CyanogenMod updater prone to man-in-the-middle attack

CyanogenMod’s updater is prone to man-in-the-middle attacks because the app requests updates over an insecure connection. As a result, an attacker can inject malware into an update package and offer it to the phone as a legitimate update.

The updater accesses CyanogenMod’s server over an insecure connection, which prevents the phone from checking that it is talking to the correct server, says New Zealand hacker Kyh Wana, who reported the vulnerability but did not wait for a response before publishing the finding.

An attacker can exploit the vulnerability by positioning themselves between the phone and the server and redirecting the updater to a server under their control. From there, that server can offer the phone an update into which malware has been inserted, and the phone would download and install it as if it were legitimate. Because the phone’s request contains the device codename, such as Hammerhead for the Nexus 5, someone exploiting the vulnerability can set up a server holding updates for several devices and always serve the matching one. The device also does not check whether the zip file it is about to flash is legitimate.

CyanogenMod has not yet commented on the vulnerability. As far as is known, no one has exploited it so far. Whether and when CyanogenMod will release a fix is unknown. Securing the connection by running it over SSL would be enough.
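As an added illustration (not CyanogenMod’s code), the two checks whose absence the article describes, written in Python: refusing an update URL that is not HTTPS, and verifying a downloaded zip’s digest and target codename before it is flashed. The trusted digest standing in for a signed manifest, the `META-INF/com/android/metadata` layout with a `pre-device=` line, and the placeholder host are assumptions made for the example.

```python
import hashlib
import io
import zipfile
from urllib.parse import urlparse

class UpdateRejected(Exception):
    pass

def check_update_url(url: str) -> str:
    # Plaintext HTTP lets an on-path party redirect the updater; refuse anything but HTTPS.
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected(f"insecure update URL: {url}")
    return url

def verify_package(zip_bytes: bytes, trusted_sha256: str, device: str) -> bool:
    # The zip was flashed unchecked; compare its digest with the manifest's trusted value...
    if hashlib.sha256(zip_bytes).hexdigest() != trusted_sha256:
        raise UpdateRejected("package digest mismatch")
    # ...then check the target codename (assumed "pre-device=<codename>" line in OTA metadata).
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        meta = zf.read("META-INF/com/android/metadata").decode()
    fields = dict(line.split("=", 1) for line in meta.splitlines() if "=" in line)
    if fields.get("pre-device") != device:
        raise UpdateRejected(f"package is for {fields.get('pre-device')}, not {device}")
    return True

def build_sample_package(device: str, payload: bytes) -> bytes:
    # Constructed stand-in for an update zip; not a real CyanogenMod build.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/com/android/metadata", f"pre-device={device}\n")
        zf.writestr("system/payload.bin", payload)
    return buf.getvalue()

def demo() -> dict:
    good = build_sample_package("hammerhead", b"genuine build")
    trusted = hashlib.sha256(good).hexdigest()  # digest a signed manifest would carry
    results = {"good": verify_package(good, trusted, "hammerhead")}
    for name, attempt in {
        "tampered": lambda: verify_package(build_sample_package("hammerhead", b"x"), trusted, "hammerhead"),
        "wrong_device": lambda: verify_package(good, trusted, "mako"),
        "plain_http": lambda: check_update_url("http://updates.example.invalid/api"),  # placeholder host
    }.items():
        try:
            results[name] = attempt()
        except UpdateRejected as err:
            results[name] = str(err)
    return results
```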