Articles/653061/ ortalo <div class="FormattedComment"> It depends on the kind of coverage you want. Granted, if you want high fidelity quadriphonic transmission of a video conference call involving more than 5 people, simultaneously browsing the web at high speed using the mobile data network all buried deep in the internals of buildings with metallic rooms separation; I resign immediately.<br> <p> If you want normal voice connectivity and acceptable data traffic rates, then we can look.<br> But well, first let's troubleshoot your WiFi because, you know, the record was &gt;200km several years ago, so you may have a problem. No microwave oven and beloved cooking partner between you and the router? (NB: the second is never to be accused lightly.)<br> Furthermore, all the remarks concerning 802.11 frequency inadequacy for long range are fully adequate and it is also not the most adequate for voice (for other reasons IIRC).<br> <p> WiFi (802.11) frequency is extremely sensitive to line of sight obstacles; so you need different things for long range indeed.<br> <p> </div> Fri, 31 Jul 2015 15:03:14 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653028/ https://lwn.net/Articles/653028/ ortalo <div class="FormattedComment"> I never meant that little investment or work has been done into Linux or OSS software. That would be unrealistic.<br> But in the 90s, people were saying that it was impossible to build something like Linux without a very big up front *initial* investment. I still think they have been proven wrong.<br> <p> Furthermore, you are estimating the value of Linux as if it had been built by a commercial company. For me, that's also not realistic. 
Polemically, I could equivalently say that the operating system built by M$ must be provided free of charge because it probably did not involve much more work than Linux or Debian. I am sure M$ does not agree and would not even write that software if they could not sell it.<br> <p> I am not an economist, but I think this is the classical distinction between cost of production (linked to resources) and price (linked to market conditions, i.e. primarily vendors and buyers expectations).<br> <p> Back to mobile networks, I still think their initial cost is overestimated by commercial operators and their technical suppliers in order to prevent new entrants from thinking about it.<br> The extremely high cost of commercial radios spectrum may also be a sign that governments share part of this view.<br> </div> Fri, 31 Jul 2015 14:31:20 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/653020/ https://lwn.net/Articles/653020/ Wol <div class="FormattedComment"> Personally, I don't think the GPL bargain changed much, as far as it was the FSF clarifying what they intended (and v2 was buggy ...).<br> <p> But yes, I think people were comfortable with v2, and didn't like the changes. Plus, v2 was a "simple" copyright licence. v3 is much more a jack-of-all-trades with patent stuff etc (which imho is invalid, but that's because I consider case law invalid as being in breach of statute law, but that mess will take quite a time to clear up ...).<br> <p> (And bugs in v2? If you put source and binary on a website as two separate tarballs, that triggers the three year source obligation. Because the recipient can *choose* not to download the source, the distributor then has to keep it available. 
In v3, provided you make the source available at the same time as the binary, if the recipient chooses not to download the source then that's their lookout.)<br> <p> Cheers,<br> Wol<br> </div> Fri, 31 Jul 2015 12:55:37 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652999/ https://lwn.net/Articles/652999/ Wol <div class="FormattedComment"> <font class="QuotedText">&gt; What copyright could accomplish is to make our much easier for open source ROMs (such as CM) to support a large at of hardware very well (by forcing the drivers to be published).</font><br> <p> Actually, I don't think so.<br> <p> But when Device Tree is sorted out for the Arm architecture, it probably will achieve that. Then it becomes simple for device manufacturers to walk away - so long as the linux devs can get the tree, it will be easy for the kernel to support any sort of random device.<br> <p> (Most Arm drivers are currently a mess - normal practice seems to be to grab a driver - any driver - and mod it to support your "custom" hardware. Given that that hardware is off-the-shelf and may be in many devices, that's a whole bunch of drivers all driving exactly the same hardware.)<br> <p> Cheers,<br> Wol<br> </div> Fri, 31 Jul 2015 07:50:33 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652992/ https://lwn.net/Articles/652992/ salimma <div class="FormattedComment"> Agreed, I don't think it's the explicit patent clauses that is problematic for adoption. 
Apache License 2.0 has similar provisions after all.<br> </div> Fri, 31 Jul 2015 06:05:06 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652986/ https://lwn.net/Articles/652986/ andresfreund <div class="FormattedComment"> <font class="QuotedText">&gt;&gt; It may not be effective though as MMS is only one of many attack vectors that would result in Stagefright processing an exploitative media file.</font><br> <font class="QuotedText">&gt; It's any untrusted content hitting the media system. ONE vector that can be used for an attack is the automatic processing of MMS messages.</font><br> <p> ...<br> </div> Fri, 31 Jul 2015 02:59:44 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652973/ https://lwn.net/Articles/652973/ dlang <div class="FormattedComment"> even worse was the message "I have altered the bargain, pray I don't alter it further" as they kept trying to say both that it didn't change anything (the GPL always intended this), and that they reserved the right to make further changes if it didn't have the effect that they were after.<br> <p> The fact that the license terms were subject to change at any point, imposing new requirements on anyone downstream (or forcing them to fork the code/switch to something else) made many businesses decide to switch on their schedule rather than run the risk of being ambushed by a need to switch.<br> </div> Thu, 30 Jul 2015 20:32:39 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652972/ https://lwn.net/Articles/652972/ dlang <div class="FormattedComment"> The problem is that the vulnerability isn't tied to MMS<br> <p> It's any untrusted content hitting the media system. 
ONE vector that can be used for an attack is the automatic processing of MMS messages.<br> <p> but to really block this, you would have to block the content across the board.<br> </div> Thu, 30 Jul 2015 20:28:51 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652968/ https://lwn.net/Articles/652968/ flussence <div class="FormattedComment"> Windows 10 is effectively an apology for Windows 8.<br> </div> Thu, 30 Jul 2015 19:06:33 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652966/ https://lwn.net/Articles/652966/ bronson <div class="FormattedComment"> That's why GPLv3 should have been only GPLv2 plus patent protection and other small cleanups. The Tivoization overreach was a mistake.<br> </div> Thu, 30 Jul 2015 18:52:03 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652963/ https://lwn.net/Articles/652963/ bronson <div class="FormattedComment"> Now double that number (at least) if you want coverage in fog and rain.<br> </div> Thu, 30 Jul 2015 18:46:44 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652956/ https://lwn.net/Articles/652956/ pboddie <div class="FormattedComment"> Well, in contrast to all the AGPL-bashing going on in the recent article about Mailpile's licensing choices (where the scariest interpretations roam unchecked in the apocalyptic licensing landscape), it does look like a lot of people are happy to assume that GPLv2 doesn't prevent them (or their employers) from having to implicitly license patents to recipients of the code. GPLv3 clarified this, of course, "scaring" companies who actually like patents but didn't want to be held to any kind of agreement about them. 
Strangely enough, this included companies like Nokia who made much of patent non-assertion promises against people getting Linux from them, when GPLv2 practically requires such commitments, anyway.<br> <p> It's not exactly news that corporations like to operate in legal grey areas where the biggest legal budget is most likely to win, and one can argue that GPLv3 curtails that grey area substantially, upsetting corporate lawyers and executives. But had it not done so, people would be whining about "legal uncertainty" as well as trotting out long-obsolete claims of "unproven" licences. Some people will never be satisfied with what the FSF does.<br> </div> Thu, 30 Jul 2015 17:58:57 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652938/ https://lwn.net/Articles/652938/ raven667 <div class="FormattedComment"> <font class="QuotedText">&gt; Exactly like in the 90s when they were telling us that OS technology was so complex only M$ or IBM had the resources to build a working real-life operating system</font><br> <p> I think your cost estimates are bunk and this example is emblematic of why, Linux has had at least as many resources poured into it as MS or IBM, probably more than any of the original UNIX projects, maybe more than all of them combined, just spread across many different companies, universities and other organizations which pay the costs for the thousands of developers, thousands of hardware test labs, etc. To say that just because you can't point to one company that owns Linux and files a financial statement that there haven't been billions and billions of dollars invested in Linux development over the last twenty-five years is folly. 
When someone said that you can't build a full featured OS without millions and billions of dollars such as MS or IBM could provide, they were absolutely right, the difference with Linux is not that it requires no funding but that the funding sources (translated into developer hours) are distributed amongst the most interested and active parties who benefit from it.<br> </div> Thu, 30 Jul 2015 16:14:45 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652935/ https://lwn.net/Articles/652935/ raven667 <div class="FormattedComment"> I don't think this required DPI, MMS is an IP service provided by each carrier and configured automatically on your phone based on you subscribing to a particular service providers plan, tied to the non-IP SMS service the carrier also provides. It may not be effective though as MMS is only one of many attack vectors that would result in Stagefright processing an exploitative media file.<br> <p> As far as neutrality comes into it it would be to treat all traffic equally, including their own, so if they did some DPI IPS (if that were even possible, it's probably not except in the minds of marketing and true IPS believers) they should treat their own service the same as third parties, if they instead used the security issue as an opportunity and cover to block competing third party messaging apps to funnel people into a first-party paid-for service, that would not be neutral to the customer and the IP packets the customer is paying to have transmitted and received.<br> </div> Thu, 30 Jul 2015 15:31:33 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652876/ https://lwn.net/Articles/652876/ NAR <div class="FormattedComment"> At home I have practically no WiFi signal 10 meters from the router. 
How many devices do you need to have coverage on a 500 meters long, 30 meters wide bridge over a river in the middle of a city where people expect coverage?<br> </div> Thu, 30 Jul 2015 12:39:17 +0000 The Android "Stagefright" vulnerability https://lwn.net/Articles/652867/ https://lwn.net/Articles/652867/ garloff <div class="FormattedComment"> My comment was not meant to address the question whether GPLv3 would help better than GPLv3. <br> I responded to the skepticism that licensing terms could fix the problem. <br> They don't fix the issue of vendors failing to provide (security) fixes - regulatory measures would probably be needed for that. They are valuable in providing a way to work around vendors though - if they can be and are enforced.<br> Sorry if this was unclear. <br> </div> Thu, 30 Jul 2015 11:14:44 +0000