Google Project Zero targeting Samsung

Project Zero made the news a few months ago by publishing unfixed vulnerabilities in Microsoft operating systems, along with their exploits, before the Redmond company managed to ship patches.
A lot was written back then about Google attacking a competitor, with the team also accused of being irresponsible for operating on a fixed 90-day time frame.

Well, this time they went after the world's leading Android manufacturer and its Galaxy S6 Edge, with the same rules and similar results, which should address any concerns about bias.

The report itself is fascinating and illustrates how additional software, such as apps or native support for more media formats (Samsung has always been good at that), increases the attack surface with more code, which might also not be as solid as AOSP's.
Then there are hardware drivers (like for the GPU), and you can't really skip shipping those.

How many vulnerabilities can be found in the phone you are using right now (any phone) with a few weeks of work from a dedicated team?
It's safe to assume quite a few. With sufficient resources, it seems there will be a way in, which is not reassuring given the amount of data our gadgets have access to – especially through Google account credentials.
Location history is the perfect example of over-the-top tracking, yet it is required for Google Fit and was probably enabled by many after tapping a Google Maps launch dialog without realizing the consequences.
This is why I highly recommend two-factor authentication… Yet it doesn't change anything if a root vulnerability allows escaping the sandbox and stealing credentials from the active device, or accessing the data from there directly.

It is also difficult to know where to learn about manufacturers' security practices.
Do they have a security team like Project Zero continuously evaluating their products internally, with fuzzing and more?
There is no guarantee of results and certainly no such thing as perfect security, but it would be good to know.

#supercurioBlog #security

Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge
Posted by Natalie Silvanovich, Planner of Bug Bashes
Recently, Project Zero researched a popular Android phone, the Samsung Galaxy S6 Edge. We discovered and reported 11 high-impact security issues as a result. This post …

Source post on Google+

Published by

François Simond

Mobile engineer & analyst specialized in display, camera color calibration, audio tuning

7 thoughts on “Google Project Zero targeting Samsung”

  1. This is like the Euro NCAP crash tests and reports, but for software. I think it would be good to have some organization(s) that test these things thoroughly and report them so that patches are issued and we all have better quality software and security.

  2. +François Simond yeah, what I think would be nice is the publishing of the problems / results like the tests I mentioned before, so that people can have yet another angle to look at when evaluating which manufacturer they give their money to. I guess it will never happen because it would almost always act as bad press.

  3. +Juan Manuel Tastzian Yes, there is a fundamental contradiction because being known for fixing vulnerabilities also highlights how many vulnerabilities there are.
    Plus it would likely be ignored due to instant press fatigue with the constant repetition, especially since things in software can be fixed so quickly, unlike cars, where the cycles are slower.

    In a way, things work already how they are today: the world has not yet fallen apart due to smartphone security 😉

  4. Perfect. The safest phone apart from Nexus is probably the OnePlus One, Cyanogen started rolling out the November Security Bulletin fixes yesterday 🙂

    Their build-manifest.xml points to the wrong commit IDs though, which makes me unhappy.
