CyanogenMod allegedly susceptible to Man-in-the-Middle attacks due to negligence

As the most popular third-party ROM for Android, CyanogenMod has a large following among Android users who run custom firmware. Unfortunately, the ROM may expose its users to a serious security risk, as it is allegedly susceptible to MitM (Man-in-the-Middle) attacks. The flaw, discovered by an anonymous security researcher, could cause trouble for those who use CyanogenMod and the numerous other ROMs that derive from it.

The reason for this extremely serious flaw is pure negligence. The researcher claims the team behind CyanogenMod simply “copy-pasted” an outdated code sample from Oracle's Java 1.5. The code is used to parse certificates and extract hostnames, but it suffers from an old bug and is by no means resistant to MitM attacks.


The anonymous researcher has subsequently tried to reach out to Cyanogen and inform them about the gaping hole in CyanogenMod's security. Hopefully, the team behind the popular ROM has taken the necessary action and will fix the flaw.

11 Comments

1. Planterz

Posts: 2120; Member since: Apr 30, 2012

That ain't good. I expect it'll get fixed quickly on official releases, but there's lots of unofficial ports as well as legacy devices that no longer get updates. Of course, I have no idea what the heck this security flaw actually means. It's all mumbo-jumbo to me.

2. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

Basically it lets a bad thing happen. As an idea, let's say you were doing online banking, either via text or web. A man in the middle literally is a middle attack, meaning the middle man gets both data sent and received from the handset. And since it is signed, it most likely won't come up on a security sweep, or at least not till it is too late. Better explanation than me is here: http://www.veracode.com/security/man-middle-attack

3. duartix

Posts: 311; Member since: Apr 01, 2014

MIM attacks are useless if you have an asymmetric encryption scheme based on a PKI (public key infrastructure). Anyway, this doesn't look hard to solve.

4. remixfa

Posts: 14605; Member since: Dec 19, 2008

Most holes aren't hard to solve. It's more of finding the right line of code to fix among thousands and millions of lines.

10. sprockkets

Posts: 1612; Member since: Jan 16, 2012

Actually according to CM, the bug isn't actually even there: https://jira.cyanogenmod.org/browse/BACON-1687?jql=text%20~%20%22man%20in%20the%20middle%22 "KitKat does not use JSSE - Android 4.4 is not affected"

5. TheMan

Posts: 494; Member since: Sep 21, 2012

FYI, given the use of "organisation," the spelling of "tonne" is properly used and does not require the "[sic]" notation.

6. mike2959

Posts: 696; Member since: Oct 08, 2011

What do you expect? A bunch of hackers getting hacked.

7. Whitefur

Posts: 27; Member since: Oct 13, 2014

Calling people who install custom firmware to their device "hackers" is giving them too much credit...

9. sprockkets

Posts: 1612; Member since: Jan 16, 2012

Then again, hacking has nothing to do with "cracking" or "crackers", but we all gave up trying to have people use the right terms anyhow huh? I mean, a person who does a crappy cheap ass job doing something is a "hack job", but has nothing to do with computers, eh?

8. wkm001

Posts: 145; Member since: Feb 04, 2014

I use CM on my OnePlus One. I honestly don't care about this one.

11. tasior

Posts: 265; Member since: Nov 04, 2012

Everything is susceptible to Man in the Middle attacks. Communication is not susceptible to man in the middle attacks only if it checks the certificate against its own trustworthy certification authority. That is hardly the case. Usually, it checks with a public certification authority, where you can become a trusted key owner just by registering.
