This weekend saw xda-developers user alephzain post a previously unknown and extremely dangerous Android vulnerability that affects most Samsung Galaxy S II, Galaxy Note II, international Galaxy S III, Nexus 4, some Sony Xperia devices, and possibly many others. The vulnerability is the result of a blunder that software quality control should have exposed. The flaw would allow any application on an affected device, including apps that do not use Android permissions, to read and alter any part of the device's memory. This episode provides another example of why it is important to give individuals more control over the devices they use.
Computer memory operates a little like a person's short-term memory. It can't hold much information at the same time, but at one point or other everything that a person sees, hears, thinks about, and recalls goes through his or her short-term memory.
In the same way, computer memory contains all information that the computer processes. This includes web traffic, bank information, personal notes and images, data that the user has decrypted, passwords, PIN numbers, and swipe unlock patterns.
Computer memory also contains the programs that the computer is executing. While an attacker could use this vulnerability to read and rewrite all user secrets, an attacker could also rewrite a program in memory and take control of the device.
Fortunately, the defense against the security hole is simple. It's so simple, in fact, that the defense has been in Android since the operating system was first released in 2008. Android is based on a much older operating system kernel called Linux. Linux developers have always been aware of the danger of allowing direct access to memory. Many operating systems that use Linux disable user access to memory entirely. But when the functionality is enabled, it is appropriately secured in Linux by default.
That makes the vulnerability's appearance especially egregious. Samsung created another way to access the device's memory that looks just like the original mechanism but never fitted it with the same safeguards as the original. Samsung had to do something extraordinary to break Linux's security.
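The safeguard the article refers to is the file permission on the kernel's memory device node: on a stock Linux system the node that exposes physical memory is owned by root and not accessible to ordinary users, so a second node that mirrors it without that restriction is exactly the kind of thing a permissions audit catches. The following shell script is an added example, not code from the article or from Samsung; it assumes GNU `find` and `stat` (as found on a Linux host or an Android shell with busybox) and scans a directory, by default `/dev`, for device nodes that grant read or write access to everyone. The optional second argument lets the same check run against regular files, which is how it can be exercised without root.

```shell
#!/bin/sh
# Added example: audit a device tree for world-accessible device nodes.
# A node that exposes kernel or physical memory but is readable or
# writable by "other" would be listed here; a correctly secured node
# (root-owned, no access for other) would not.

# list_world_accessible DIR [TYPE]
#   DIR  : directory to scan (normally /dev)
#   TYPE : find -type letter; "c" = character devices (default),
#          "f" = regular files (handy for testing without root)
# Prints "octal-mode path" for each match, one per line, sorted.
list_world_accessible() {
  dir=$1
  type=${2:-c}
  # -perm -o=r : other has read;  -perm -o=w : other has write
  find "$dir" -type "$type" \( -perm -o=r -o -perm -o=w \) \
       -exec stat -c '%a %n' {} \; 2>/dev/null | sort
}

# count_world_accessible DIR [TYPE]
#   Prints the number of matching entries (0 means nothing to report).
count_world_accessible() {
  list_world_accessible "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: ./audit_dev.sh /dev
if [ "$#" -gt 0 ]; then
  n=$(count_world_accessible "$1")
  echo "$n world-accessible device node(s) under $1:"
  list_world_accessible "$1"
fi
```

On a healthy system the list is expected to contain only nodes that are deliberately open to all users (for example the null and random devices); anything that maps memory or hardware registers and appears in the list deserves immediate attention, and the quickest mitigation is to remove the "other" bits with `chmod o-rw` on that node while a proper firmware fix is awaited.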
Samsung's error is a clear indication that device vendors need to do a better job of ensuring the quality of the software and hardware they offer. Both governments and consumers can and should play a role in making sure companies we trust with our personal data are making privacy a deliverable. But we can also make a more urgent and fundamental demand: allow individuals greater control over the devices they own.
Samsung was inexcusably negligent. But the Samsung corporation, in concert with mobile operators and Google, the creator of the Android system, has worked to ensure that the users of these devices cannot modify them to remedy the security hole themselves. Galaxy users are not free to modify the devices that they own.
The solution to the security hole is known, simple, and effective. Since Samsung makes the source code particular to these devices available, a community of developers identified, created, and distributed the fix to the public before Samsung even acknowledged there was a problem. Yet because individuals typically have limited permissions to modify their smartphones, not everyone could install the fix.
Indeed, most of the affected devices come with digital locks that prevent anyone besides Samsung and mobile operators from altering the Android software. Owners can temporarily fix the problem, but the fix does not protect against even modestly sophisticated attacks. And device owners can't install new software that fixes the problem permanently because the bootloader is locked.
Samsung will release a fixed version of Android for affected devices. But no one knows how long it will take for the company to release a fix. Until then, millions of users will be vulnerable to attacks that use this weakness.
Meanwhile, Samsung also has the right to put digital locks on their devices, thanks to the Digital Millennium Copyright Act. These locks, like locked bootloaders, keep users from safeguarding their own privacy by preventing greater individual control over device software. Device owners have temporarily won the right to forcefully disable these locks. But a simpler, more respectful, and safer solution would be to ship devices without digital locks enabled in the first place.
