Monday, August 8, 2016

QUADROOTER - is the sky really falling?

Check Point released a four-pack of root vulnerabilities in Android at DEFCON.  They named the group of vulnerabilities QUADROOTER, presumably because they are four vulnerabilities that result in root access on Android.  One of the first media articles I read on this actually has the headline "the sky is falling."  Um, let's dial that back three or four notches...

At Rendition Infosec, we deal in realistic risk.  Let's distill out the hype and talk some facts about the vulnerability:

  1. It appears to require the user to install a malicious application before anything can be exploited.
  2. The classes of vulnerabilities involved are unlikely to be remotely exploitable if a user simply views a malicious webpage.

So how would an attacker exploit any of these four vulnerabilities?  Simple: they'd trick a user into installing a malicious application.  Let's hope that the app store is looking for applications exploiting these vulnerabilities at this point.  If not, shame on Google.  If so, the user would have to sideload the application as a malicious APK or install it from a rogue app store.  Sure, a vulnerability rooting the phone is bad. But a malicious application can do some pretty bad stuff without rooting your phone.  The sky simply is not falling, despite Chicken Little's best wishes.

On responsible disclosure
I'm not one to debate the merits of responsible disclosure. I have some pretty mixed opinions on this topic.  But when you disclose vulnerabilities on a conference schedule rather than vendor patch schedules you lose the moral high ground.  I am not personally against full disclosure, but just remember this day if/when Check Point says something about someone else's disclosure practices.  The fact is that these vulnerabilities won't be patched until September at the earliest.

On naming vulnerabilities
If you follow the blog, you'll know I've been critical of this practice.  This name is especially confusing since it details four separate vulnerabilities.  Let's hope these all get patched at the same time to avoid creating more confusion. Also the vulnerability name sounds like what you'd name a drone.

It's just a freaking jailbreak
We don't name jailbreaks and write white papers about them. In fact, people laud them so they can break free of Apple's tyrannical grip on their iOS devices. Why are these Android vulnerabilities something to be feared, while iOS jailbreaks are something to run as quickly as possible before Apple patches them?

Collecting data...
I don't understand for the life of me why Check Point chose to put their white paper behind a data collection wall.

If you are really "just interested in warning the public," don't require people to enter their data to read your paper.  That's a grade A dumb move.  Here's hoping that data collection wall comes down so more people can easily read the source data about this Android jailbreak.  A Twitter friend shared the link with me (and anyone else who wants to search for it) and I'm sharing it here. Suck it, Check Point.

Practice safe apps(?)
Unless you find yourself connecting to app stores other than the Google Play Store, downloading apps over insecure wireless, or have been repeatedly tricked into installing malicious apps on your phone, you probably don't need to worry about QUADROOTER.
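Since the only realistic path to these bugs is a sideloaded APK, the configuration worth checking on a device is whether "Unknown sources" is off and "Verify apps" is on. The script below is an added example, not from the original post or from Check Point; it assumes that 2016-era Android exposes these two switches as the `install_non_market_apps` (secure namespace) and `package_verifier_enable` (global namespace) settings readable via `adb shell settings get`, and that an unset (`null`) value means the platform default of Unknown sources off and Verify apps on.

```shell
#!/bin/sh
# Added example (not from the original post): classify an Android device's
# sideloading posture from two settings values.
# Assumed setting names: install_non_market_apps ("Unknown sources", secure
# namespace) and package_verifier_enable ("Verify apps", global namespace).

# assess_sideload_posture NON_MARKET VERIFIER
#   NON_MARKET: 0/1 (or null) value of install_non_market_apps
#   VERIFIER:   0/1 (or null) value of package_verifier_enable
# Prints one of: hardened, verifier-only, sideload-unverified
assess_sideload_posture() {
  non_market="$1"
  verifier="$2"
  # 'null' means the setting was never written; assume the platform defaults
  # (Unknown sources off, Verify apps on).
  [ "$non_market" = "null" ] && non_market=0
  [ "$verifier" = "null" ] && verifier=1
  if [ "$non_market" = "0" ]; then
    # Only Play Store installs are possible; the malicious-APK path is closed.
    echo hardened
  elif [ "$verifier" = "1" ]; then
    # Sideloading allowed, but Verify apps still screens each APK.
    echo verifier-only
  else
    # Sideloading allowed and unscreened: the configuration worth fixing.
    echo sideload-unverified
  fi
}

# Live check over adb (assumes adb is installed and a USB-debugging device
# is connected). Run as: sh posture.sh --adb
if [ "${1:-}" = "--adb" ] && command -v adb >/dev/null 2>&1; then
  nm=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
  pv=$(adb shell settings get global package_verifier_enable | tr -d '\r')
  echo "install_non_market_apps=$nm package_verifier_enable=$pv -> $(assess_sideload_posture "$nm" "$pv")"
fi
```

The function is separated from the adb collection so the classification can be exercised with constructed values; only `sideload-unverified` matches the "rogue app store or tricked into installing APKs" scenario the post describes.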

Final score:
+10 points to Check Point for finding the QUADROOTER vulnerabilities
-1 point for putting up a registration wall
-3 points for completely unnecessary hype
-4 points for scaring my mom - she's a technotard who can't read past the hype


  1. Regarding the responsible disclosure - according to Check Point, they notified the company about these vulnerabilities back in April. They should not be held accountable for the shitty way the Android ecosystem is built, and the fact that it takes months (or more) until users receive patches.

    1. I can appreciate that getting vendors to move is difficult. The vulns should have been fixed in that time frame. That's precisely why I'm a member of the Peerlyst SecureDrop vulnerability review board. We work with the press and vendors to coordinate appropriate release timelines. I will still hold Check Point accountable for putting their slides behind a registration wall.

  2. Even if you have deactivated Unknown sources, you are still backed by Verify apps, which won't let it install, as it was meant for these situations.

    But well, if they are deactivated by default on your phone or you have them disabled... good luck.

  3. This comment has been removed by a blog administrator.

  4. I have been using Kaspersky anti-virus for a number of years now, and I would recommend this antivirus to everyone.
