by Dr Simon Wiseman | Blog

With the news that Android phones could be hacked by simply looking at an image, Deep Secure CTO Dr Simon Wiseman assesses the risk and wonders whether - given the love of all things feline on the Internet - cat photos could really take over Android phones?

Google have just announced a security flaw in the way Android devices handle PNG images. This is very bad. It means pictures of cats can be used to take over Android phones.

Apparently it’s a heap overflow in SkPngCodec, the code used to decode PNG image files for display. Potentially any application that handles a PNG file carefully crafted by an attacker can end up running the attacker’s code. This means your web browser can fetch a crafted image from a web site and the attacker is now in control of your browser and its environment. They then have access to your stored passwords, and you’ve given away access to all the secure sites you visit. The same goes for your email client: the attacker has control of your mailbox, so can intercept your mail (perfect for harvesting password resets) and generate mail on your behalf (ideal for propagating the attack within your organisation).

But Google are a responsible organisation, and the announcement was held back until a fix was in place. Except patches to phones are rolled out slowly. That means today is the zero day for this attack and it might be weeks until it is defeated. It’s a bad place for such a vulnerability to turn up.

How could this happen?

The PNG file format is well defined – it’s one of the best specifications around for this sort of thing. The basic structure of a PNG is simple, and it’s hard to see how a mistake like this could be made handling it (not like GIF, which suffered in the past from a buffer overflow due to its slightly crazy structure). The compression algorithm used is well understood and widely used. But there are some complex parts to the format, in particular the way it handles different colour formats and interlaced scanlines. It’s not impossible to imagine the library making a mistake here: when it tries to reorder the scanlines into display order it has some tricky calculations to do to fill the buffer correctly. And PNGs can contain ancillary data, such as colour profiles, which are very complex structures that, if malformed, might be mishandled. These sorts of mistakes are very hard to find through testing, because it’s not really possible to anticipate all the ways things could go wrong, and there are too many possibilities to systematically check them all.
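To make the "tricky calculations" concrete, here is an added example (my own illustration, not code from the post or from any Android or Skia source) of the Adam7 interlacing geometry from the PNG specification, and of the one check a decoder can make before it copies a single scanline: the number of bytes the IDAT stream inflates to must exactly equal what the header implies. The function names (`pass_dimensions`, `expected_raw_size`, `check_inflated_length`) are mine. Note that small images leave some passes empty, that an empty pass contributes no bytes at all (not even a filter byte), and that an interlaced image needs more buffer than a non-interlaced one of the same size because every pass row carries its own filter byte.

```python
# Adam7 interlacing geometry from the PNG specification:
# (x_start, y_start, x_step, y_step) for each of the seven passes.
ADAM7_PASSES = [
    (0, 0, 8, 8), (4, 0, 8, 8), (0, 4, 4, 8), (2, 0, 4, 4),
    (0, 2, 2, 4), (1, 0, 2, 2), (0, 1, 1, 2),
]


def pass_dimensions(width, height):
    """Width and height in pixels of each Adam7 pass.

    A pass whose first sample lies outside the image has zero width or
    zero height; a 3x3 image, for example, has no pixels in passes 2 and 3.
    """
    dims = []
    for xs, ys, xstep, ystep in ADAM7_PASSES:
        pw = (width - xs + xstep - 1) // xstep if width > xs else 0
        ph = (height - ys + ystep - 1) // ystep if height > ys else 0
        dims.append((pw, ph))
    return dims


def row_bytes(width, bit_depth, channels):
    """Bytes in one scanline as it sits in the inflated IDAT data:
    one filter-type byte followed by the packed samples."""
    return 1 + (width * bit_depth * channels + 7) // 8


def expected_raw_size(width, height, bit_depth, channels, interlaced):
    """Exact number of bytes zlib must produce from the IDAT stream."""
    if not interlaced:
        return height * row_bytes(width, bit_depth, channels)
    total = 0
    for pw, ph in pass_dimensions(width, height):
        # An empty pass has no rows, so it contributes no filter bytes either.
        if pw and ph:
            total += ph * row_bytes(pw, bit_depth, channels)
    return total


def check_inflated_length(raw_len, width, height, bit_depth, channels, interlaced):
    """Defensive check to run before any scanline is unfiltered or copied.

    If the inflated length and the IHDR-derived length disagree, the header
    and the pixel data were not produced by the same encoder and the file
    should be rejected rather than decoded with whichever size 'looks right'.
    """
    expected = expected_raw_size(width, height, bit_depth, channels, interlaced)
    if raw_len != expected:
        raise ValueError(f"IDAT inflates to {raw_len} bytes, IHDR implies {expected}")
    return expected


if __name__ == "__main__":
    # 3x3 8-bit RGB: 30 bytes non-interlaced, 33 bytes interlaced.
    print(pass_dimensions(3, 3))
    print(expected_raw_size(3, 3, 8, 3, False), expected_raw_size(3, 3, 8, 3, True))
```

Sizing the buffer with the non-interlaced formula and then filling it from an interlaced stream (or the other way round) is exactly the class of arithmetic slip the paragraph above describes; the check rejects the mismatch up front instead of discovering it mid-copy.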

What can the average Android user do right now? First off make sure you take all the updates available, and keep doing this daily for the next few weeks. Second, tell your mobile browser to forget all the passwords it holds. 

What’s to be done once the panic is over?

Most will relax and be thankful that the problem has been found and fixed. But anyone concerned with defending systems against cyber-attack will be wanting to know if anything could have been done to defend against the attack before it was known about, and what can be done to defend against the next one of this kind before it happens. 

What’s clear is that trying to detect problems like this does not work. They cannot be anticipated, so you don’t know what to look for. The attacker will always be able to evade any attempts to detect their attack. That’s why Deep Secure defends systems against content-based attacks without trying to detect the problem. Instead Content Threat Removal is used to eliminate the threat without needing to detect it. A system of Information Extraction is used to lift the valuable information content out of the incoming data. The data is discarded, and new data is created in its place to carry the extracted information. The attacker cannot influence how this new data is built, so is unable to deliver malformed data to the destination. The extraction process is designed to cope with malformed data, but even if it is tripped up by it, the damage is contained (in very high assurance deployments this is done using specialised hardware logic) and does not propagate into the protected system.
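The extract-discard-regenerate idea applied to a PNG, as an added illustration that is my own code and not Deep Secure's product or any part of it: the only information kept is the image dimensions and the pixel values; the original bytes, including every ancillary chunk, are thrown away, and a fresh file is built from the pixels alone. To stay short it handles only 8-bit non-interlaced RGB, the `MAX_CHUNK` limit is a constructed policy value rather than anything from the specification, and the sample files (a clean image with a spliced-in `tEXt` chunk, and one whose last chunk declares a length the file cannot hold) are constructed here for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK = 1 << 20  # constructed policy limit for this example, not a spec value


def parse_chunks(data):
    """Walk the chunk list, refusing any chunk the file cannot actually hold."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > MAX_CHUNK or pos + 12 + length > len(data):
            raise ValueError(f"chunk {ctype!r} declares {length} bytes the file cannot hold")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r}")
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def decode_rgb8(data):
    """Information extraction: return (width, height, rows of unfiltered RGB bytes)."""
    chunks = parse_chunks(data)
    if not chunks or chunks[0][0] != b"IHDR":
        raise ValueError("IHDR must be first")
    w, h, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", chunks[0][1])
    if (depth, colour, comp, filt, interlace) != (8, 2, 0, 0, 0):
        raise ValueError("only 8-bit non-interlaced RGB is handled in this example")
    raw = zlib.decompress(b"".join(body for t, body in chunks if t == b"IDAT"))
    bpp, stride = 3, 3 * w
    if len(raw) != h * (1 + stride):
        raise ValueError("inflated size does not match IHDR dimensions")
    rows, prev = [], bytearray(stride)
    for y in range(h):
        f = raw[y * (1 + stride)]
        line = bytearray(raw[y * (1 + stride) + 1:(y + 1) * (1 + stride)])
        for i in range(stride):  # undo the per-row filter (None/Sub/Up/Average/Paeth)
            a = line[i - bpp] if i >= bpp else 0
            b = prev[i]
            c = prev[i - bpp] if i >= bpp else 0
            if f == 1:
                line[i] = (line[i] + a) & 0xFF
            elif f == 2:
                line[i] = (line[i] + b) & 0xFF
            elif f == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif f == 4:
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                pred = a if (pa <= pb and pa <= pc) else (b if pb <= pc else c)
                line[i] = (line[i] + pred) & 0xFF
            elif f != 0:
                raise ValueError("invalid filter type")
        rows.append(bytes(line))
        prev = line
    return w, h, rows


def chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(
        ">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def encode_rgb8(w, h, rows):
    """Build a brand-new PNG from pixels only: IHDR, one IDAT (filter 0), IEND."""
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + r for r in rows)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def regenerate(data):
    """Content Threat Removal in miniature: nothing from the input survives except the pixels."""
    return encode_rgb8(*decode_rgb8(data))


def build_sample():
    """Constructed 2x2 image with an ancillary tEXt chunk spliced in before IEND."""
    rows = [bytes([255, 0, 0, 0, 255, 0]), bytes([0, 0, 255, 255, 255, 255])]
    clean = encode_rgb8(2, 2, rows)
    return clean[:-12] + chunk(b"tEXt", b"Comment\x00hello") + clean[-12:]


def build_malformed():
    """Constructed file whose final chunk claims far more bytes than exist."""
    clean = build_sample()
    return clean[:-12] + struct.pack(">I", 0x7FFFFFFF) + b"iCCP" + clean[-12:]


def chunk_types(data):
    return [t for t, _ in parse_chunks(data)]
```

Two things are worth noticing. The regenerated file contains only the three critical chunks, so a malformed colour profile or text chunk in the input never reaches the consumer. And the parser's bounds check on the declared chunk length means the malformed sample is rejected with an exception, which is the "tripped up but contained" outcome the paragraph describes: the extraction process fails closed instead of passing the bytes on.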

The proof of Content Threat Removal comes from demonstrating that new attacks, such as this PNG buffer overflow, were defeated by versions of the product that predate it. Researchers have not yet released samples of the attack, but when they do, we will be able to show that our defences already defeated it.
