Imagine this scenario:
You woke early from a great night of sleep, well rested. The sun is shining outside. It’s Saturday, and you have no plans whatsoever, for the first time in a long time. The day is yours to make it whatever adventure you choose it to be. The world isn’t perfect, but right now life is good.
You take your phone off the charger, and notice that you have no messages. Odd! You typically have a few, if only from social media. Further investigation reveals your contact list is gone. Emails, texts, messages, and photos too. Apps, data—everything has been wiped from your phone! While you were sleeping, the attacker gained access to all of your sensitive data through your phone, locked you out of your email and banking accounts, and gained access to your business’ secure network. And to make matters worse, you don’t know how it happened.
Scary, right? Nearly one billion Android devices on the market were put at risk by this hack, known as Stagefright, when it was unleashed and exposed last year. And now, Mac and iPhone users are said to be at risk too.
What Is This Stagefright Megabug?
Stagefright is a vulnerability named after the media library that helps unpack multimedia messages (MMS). Even though it was originally exposed last year in the open-source Android operating system, the exploit (which has been around for a while, going all the way back to Android version 2.2) now affects both the iOS and OS X operating systems. To make matters worse, users do not even need to open a message for the device to be exploited—it only needs to be received. A hacker can compromise a device, delete the message and be in control before anyone even knows it happened. According to Infosecurity Magazine, Stagefright is an image rendering bug, endangering email clients and messaging apps that auto-render and auto-display images. And you thought you only had to worry about people clicking links and opening attachments!
When discovered by Joshua Drake, vice president of research and exploitation at Zimperium Mobile Security, the collection of Stagefright exploits (there are technically seven CVEs) had been dubbed “the worst Android vulnerabilities discovered to date.” The bug caused alarm, and it was estimated that it could affect 95% of the approximately 950 million Android devices. And now, the bug has been exposed on Macs and iPhones.
Is It Time to Panic?
Before tossing that new iPhone 6s out the window, take a deep breath. Apple has already released updates (iOS 9.3.3 and OS X 10.11.6), so make sure to update as soon as you can to protect yourself from these vulnerabilities. As for Android users, Zimperium promptly reported the vulnerability to Google after Drake discovered the bug last year, along with patches to resolve the issue. Google applied these patches to internal code branches within 48 hours, and quickly rolled out a fix for pure-Android phones. Other popular smartphone developers such as Samsung, GTC, and LG also quickly rolled out patches for the bug.
What Can Be Done?
Patch, patch, patch! Your Mac and iPhone will be at risk if you do not install the latest update. It’s becoming clear that phone numbers, like all other pieces of information tied to identity, are becoming important to safeguard. In light of the Stagefright vulnerabilities, keep your messaging app set to not accept messages from unknown sources, and to not auto-download MMS messages. Furthermore, if your phone is used for enterprise or business purposes, be sure it is equipped with an effective mobile device management (MDM) solution to safeguard your device and your network, and to deploy patches internally. In light of vulnerabilities such as Stagefright, mobile device management is now a must-have offering for MSPs who are serious about embracing an integrated and complete device-security strategy that will keep SMBs protected.
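For anyone managing a fleet, the patch advice above can be turned into a compliance check against the fixed releases named in this article (iOS 9.3.3 and OS X 10.11.6). The script below is an added example, not part of the original article or any MDM product; the inventory format, platform labels and device names are assumptions made for illustration.

```python
import re

# Fixed releases stated in the article. It names no Android version number,
# so Android devices cannot be cleared by OS version alone in this check.
FIXED = {"ios": (9, 3, 3), "osx": (10, 11, 6)}

def parse_version(text):
    """Turn '9.3' or '10.11.6' into a 3-tuple of ints; None if unparseable."""
    m = re.match(r"\s*(\d+(?:\.\d+){0,2})", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad '9.3' to (9, 3, 0)

def assess(device):
    """Return 'patched', 'needs_update' or 'review' for one inventory row."""
    fixed = FIXED.get(device["platform"].lower())
    version = parse_version(device.get("os_version"))
    if fixed is None or version is None:
        # Unknown platform or missing version: a person has to confirm
        # the vendor patch level instead of trusting the version string.
        return "review"
    return "patched" if version >= fixed else "needs_update"

def audit(inventory):
    """Map each device name to its status."""
    return {d["name"]: assess(d) for d in inventory}

# Constructed sample inventory (hypothetical export, not real MDM output).
INVENTORY = [
    {"name": "ceo-iphone", "platform": "iOS", "os_version": "9.3"},
    {"name": "sales-iphone", "platform": "iOS", "os_version": "9.3.3"},
    {"name": "design-mac", "platform": "OSX", "os_version": "10.11.5"},
    {"name": "dev-mac", "platform": "OSX", "os_version": "10.12"},
    {"name": "field-android", "platform": "Android", "os_version": "5.1.1"},
    {"name": "lobby-ipad", "platform": "iOS", "os_version": ""},
]

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:15} {status}")
```

Devices marked "review" are the ones where the version string alone does not settle the question, which here includes every Android device.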
Want to help your clients stay safe when on their smartphones?
By Hunter Smith
By Richard Harber
By Gretchen Hoffman