Qi Alfred Chen

Research Impact

Quick links: Media Coverage, Vulnerability Disclosures, Industry Discussions & Responses

Media Coverage

[Euro S&P'17] Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications

Five Components Of Autonomous Car Security , Forbes, 10/31/2019

Apps Available for Your Smartphone Could Steal Your Personal Information , WXYZ-TV (ABC afflicated), 06/28/2017

An Obsure App Flaw Creates Backdoors in Millions of Smartphones , Wired, 04/28/2017

Smartphone Security Hole , Michigan Engineering, 05/12/2017

Hundreds of Popular Android Apps Have Open Ports, Making Them Prime Targets for Hacking , TechRepublic, 05/02/2017

Open Ports Create Backdoors in Millions of Smartphones , Bleeping Computer, 04/28/2017

[S&P'16] MitM Attack by Name Collision: Cause Analysis and Vulnerability Assessment in the New gTLD Era

US-CERT: Leaked WPAD Queries Could Expose Corporate to MitM Attacks , SecurityAffairs, 05/26/2016

When Domain Names Attack: the WPAD Name Collision Vulnerability , NakedSecurity, 05/25/2016

WPAD Name Collision Flaw Allows MitM Attacks , SecurityWeek, 05/24/2016

WPAD Name Collision Vulnerability - From US-CERT/Verisign , Reddit, 05/25/2016

US-CERT: Domain Name Collision Bug Could Result in MitM Attacks , SCMagazine, 05/25/2016

WPAD Name Collision Bug Opens Door for MitM Attackers, HelpNetSecurity, 05/24/2016
Stuck in the Middle: MitM Attacks Could Stem From Well-Intentioned WPAD Use, SecurityIntelligence, 05/26/2016
Michigan and Verisign Researchers Demonstrate New Man-in-the-Middle WPAD Query Attack, UMich EECS News, 05/26/2016
...

[Usenix Security'14] Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks

Android Attack Improves Timing, Allows Data Theft , Ars Technica, 08/24/2014

Researchers Find Way to Hack Gmail with 92 Percent Success Rate , CNET News, 08/21/2014

New Hack Could Steal Personal Information from Gmail, Other Popular Apps , CBS News, 08/21/2014

Gmail Smartphone App Hacked by Researchers , BBC News, 08/22/2014

Sneak Attack: Android Apps Can Spy on Each Other , NBC News, 08/21/2014

Android Apps can do a Sneak Attack and Ambush Each Other, Android Headlines, 08/22/2014
Sneak Attack: Android Apps Can Ambush Each Other, Tom's Guide, 08/21/2014
Malicious Android Apps Can Hack Gmail, PC Magazine, 08/22/2014
Android, Windows and iOS Vulnerability Allows 92 Percent Hack Success Rate For Popular Apps Like Gmail, HotHardware, 08/21/2014
Shared Memory in Mobile Operating Systems Provides Ingress Point for Hackers, UMich EECS News, 08/25/2014
...

Vulnerability Disclosures

US-CERT Alert TA16-144A: WPAD Name Collision Vulnerability
CVE-2016-3898: Privilege escalation vulnerability in Android Telephony service
CVE-2016-5227: Device authentication hijacking vulnerability in AirDroid
AndroidID-21669196: Privilege escalation vulnerability in Android Short Message Service (SMS) service
AndroidID-22541289: Privilege escalation vulnerability in Android Network Service Discovery (NSD) service
AndroidID-22806457: Privilege escalation vulnerability in Android Round-Trip Time (RTT) service
AndroidID-24776299: Privilege escalation vulnerability in Android GPS service
AndroidID-13887522: Privilege escalation vulnerability in Android Input Method Manager, Activity Manager, and Window Manager services
AndroidID-23782371: Privilege escalation vulnerability in Android Telephony and Telecomm service
AndroidID-25113145: Privilege escalation vulnerability in Android Telephony service

Industry Discussions & Responses

Email acknowledgements from Apple, Microsoft and Comcast on the reported client-side name collision vulnerabilities.
RIPE 72 discussion, 05/23/2016: Alert (TA16‐144A) WPAD Name Collision Vulnerability

Verisign's remediation suggestions for enterprise: White Paper: Enterprise Remediation for WPAD Name Collision Vulnerability

Response from AirDroid application team on CVE-2016-5227

Web
Analytics Made Easy - StatCounter