Story image

Bug makes Android phones hackable via PNG image files

08 Feb 2019

Article by Deep Secure CTO Dr Simon Wiseman

Google has recently announced a security flaw in the way Android devices handle PNG images. Apparently, it’s a heap overflow in the SkPngCodec.

This means any application handling PNG files that have been carefully crafted by an attacker can end up running the attacker’s code.

This means a web browser can fetch a crafted image from a web site and the attacker now is in control of the browser and its environment.

That means it has access to your stored passwords and you’ve given away access to all the secure sites you visit.

The same goes for your email client – the attacker has control of your mailbox so can intercept your mail, perfect for harvesting password resets, and generate mail on your behalf, ideal for propagating the attack within your organisation.

But Google is responsible, and the announcement was held back until a fix was in place.

However, patches to phones are rolled out slowly.

That means today is the zero-day for this attack and it’s going to be weeks until it is defeated. It’s a bad place for such a vulnerability to turn up.

How could this happen?

The PNG file format is well-defined – it’s one of the best specifications around for this type of attack.

The basic structure of a PNG is simple, and it’s hard to see how a mistake like this could be made handling it (not like GIF which suffered in the past from a buffer overflow due to its slightly crazy structure).

The compression algorithm used is well understood and well used.

But there are some complex parts to the format, in particular, the way it handles interleaved scanlines.

It’s not impossible to imagine the library making a mistake here, when it tries to reorder the scan lines into display order it has some tricky calculations to do to fill the buffer correctly.

And PNGs can contain ancillary data, such as colour profiles, which are very complex structures that, if malformed, might be mishandled.

These sort of mistakes are very hard to find through testing because it’s not really possible to anticipate all the ways things could go wrong and there are too many possibilities to systematically check them all.

What can the average user do right now?

First off make sure you take all the updates available and keep doing this daily for the next few weeks.

Second, tell your mobile browser to forget all the passwords it holds.

What’s to be done once the panic is over?

Most will relax and be thankful that the problem has been found and fixed.

But anyone concerned with defending systems against cyber attack will be wanting to know if anything could have been done to defend against the attack before it was known about, and what can be done to defend against the next one of this kind.

What’s clear is that trying to detect problems like this does not work.

They cannot be anticipated so you don’t know what to look for.

The attacker will always be able to evade any attempts to detect their attack.

Flashpoint announces new features on intelligence platform
The platform now features new dashboards and analytics, expanded datasets, chat services and communities, and industry alerting.
Hitachi Vantara to offer data protection as-a-service
Hitachi Vantara has introduced data protection and data storage offerings that embrace the as-a-service model and come as pre-engineered, fully managed services.
TIBCO aids in effort to boost Vietnam's data talent pool
Training will include ways to understand data analytics, and skills to support the country’s push towards digital transformation.
Tech leaders already seeing the impact of automation
“It is our strongly held belief that the prosperity of New Zealand is inextricably linked to how well our organisations embrace a digital future."
Snowflake & Anodot to offer AI-based anomaly detection
Customers will have access to Snowflake’s built-for-the-cloud data warehouse and can receive instant alerts and insights from Anodot for potential issues before they cost customers significant ROI.
ABS and Google Cloud partner to demonstrate the feasibility of AI-enabled corrosion detection
The project successfully demonstrated the accuracy of AI in detecting and assessing structural anomalies commonly found during visual inspection.
Aerohive launches guide to cloud-managed network access control
NAC for Dummies teaches the key aspects of network access control within enterprise IT networks and how you can secure all devices on the network.
Sungard AS named DRaaS leader by Forrester
It was noted for its disaster-recovery-as-a-service solution’s ability to “serve client needs at all stages of their need for business continuity.”