Stagefright: How To Defend Against Future Messaging Vulnerabilities
Derek McElhinney, senior consultant at Openmind Networks, says mobile operators need to start taking the stagefright bug more seriously
Recently a security flaw on the Android operating system was discovered, highlighting a vulnerability that put more than one billion smartphones and devices at risk.
Dubbed Stagefright, the vulnerability allows an attacker to install malware on a user device operating system (OS) through a malicious video or audio attachment that can be delivered to a device via an operator’s multimedia messaging service (MMS), through other IP messaging services or web site downloads.
Vulnerable
According to TrendMicro, Android devices from 4.0.1 to 5.1.1 are vulnerable, representing 94.1 percent of all Android devices in use today. For mobile operators, their focus should be on the MMS messaging service, since this is a service that they offer to their subscribers. Due to the auto-download nature of MMS, users may not even have to select to download a message for an attack to happen, therefore adding protection in the mobile network, before the message gets to a user’s device is recommended.
Google and many handset manufacturers have already released OS updates to the affected Android handsets. However, the challenge here is that in many cases subscribers do not, or are slow to, install these updates to their devices – prolonging the issue.
Despite Stagefright being a vulnerability within the handset OS – and so largely out of operator hands – MMS service is something operators do have control over and it’s a core tent of their messaging revenue.
What actions have operators taken so far?
Some operators have already implemented protective measures such as disabling the auto-download of MMS services. But this not a long-term solution as disabling auto-download will, in the long-term, damage the perception of the MMS service, as it limits the subscriber experience. With increasing competition from OTT’s – and operator messaging revenue declining as a consequence – diminishing the MMS experience is not something operators should have to resort to.
Instead of limiting operator messaging services, Stagefright should provide a wake-up call to operators to get their security systems in order to ensure messages delivered – whether SMS or MMS – are virus-free, secure and authentic, to protect against Stagefright, future messaging vulnerabilities as well as Spam and Fraud.
Here are 3 ways operators can look to protect themselves and their subscribers:
1. Educate their subscriber base
It is not only the operators’ service that will be affected by malicious content, Stagefright can also be delivered via OTT apps (Whatsapp, iMessage, etc). With this in mind, education of the subscriber base is the best course of action for operators.
Operators need to highlight to users how to turn off auto-download of video attachments, which allow them to protect their handsets no matter which messaging service they use. This will enable subscribers to protect themselves, but will not mean that all users will choose to do so.
Operators may also want to work with handset manufacturers on behalf of their subscribers, to ensure that any handsets that operators sell are patched with the latest OS version to block such vulnerabilities.
2. Secure their MMS service by blocking all multimedia attachments
Operators can also do a few things with their existing MMS service to stop infected attachments.
Stripping all the video attachments is one such task. This means removing both good and bad videos from any MMS delivered, so that the virus does not reach the handset. But this is a drastic action; much like disabling of auto-download, it reduces the user service experience and damages the perception of MMS as a robust service. Instead operators must ensure they are aiding a positive customer experience, in order to sustain the revenue opportunity from messaging.
With this in mind, operators may want to only block content considered suspicious – this involves scanning each MMS for its content type and taking out any content that doesn’t pass the checks. This is a much better option, but requires software on the MMSC. This brings us on to our next point.
3. Implement Virus Checking on the Multimedia Messaging Service Centre
The biggest asset to an operator is their customer base, so it is in their interest to protect subscribers as much as possible – the key to which is offering an excellent user experience. Hence, the best solution for operators is to be pro-active and to scan MMS messages for malicious content and remove that content if it is found.
In order to do this efficiently, operators need to implement a Multimedia Messaging Service Centre (MMSC) that is capable of detecting and removing malicious multimedia elements from within MMS messages.
MMSC can be enabled with a content checking software which will scan all the multimedia elements in the MMS message. If a piece of multimedia content cannot be properly decoded then this will be stripped from the message.
This offers an alternative protective measure for operators, ensuring that their MMS service continues as normal, while removing the threat of these malformed video files affecting Android users. This also ensures that the operator can diminish any complaints from subscribers regarding their MMS service.
As hackers expand their reach, malicious content like Stagefright will continue to permeate. The good news is that operators can take action now to help protect themselves and their users against future vulnerabilities – ensuring the best possible user experience to subscribers, and avoiding damages to the perception of the MMS service or their messaging revenue.