An Android/Linux bug left about one billion mobile phone users exposed to the insertion of malware. According to Ars Technica, to remain secure while doing something as simple as browsing websites, the user must ensure that every connection in use is encrypted; otherwise the bug gives an attacker a pathway to inject malicious content into the traffic.
In a Recode article, Google called this a high-risk flaw that requires a user to download a malicious app in order to be affected. Not everyone agrees with Google. Lookout researcher Andrew Blaich told Ars Technica that no voluntary download is needed; instead, just one unguarded minute is enough for the attacker to inject malware.
Although a vast number of consumers are potentially exposed by this bug, the attacker would need to know which websites a specific user frequents. That limits the convenience of exploiting the bug and makes it better suited to an attack on a specific person than to an attack on all users of a website or all users of a payment system, such as the one that hit Target stores.
When NSA becomes aware of a bug or vulnerability, it faces a decision: fix it (or advise the software owners to fix their software), or stay quiet in the hope that no one else knows about it, so that NSA can use it in the future, i.e. "hoard the vulnerability" for use in clandestine surveillance. Both paths are in alignment with NSA's mission. Fixing vulnerabilities generally helps consumers, government and industry, and would be the default course of action. Presumably NSA would want to fix this bug because of its predictably short shelf life: NSA is unlikely to remain the only party aware of the Android/Linux bug for long.
Whether NSA often hoards vulnerabilities has been disputed, but a recent stash of hacking exploits put up for auction suggests NSA may do more stockpiling than it admits. The so-called Shadow Brokers offered about 300 megabytes of NSA cyber-weapon code on the Internet. Current thinking is that NSA placed the tools on a server for use in an operation and that a lapse in security allowed them to be copied by outsiders. The weapons are vintage 2013 but appear unrelated to Snowden's theft of NSA tools and documents. They are a mix of exploits for vulnerabilities that have been independently discovered and fixed since 2013, and some for vulnerabilities that had remained unknown until now. That some were still fresh (i.e., still "zero-day" exploits) suggests NSA knew of them but hoarded them for three years.
Android and Linux are not uniquely flawed. In August 2016, Apple released iOS 9.3.5 to patch three vulnerabilities in its mobile operating system that had not previously been known to Apple. The three had been chained by the Israeli NSO Group into a particularly capable iPhone surveillance exploit, capable of capturing the location and all messages in and out of a targeted iPhone; it was discovered when it was used against a UAE activist. NSO purportedly does not operate its own exploits and claims it sells its exploit software only to government agencies for lawful use. For example, it has been speculated that NSO exploits helped the FBI crack the iPhone of one of the San Bernardino terrorists.
It is easy to say "no bugs," but perfection is devilishly difficult to deliver, especially when the product is subject to competitive forces calling for a constant stream of new features. In practice, the best we can hope for is that attackers are slow to exploit, that consumers always behave prudently, and that software makers react quickly when a bug is found.