Security probe-wielders from Google's Project Zero team in Europe and the United States have flayed the Samsung Galaxy S6 Edge, finding 11 nasty vulnerabilities in the flagship handset.
The informal hack-off focused on Samsung's latest OEM offering rather than the pure Android Nexus because of its popularity and therefore the necessity to make sure it is secure.
The team consists of James Forshaw, Natalie Silvanovich, Mark Brand and others.
Tamagotchi defiler Silvanovich organised the affair, which produced means for attackers to forward Samsung emails to whatever address they please, own devices with media à la Stagefright, and pop phones with five memory corruption holes.
"A week of investigation showed that there are a number of weak points in the Samsung Galaxy S6 Edge," Silvanovich says.
"Over the course of a week, we found a total of 11 issues with a serious security impact.
"Several issues were found in device drivers and image processing, and there were also some logic issues in the device that were high impact and easy-to-exploit."
Silvanovich tagged as most interesting a directory traversal hole (CVE-2015-7888) Brand found that allows files to be written as system.
"There is a process running as system on the device that scans for a zip file in /sdcard/Download/cred.zip and unzips the file. Unfortunately, the API used to unzip the file does not verify the file path, so it can be written in unexpected locations," Silvanovich says.
"On the version of the device we tested, this was trivially exploitable using the Dalvik cache using a technique that has been used to exploit other directory traversal bugs, though an SELinux policy that prevents this specific exploitation technique has been pushed to the device since."
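The missing check in the bug just described is a containment test on each archive member's resolved path. As an added example (not Samsung's or Project Zero's code), the Python below extracts a zip only after resolving every member against the destination directory and refusing any that would land outside it; the archive carrying a "../" entry and the scratch directory are constructed here for the demonstration.

```python
import io
import os
import tempfile
import zipfile

def resolve_member(root: str, name: str) -> str:
    # The check the unzip API described above lacked: the resolved destination
    # must stay under the extraction root, whatever "../" or "/" the name holds.
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing traversal entry: {name!r}")
    return target

def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    # Validate every member before writing any, so a bad entry late in the
    # archive cannot leave a half-extracted tree behind.
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        targets = [resolve_member(root, i.filename) for i in infos]
        for info, target in zip(infos, targets):
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written

def build_sample_zip(include_traversal: bool) -> bytes:
    # Constructed sample: a benign member plus, optionally, one whose name
    # climbs out of the extraction directory with "../".
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "harmless")
        if include_traversal:
            zf.writestr("../../escaped.txt", "would land outside dest")
    return buf.getvalue()

def demo():
    # Hostile archive must be refused with nothing written; clean one extracts.
    with tempfile.TemporaryDirectory() as dest:
        try:
            safe_extract(build_sample_zip(include_traversal=True), dest)
            refusal = None
        except ValueError as exc:
            refusal = str(exc)
        nothing_written = os.listdir(dest) == []
        written = safe_extract(build_sample_zip(include_traversal=False), dest)
    return refusal, written, nothing_written
```

Because the validation pass runs over the whole member list before the first write, a traversal entry anywhere in the archive causes the whole extraction to be refused rather than partially applied.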
Samsung made good on its promise to patch quickly by throwing an over-the-air update 90 days after the disclosures were made. Three less-severe issues are, however, zero-day affairs for now.
Teams battled to attack three main attack surfaces of the Samsung S6 Edge, chosen because they are reasonably considered the components of an exploit chain that can escalate to kernel privileges from a "remote or local starting point".
Specifically they had to:
- Gain remote access to contacts, photos and messages. More points were given for attacks that don’t require user interaction, and required fewer device identifiers.
- Gain access to contacts, photos, geolocation, etc. from an application installed from Play with no permissions
- Persist code execution across a device wipe, using the access gained in parts 1 or 2
Updated to add
A Samsung spokeswoman has been in touch to say some of the bugs have been, and the rest will be, fixed and issued to handset owners via Sammy's monthly security update program, which launched in October.
"In our first security update, we were able to provide solutions to eight of the more critical issues that were brought to our attention by Google as part of their 90-day reporting policy," she said.
"The remaining three issues will be included as part of our November security update which will be rolling out over the next couple of weeks. Samsung encourages users to keep their software and apps updated at all times."