A 17 years old by has developed a malware proof of concept for Firefox OS. He will be presenting its research in a convention in November. He states that his application allows to perform some potentially unwanted remote tasks over the device, and that is able to control it sending remote commands.
First of all, security model
According to Firefox OS security model, "uses a defense-in-depth security strategy to protect the mobile phone from intrusive or malicious applications. This strategy employs a variety of mechanisms, including implicit permission levels based on an app trust model, sandboxed execution at run time, API-only access to the underlying mobile phone hardware, a robust permissions model, and secure installation and update processes". So far (except the way hardware is accessed), nothing that any other operative system doesn't implement (and nothing that really may stop "infections").
Something that, in some way, may make a difference in Firefox OS, is how it classifies permissions in apps. There will be three different kinds:
- Certified: the ones installed by the vendor and critical functionality (telephone, SMS, bluetooth, clock, camera...). They will be able to access any API. For example, only certified apps (the ones coming with the device) will be able to make phone calls.
- Privileged: The ones reviewed, approved and digitally signed by an authorized marketplace. They will have access to a subset of APIs accessible to certified ones.
- Untrusted: The other ones that will not be in a market. These will have only access to a subset of APIs that may not make any harm.
Differenciate between the "what" and the "how"
A teenager has created an application that makes unwanted actions on the system. He talks literally about "infecting" and "control like a botnet". About sending commands to access SD card, about "spooking the user remotely controlling FM radio", "upload and download multimedia files". It seems to be able to control certain device apps, but we do not know how far it may go.
|Official description in http://g0s.org/key-focus-areas/|
What may attract some attention is the state about controlling other apps (he specifically talks about controlling FM radio). Talking about "sending commands" invites to call it "malware", too, though, once the application is installed, it seems quite easy to send commands... so in general, the problem is not so much "what" does this proof of concept do, but "how", how does it get the necessary permissions and how it got to get them. With the information we have, we guess the user launches an application hosted in a server and accomplish some tasks that may be potentially unwanted by the user.
More questions than answers
To get to the real scope of the statement, we should answer these questions.
- Is this program able to bypass some security restriction in Firefox OS? This would include elevation of privileges, accessing without permissions to privileged API, bypass security dialogs, warnings that could alert the user... any way that implies bypassing, breaking or evading Firefox OS security model. It seems to do that, but it's not clear.
- Does the malware replicate itself in some way, for example leveraging some vulnerability or design flaw? Does not seem so. If Gawde had found a way to spread a program without human interaction, that would have been breaking and disturbing news. But, with the information we have, it does not seem to be the case.
- Does the malware hide itself in some way, for example in legit apps? It does not seem so, either. It would have been interesting if a way of launching hidden or embedded apps had been disclosed, just as the first "virus" did. What may be a problem with Firefox OS is, that confusing or obfuscated URLs hiding apps would execute just with a click... and that has been alerted since long ago.
- Are special circumstances needed for the proof of concept to work? Are just some devices vulnerable?, Does it work with default configuration? Or is is necessary to keep some service, or app working...?
- Does it use any technique to hide its execution from the user? Something that attracts attention is that the developer itself says "there is no way to detect the attacks or even stop them". In security, such convincing assertions are usually misguided. We suppose he refers to a model where an URL is visited and it results in an app executing that starts, without user interaction, some information exchange between the "victim" and the attacker, that may control the device.
Anyhow, the "malware" or any other in the future will not be exactly a surprise. When execution of uncontrolled applications and alternative "markets" are allowed, abuse is practically guaranteed. Although it's through restricted applications, many of them will not need special permissions to infect with "adware" and show ads, and some other may just find some ways to bypass permissions leveraging vulnerabilities or design flaws.
A Firefox OS spokesman states that possible, Gawde relied on developer mode functionality, which is common to most Smartphones but disabled by default. In addition, we believe this demonstration requires the phone to be physically connected to a computer controlled by the attacker, and unlocked by the user. In other words, they think he has "cheated". Of course, they try to downplay the issue because of the lack of information.
So, without any more actual data, the headline should be that a researcher has possibly found a design flaw or a way to bypass some security in Firefox OS, executing privileged remote actions on the device. But we can't be sure yet. What is for sure is that, talking about "malware" confuses the user, that may feel menaced without an actual reason to... yet.
Sergio de los Santos