Motorola RAZR vulnerable, what's up with Motorola's update process?


Update 05/27/2007: One of the comments in the talkbacks (thanks kd5auq!) mentioned that there is no patch to be downloaded for AT&T based Motorola RAZR phones. I've no idea if Motorola currently or formerly supported AT&T based RAZRs, as I'm an iPhone kinda guy, but I'd be curious to see if anyone else has noticed this, knows if AT&T phones are vulnerable, is a Motorola rep that wishes to comment, or has had similar issues getting a patch for your phone. Also, I added two polls to the end of the article, feel free to contribute!

A sexy mobile vulnerability was released today by ZDI that really caught my attention.  Here are the details:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable Motorola RAZR firmware based cell phones. User interaction is required to exploit this vulnerability in that the target must accept a malicious image sent via MMS.

The specific flaw exists in the JPEG thumbprint component of the EXIF parser. A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device.

-- Vendor Response: Motorola states: Together, ZDI and Motorola have identified a potential vulnerability related to viewing malicious, manipulated JPEG files affecting select RAZR-series devices.   Although the possibility of this vulnerability occurring is very remote and would only occur in unique circumstances, Motorola proactively corrected it in all new device releases.

To ensure that you have the latest software load available for your device, please visit: http://direct.motorola.com/hellomoto/NSS/update_my_software.asp

So, what's a real bummer about this, and this is why I hate the disclosure brokers, is that no proof of concept code is released, leaving us with some real questions about the vulnerability.  Motorola says in the ZDI release:

"Although the possibility of this vulnerability occurring is very remote and would only occur in unique circumstances, Motorola proactively corrected it in all new device releases."

OK, what are the details then?  Why's it so tough to exploit?  It sounds pretty straightforward: user accepts malicious image sent through MMS, gets pwned.  What's so tough about that?  One-click to pwnage.  It's sent with an MMS, so you could adapt your approach.  Maybe you send it attempting to look like a popular bank, telling someone it's an image of their bank statement.  My message to Motorola is that if you say it is not an issue, back up why it is not an issue, don't leave us grasping at thin air for your reasoning.

Worse yet, I went to check out the Motorola update page, hoping they'd have more details (they did not), and I decided to enter in some fake information to see what their response was for a given phone.  I said I used T-Mobile and had a Motorola RAZR phone, and this is what was presented to me:

Motorola Software Update provides the latest approved software for devices in warranty. Please enter your date of purchase to determine warranty status.

Date entered here...

Check Warranty Status

You will be prompted if a backup and restore of your device is warranted. If a backup and restore is warranted, during the software update, all third-party media, including but not limited to, music, pictures, ringtones, and screensavers, will be deleted. You will need to reload all third-party media after the software update. Third party applications and some custom settings CANNOT be automatically restored after the device has been updated. Please note that during the update, you will have the opportunity to save your personal data.

Umm... so, apparently, I only get to be protected from this flaw if my phone is still under warranty.  Could someone with a Motorola RAZR or from Motorola please confirm whether this is the case?  If so, this is ridiculous.


-Nate
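The advisory quoted above names the EXIF thumbnail parser but discloses no root cause, so the following is an added example (not code from ZDI, Motorola or this post) of the structural check any EXIF consumer or an MMS-side filter can apply: the thumbnail offset and length declared in IFD1 must fall inside the APP1 segment. It is a generic validation of the thumbnail fields, not a test for this specific flaw; the function names and the constructed sample file are assumptions made for illustration.

```python
import struct

THUMB_OFFSET, THUMB_LENGTH = 0x0201, 0x0202  # Exif IFD1 tags, both type LONG

def exif_tiff(jpeg):
    """Return the TIFF payload of the first Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if seglen < 2 or pos + 2 + seglen > len(jpeg):
            raise ValueError("segment length exceeds file size")
        body = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + seglen
    return None

def read_ifd(tiff, e, off):
    """Return ({tag: 32-bit value field}, next IFD offset); struct.error if truncated."""
    n = struct.unpack_from(e + "H", tiff, off)[0]
    ents = [struct.unpack_from(e + "HHII", tiff, off + 2 + 12 * i) for i in range(n)]
    return {t: v for t, _, _, v in ents}, struct.unpack_from(e + "I", tiff, off + 2 + 12 * n)[0]

def check_thumbnail(jpeg):
    """Classify the EXIF thumbnail: 'ok', 'none' or 'reject: <reason>'."""
    tiff = exif_tiff(jpeg)
    if tiff is None:
        return "none"
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return "reject: bad TIFF header"
    e = "<" if tiff[:2] == b"II" else ">"
    try:
        _, next_off = read_ifd(tiff, e, struct.unpack_from(e + "I", tiff, 4)[0])
        tags = read_ifd(tiff, e, next_off)[0] if next_off else {}
    except struct.error:
        return "reject: IFD outside segment"
    if THUMB_OFFSET not in tags:
        return "none"
    off, length = tags[THUMB_OFFSET], tags.get(THUMB_LENGTH, 0)
    if length == 0 or off + length > len(tiff):  # fixed-width code: test length > size - off
        return "reject: thumbnail outside segment"
    return "ok"

def sample(declared_len):
    """Constructed test JPEG: empty IFD0, IFD1 pointing at a 4-byte stand-in thumbnail."""
    ifd1 = struct.pack("<HHHIIHHIII", 2, THUMB_OFFSET, 4, 1, 44, THUMB_LENGTH, 4, 1, declared_len, 0)
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<IHI", 8, 0, 14) + ifd1 + b"\xff\xd8\xff\xd9"
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

`check_thumbnail(sample(4))` returns `ok`, while a declared length larger than the segment, such as `sample(0x10000)`, is rejected before any thumbnail bytes would be copied.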


Talkback

23 comments
  • Apparently AT&T Razrs are not affected?

    When I click on the Motorola link you provide
    it allows me to use my computer to download the
    update ... BUT ... AT&T is not listed under the
    "carrier type" selection. Only T-mobile is a
    similar network type selection available.

    I've already "bricked" a Creative Zen MP3 player with an errant update from Creative Labs so I am not willing to risk it on a working phone!

    PS: I had to lie on the purchase date to be able to download the update to my PC!
    (I'm so ashamed!)
    kd5auq
    • WOW!

      Interesting, honestly I don't know that it's not affected... I would assume it is. I will update the post and ask the question.

      -Nate
      nmcfeters
  • Maria Sharapova nude! Download this now!

    nt
    georgeou
    • Come on George!

      I feel robbed, there was no link or MMS. Bummer.

      Totally would've taken the pwnage for those pics.

      -Nate
      nmcfeters
      • Yeah, me too :)

        "Totally would've taken the pwnage for those pics."

        Yeah, me too :). And I should know better.
        georgeou
      • These ZDNet forums allow for picture embedding too.

        These ZDNet forums allow for picture embedding too. Some pervert put some hard core pr0n in one of my talkbacks too and it actually showed up in-line on the first page of my blog. So if the images were malformed to take advantage of some zero-day or recent exploit that people haven't patched yet, you'd get owned.

        Now even if it wasn't on the front page of the blog posting, you just know that any man with a pulse will click on a "Maria Sharapova nude!" thread. Heck, you could embed a 2x2 pixel malformed image and it would be hard to spot.

        So the fact that the exploit requires some level of user interaction isn't much comfort to the consumer. Even security experts like us can get caught with an image parsing exploit though we would probably know enough to say no to the UAC elevation prompt.
        georgeou
        • Interesting

          Interesting thoughts... my understanding is that the requirement is for the image to be passed through MMS, but realistically, we have no idea since ZDI and Motorola have provided no proof of concept code.

          For all we know, the MMS message might have been the only deployment vector that the attacker could think of.

          In any case, taking ownership of content (i.e. accepting user uploaded images) is a HUGE issue. I can't talk more about it now, though I wish I could. I'll just say that people watching Rios, Heasman, Carter, and my talk at Black Hat Vegas will definitely enjoy.

          -Nate
          nmcfeters
          • It wasn't a deliberate feature, but there are ways to do it

            It wasn't a deliberate feature and I still don't know how they managed to embed an image into this forum, but there are ways to do it and I've seen it done.

            To me, an image exploit or flash exploit is about as serious as they get these days. The days of open firewall ports and self propagating worms are largely gone because of the built-in default-on firewalls in Windows and Mac OS. Exploits that take advantage of ubiquitous data parsing code are probably the most serious threat to the masses. Then again, isn't the most popular bot on the net using purely social engineering?
            georgeou
    • How do you still have a job??

      ...after posting something like that?? Seriously.
      Techboy_z
  • RE: Motorola RAZR vulnerable, what's up with Motorola's update process?

    I hardly can believe this is the way a large consumer company like Motorola handles a severe security flaw. As far as I understand they say to their customers: There's a problem with some of the RAZR phones we sold but we won't tell you if yours is affected. If your phone is still under warranty, just do an update (don't care if it's necessary or not, our updates are always worth spending your time with doing them. After all it's your time, not ours). And most important of all: Just don't worry, we will not help you anyway until your next phone purchase is lurking.
    I just thought of replacing my old RAZR by a current model because I prefer their keys to all those design crap made by Sony Ericsson and others, but that busted it. I will have to live with a Samsung in the future, I guess.
    hdn.de
    • Yep, they're practically pre-historic here

      This is the problem really... until a company gets flogged
      about the arse with security issues, they take this strange
      stance of "we're secure, this is not an issue". You can see
      Apple doing it in their most recent decision to treat null
      ptr deref issues as not worth fixing on the latest core
      release... you can also see it here.

      It's very much the stance that Microsoft used to take
      before going through their own growing pains.

      Honestly, while they aren't very transparent, I think Google
      has an interesting approach... they act kind of like, sure,
      hack us, just tell us about it and we'll thank you and fix it
      fast. Firefox is the same way (most times).

      -Nate
      nmcfeters
    • RE: Motorola RAZR vulnerable, what's up with Motorola's update process?

      Frankly, I love the Razr's hardware, but there's not much which can make the software much worse.
      As for having it wipe all my data before it can do a firmware update? Forget it! The PC software which came with the 'phone is so flakey, there's no way I'd trust the darned thing to ever work again, let alone restore everything.
      MY next one will probably be a Nokia again. Being an old fogey, I like the font size options they offer. The poxy unnecessary blue lines in the Razr's SMS window don't even let me distinguish a comma from a full-stop. What, do they think I can't type in a straight line without them?
      bicycle repair man
  • RE: Motorola RAZR vulnerable, what's up with Motorola's update process?

    Well, the warranty check may be due to the fact that the update could brick your phone, and Motorola just wants to make sure that if that happens it won't cost you any money to get a new phone.
    mrlinux
    • No excuse

      If updates are so dodgy that they could brick your phone, no wonder Motorola is trying to poo poo this clear vulnerability as a non-issue... who wants to deal with all those angry calls?

      Seriously, that's no excuse for only allowing someone with a valid warranty to download a patch.

      -Nate
      nmcfeters
      • I agree.

        All they needed to do was accompany said firmware update with a warning, telling you that you update at your own risk, and you accept liability for any failure should it be outwith the warranty period.
        Skullet
  • Verizon uses its own software, so such a defect would never get fixed

    For Verizon phone owners, Motorola patches are irrelevant. Verizon would need to produce the patch, and support for older versions is spotty at best. Users generally have to take their phones into a store with tech support, which may or may not have the software.
    pattas
  • RE: Motorola RAZR vulnerable, what's up with Motorola's update process?

    To ensure that you have the latest software load available for your device, please visit:

    http://direct.motorola.com/hellomoto/NSS/update_my_software.asp

    Just tried that link and got:

    We're sorry...
    The page you requested doesn't exist in this location.

    Geez, I guess that the vulnerability no longer exists too!
    gczerw
  • RE: Motorola RAZR vulnerable, what's up with Motorola's update process?

    It could be worse. You could be running the Verizon software on the Razr. I think the hack might actually be a good thing if it gets rid of the Verizon software maybe?

    Anthony
    astrange1
  • RE: Motorola RAZR vulnerable, what's up with Motorola's update process?

    Just did the update. Guess what: my phone's battery went dead during the restore of the backup. Yes, even when connected over USB, leaving me with a six-month-old backup (yes, I know I should back up more).

    But further, the update just made GOOD improvements: fewer crashes, better menu option, better language (Dutch),
    better sync, etc.

    Haven't found any obvious problems.

    Regards,
    Koru (Netherlands)
    beekmanmb@...
  • Motorola Patching

    Hi there,

    Just in case you're still curious, I took my almost 3yo RAZR and ran it through the update. This is the GSM version of the phone available in Australia and not locked or customised to any network. It was updated on a Win XP Pro SP3 PC.

    After lying about the warranty status, it installed a program on my PC (that crashed, twice, before launching successfully and even then it stopped the phone communicating with the Motorola PC software that I was using to back up my contacts) that did the updating. The update went OK, though after it finished it did reset the phone to all "default" settings, and misreported the battery as 100% flat.

    No idea if the fault still exists though. Any idea how to test for it given the lack of available data on the exploit?

    Mikey
    mikey3211