‘Towelroot’ exploit reveals security nightmare for Android

A new Android rooting method publicized by noted white hat (white hat = good guy) hacker George Hotz, aka “geohot”, has been causing quite a stir in the Android tweaking community, as it gives the user root privileges on devices on which root had not yet been achieved. The exploit, which is carried out by simply installing an app, is known as “Towelroot.” Hotz announced his finding on xda-developers and hosted the .apk file for the app on towelroot.com.

First, a little background

For those who are not as familiar with what it means to root a device, rooting means giving the user access to all files and directories on the device. The reason that is not the case by default is basically to prevent a novice user from rendering their device unusable by accidentally changing files that are crucial for stable operation.

A secondary purpose for devices being “unrooted” by default is that this keeps apps that aren’t built into the operating system from accessing those regions of the file system. This is an important security precaution that keeps untrustworthy apps from silently doing things like turning on the GPS and logging your location, turning on your camera and downloading that information, or a variety of other things that the worst sort of malware might want to do.

People who like to tweak and know what they are doing gain root access so they can customize their device further than is possible without that access. They are selective about which apps they grant root access to, and most software used in these situations is open source, so users can verify that nothing nefarious is going on.

What’s so special about Towelroot?

Towelroot gains root access by exploiting a vulnerability in the Android kernel, which is based on Linux. The kernel is the most basic component of the device’s software and acts as a middle-man that lets the operating system and the physical hardware talk to one another.

The kernel more or less translates the requests of the software into commands for the processor and other internal components and vice versa. Each device will have a unique kernel since every device is using different equipment, but there are key components of the kernel that are unlikely to be changed so long as the operating system is Android.

This is why many people reacted to the release of Towelroot with great excitement: because almost all Android devices share this vulnerability, Towelroot can likely root almost all Android devices. And because it is done via an app, it is really easy to do. Normally root is achieved by inputting commands and uploading files to the device from a computer. It’s complicated and we won’t get into it here.

George Hotz is a trustworthy guy who has notably jailbroken iPhones before as well as the PS3. Towelroot is, by all indications, completely trustworthy and remarkably good at what it is intended to do: grant root access to moderately competent or better Android enthusiasts and developers.

Still, this is a nightmare

See, the part of the kernel Hotz took advantage of is so basic that it is present in almost all of today’s Linux kernels. Not just those that run on Android devices, but also those in the various Linux distributions that run on computers and web servers. The bug was discovered by an anonymous teenage code reviewer known in this context as “Pinkie Pie” and was publicized to encourage Linux developers to update the kernel.

Very quickly, it was patched, and it shouldn’t take long for computer and server users to receive the patch. It’s not that easy with Android devices, where updates must be created by the manufacturer and then also approved by the carrier. Too often, older devices are given up on by their manufacturers, and an update to patch this is just very unlikely. Even for newer devices, having the carrier as a middle man in the process will likely slow the release of updates considerably.

Because this exploit can be used by an Android app, it is especially serious. Reddit user BitMastro explains this very well in plain English:

. . .the app runs some code, the code crashed [sic] android and leave it confused, in its confused state it thinks that the app should be root, then the app installs something to allow other apps to become root.

This all happens without the user knowing a thing. When you root a device on purpose, you include software that tells you every time an app wants root privileges and lets you allow, deny, or grant a probationary period of access to the given app. If this exploit is used by someone less trustworthy than Hotz, there won’t be any obvious indication that it has happened.

Unfortunately, it would be very easy to do this. Imagine you are a software developer who is, well, evil. You have an app that many people have downloaded. Knowing about this exploit, you create an update to your app that runs a script as described earlier and then…

With the right coding chops, you could do a lot of harm.

There are not yet any reports of this happening, but it very well can happen, and it is unlikely that no one will attempt it. If you are running a version of Android that hasn’t been updated since June 3, you may be vulnerable. If you are concerned, do not install updates to apps that you don’t trust. Make sure to disable auto-updates by opening the Play Store and going to its settings.
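As an added example that is not part of the article, the following defender-side triage script turns the two checks above (is the firmware build older than the June 3 patch cut-off, and has a root helper been silently dropped on an unrooted device) into code. It assumes the year is 2014, that properties are captured with `adb shell getprop`, that the filesystem listing comes from `adb shell ls`, and that the su paths listed are the usual locations; all sample data is constructed.

```python
# Added example, not the article's or Towelroot's code. Triage an Android
# device's exposure to the Towelroot-class kernel bug from the defender's side.
import re
from datetime import datetime, timezone

# Assumption: the "June 3" cut-off mentioned in the article is 3 June 2014.
PATCH_CUTOFF = datetime(2014, 6, 3, tzinfo=timezone.utc)

# Assumption: usual locations where a persistent root helper (su) is placed.
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/data/local/su")


def parse_getprop(text):
    """Turn `getprop` lines like `[ro.build.date.utc]: [1398902400]` into a dict."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\[([^\]]+)\]:\s*\[(.*)\]\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def build_is_stale(props, cutoff=PATCH_CUTOFF):
    """True if the firmware build predates the patch cut-off, None if unknown."""
    raw = props.get("ro.build.date.utc")
    if raw is None or not raw.isdigit():
        return None  # cannot judge without a build timestamp
    built = datetime.fromtimestamp(int(raw), tz=timezone.utc)
    return built < cutoff


def unexpected_su(existing_paths, known_paths=SU_PATHS):
    """Return su binaries present on a device the owner never rooted."""
    present = set(existing_paths)
    return sorted(p for p in known_paths if p in present)


def triage(getprop_text, existing_paths):
    """Combine both indicators into one report for the device."""
    props = parse_getprop(getprop_text)
    return {
        "model": props.get("ro.product.model", "?"),
        "build_stale": build_is_stale(props),
        "su_found": unexpected_su(existing_paths),
    }


# Constructed sample data, not output from a real device.
SAMPLE_GETPROP = "[ro.product.model]: [ExamplePhone]\n" \
                 "[ro.build.date.utc]: [1398902400]\n" \
                 "[ro.build.version.release]: [4.4.2]\n"
SAMPLE_FS = ["/system/bin/sh", "/system/xbin/su", "/system/app/Example.apk"]

if __name__ == "__main__":
    print(triage(SAMPLE_GETPROP, SAMPLE_FS))
```

A stale build combined with an su binary the owner never installed is the pattern the article warns about: a silently rooted device with no prompt from a root manager.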

Featured image by Danny Choo (Flickr).