NY Times: Security Flaw in G1

[VikingDave]

As the lead story in Technology on NY Times today, John Markoff reports that a "serious flaw" has been discovered in the security of the G1.

http://www.nytimes.com/2008/10/25/te...gy&oref=slogin

October 25, 2008
Security Flaw Is Revealed in T-Mobile’s Google Phone

By JOHN MARKOFF
SAN FRANCISCO — Just days after the T-Mobile G1 smartphone went on the market, a group of security researchers have found what they call a serious flaw in the Android software from Google that runs it.

One of the researchers, Charles A. Miller, notified Google of the flaw this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers.

Mr. Miller, a former National Security Agency computer security specialist, said the flaw could be exploited by an attacker who might trick a G1 user into visiting a booby-trapped Web site.

The G1 — the so-called Google phone — went on sale at T-Mobile stores on Wednesday.

Google executives acknowledged the issue but said that the security features of the phone would limit the extent of damage that could be done by an intruder, compared with today’s PCs and other cellphones.

Unlike modern personal computers and other advanced smartphones like the iPhone, the Google phone creates a series of software compartments that limit the access of an intruder to a single application.

“We wanted to sandbox every single application because you can’t trust any of them,” said Rich Cannings, a Google security engineer. He said that the company had already fixed an open-source version of the software and was working with its partners, T-Mobile and HTC, to offer fixes for its current customers.

Typically, today’s computer operating systems try to limit access by creating a partition between a single user’s control of the machine and complete access to programs and data, which is referred to as superuser, root or administrative access.

The risk in the Google design, according to Mr. Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.

Mr. Miller has previously gained attention for finding other vulnerabilities. In March, he received $10,000 and a Macintosh Air laptop in a contest at the CanSecWest security conference by reading the contents of a file stored on a Mac laptop by directing the machine to a Web site that was able to exploit a vulnerability in Apple’s Safari browser.

Google executives said they believed that Mr. Miller had violated an unwritten code between companies and researchers that is intended to give companies time to fix problems before they are publicized.

Mr. Miller said he was withholding technical details, but said he felt that consumers had a right to know that products had shortcomings.

[RussianSolja]

Eh - Im not worried.

[rynosaur]

I would imagine this is a linux kernel vulnerability and as such, would be addressed immediately.

I'm not sure this is news. As far as I'm concerned, if you go to phishy/spoofed sites, expect trouble.

[thefark]

same here.
not worried

[VikingDave]

Agreed. Just putting it out there, but I don't see this as a showstopper (hopefully).

[rynosaur]

WTF - Macintosh Air laptop! Where has this guy been the last 12 months? It's MacBook Air, you idiot!

Hey Vincent, does your G1 work in South Africa in any way, shape or form?

Does it power on south of the equator? Is the touch screen upside down?

[RussianSolja]

LMAO!!!!!!! @ Vincent

[A F 1 G 3]

Take this article, replace all the times he used 'G1' and put iPhone in its place. Pretty much applies to any phone that runs a high-end OS.

[tread]

Macintosh? Really, when the hell was the last time anyone called a Mac...a Macintosh?

when anybody says macintosh nowadays, i always think about the old macintosh audio hardware (not affiliated with apple) FIRST

[systm]

What bothers me the most about these kinds of articles, especially when it is in something like the NYT, is that a lot of people see this, and instantly case doubt on the phones and the OS. While the phone has been developed on for the last year, its only been "in the wild" for maybe 2 months as actual devices, and almost release builds, but seriously, 3 days and this guy already tries to make GOOG look like idiots.