CVE-2019-2234 details massive security vulnerability for Google and Samsung Camera Apps

[WillyW]

I hope you all are updating your Samsung and Google devices. If you have you will have noticed an update for the camera app would have been pushed of late. Also if you installed the Google Camera App on your non pixel phone you should get the latest version.

 

There has been a CVE released that details by the same research team that discovered the vulnerabilities on Google/Amazon smart home devices (Checkmarx). The vulnerability allows you to:

 

Quote

• Take a photo using the smartphone camera and upload it to the command server.
• Record video using the smartphone camera and upload it to the command server.
• Wait for a voice call to start, by monitoring the smartphone proximity sensor to determine when the phone is held to the ear and record the audio from both sides of the conversation.
• During those monitored calls, the attacker could also record video of the user at the same time as capturing audio.
• Capture GPS tags from all photos taken and use these to locate the owner on a global map.
• Access and copy stored photo and video information, as well as the images captured during an attack.
• Operate stealthily by silencing the smartphone while taking photos and recording videos, so no camera shutter sounds to alert the user.
• The photo and video recording activity could be initiated regardless of whether the smartphone was unlocked.

 

Essentially turning your phone into what Google already does, track everything you do. The exploit would require an app to be installed and one permission enabled:

 

Quote

This app didn’t require any special permissions other than basic storage access.

 

Given that this type of exploit exists and the same research team was able to discover two major other exploits on similar type of devices, it would stand to reason that there are other very bad vulnerabilities out in the wild, being sold for profit by groups like ]HackingTeam[.

 

Quote

Indeed, Thornton-Trump observed that had the security researchers been wearing black hats they could easily have monetized this research for hundreds of thousands of dollars. “Everyone is safer today because of the great work and integrity of the Checkmarx researchers,” Thornton-Trump says.

 

It's like Windows XP in the early 2000s all over again. The fragmented nature of patching devices for android has been in the spotlight and STILL manufacturers are not waking up. Maybe because they have their own track everything you do apps.

 

Also a reason why certain lawyers for famous politicians should not take their devices to a consumer repair store.

 

Currently the CVE database doesn't list this bug yet.

 

https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2019-2234

 

Here is the article link:

https://www.forbes.com/sites/daveywinder/2019/11/19/google-confirms-android-camera-security-threat-hundreds-of-millions-of-users-affected/#742d4e4f4e12

 

The author is a little dramatic.

Edited November 22, 2019 by WillyW
Correction & addition

[Commodus]

15 hours ago, WillyW said:

Essentially turning your phone into what Google already does, track everything you do.

Can we get away from hyperbole like this?  Even as someone who's deep in the Apple ecosystem I know that Google isn't that pervasive.  And I think the "omg Google is spying on everything you do" rhetoric prevents us from addressing the specific areas where Google might overstep its bounds and, y'know, solving the problems.

[Fnige]

8 hours ago, Tedny said:

So, another one?! 

aaaaanother one

[rcmaehl]

3 minutes ago, SlimyPython said:

aaaaanother one

DJ Dataleakkkkk

[Fnige]

2 minutes ago, rcmaehl said:

DJ Dataleakkkkk

back in the servers boiiiiiiii

[Bananasplit_00]

Well then. Guess I'll have to dig up somewhere to get the Google camera app for my G6 again and hope that it will be updated