| Recurring |
one_organization, multiple_organization |
(a) The software failure incident related to Android smartphones being vulnerable to hacking has happened again within the same organization, Google. The article mentions that Google has fixed a security flaw in Chrome but Android users are still vulnerable because carriers and device manufacturers have not pushed those fixes or patches out to users [13247].
(b) The software failure incident of evading Google's "Bouncer" technology for identifying malicious programs in the Google Play Store has implications beyond one organization. The article mentions that Trustwave researchers discovered a technique to evade Google's security measures using a legitimate programming tool, JavaScript bridge, which could be exploited maliciously. This indicates a potential vulnerability across multiple organizations that use similar tools for legitimate purposes [13247]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase is evident in the article as experts demonstrated methods to attack Android smartphones despite Google's efforts to boost protection [13247]. The vulnerabilities exploited by hackers, such as delivering malicious code through near field communications and exploiting security flaws in the Android browser, highlight design weaknesses in the system that allow for such attacks to occur. The failure to push security updates to users by carriers and device manufacturers also points to design flaws in the system's update and patch distribution process.
(b) The software failure incident related to the operation phase is seen in the article through the technique discovered by Trustwave researchers for evading Google's "Bouncer" technology in the Google Play Store [13247]. By using a legitimate programming tool called JavaScript bridge, the researchers were able to remotely add new features to a program without going through the normal Android update process. This operation-related failure allowed them to load malicious code onto a phone and gain control of the browser, demonstrating how system operation and misuse can lead to security breaches and total control by malicious actors. |
| Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident discussed in the articles is primarily due to contributing factors that originate from within the system. The incident involves security vulnerabilities in Android smartphones that allow for the delivery of malicious code, exploitation of security flaws in the Android browser, and evading Google's security measures within the Google Play Store. These issues highlight weaknesses within the Android operating system and its associated features that can be exploited by hackers and malicious actors [13247].
(b) outside_system: The articles do not specifically mention any contributing factors that originate from outside the system leading to the software failure incident. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident occurring due to non-human actions:
- The article discusses how hacking experts demonstrated ways to attack Android smartphones using methods that work on virtually all devices, despite efforts by Google to boost protection [13247].
- The incident involved exploiting a security flaw in the Android browser that was publicly disclosed by Google's Chrome browser development team [13247].
- The researchers also discovered a technique for evading Google's "Bouncer" technology for identifying malicious programs in the Google Play Store by using a legitimate programming tool known as JavaScript bridge [13247].
(b) The software failure incident occurring due to human actions:
- The article mentions that the researchers demonstrated methods for delivering malicious code to Android phones using new Android features like near field communications [13247].
- It is highlighted that carriers and device manufacturers have not pushed security fixes or patches out to Android users, leaving them vulnerable to attacks [13247].
- The researchers loaded malicious code onto their phones and remotely gained control of the browser, showcasing how JavaScript bridge could be exploited maliciously [13247]. |
| Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident occurring due to hardware:
- The article discusses how hacking experts demonstrated ways to attack Android smartphones at the Black Hat hacking conference in Las Vegas [13247].
- One of the experts, Charlie Miller, demonstrated a method for delivering malicious code to Android phones using the near field communications feature, which involves hardware interactions [13247].
- Miller also mentioned creating a small device that could be placed near a cash register to infect Android phones when they come into close proximity, highlighting a hardware-related attack method [13247].
(b) The software failure incident occurring due to software:
- The article mentions that hacking experts were able to infect an Android phone with a piece of malicious code that exploited a security flaw in the Android browser, which was publicly disclosed by Google's Chrome browser development team [13247].
- Additionally, the Trustwave researchers discussed a technique for evading Google's "Bouncer" technology in the Google Play Store by using a legitimate programming tool called JavaScript bridge, which could be exploited maliciously to gain control of the browser and download more code [13247].
- These instances point to software-related vulnerabilities and failures exploited by the hackers during the demonstrations at the conference. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the articles is malicious in nature. Hacking experts demonstrated methods to attack Android smartphones, showing how malicious code could be delivered to devices using near field communications and exploiting security flaws in the Android browser. They were able to infect Android phones with malicious code, highlighting vulnerabilities that could be exploited by attackers. Additionally, researchers discovered techniques to evade Google's security measures in the Google Play Store, demonstrating how malicious code could be loaded onto phones and grant attackers total control [13247]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The software failure incident described in the articles is more related to poor_decisions. The incident involved hacking experts demonstrating ways to attack Android smartphones despite efforts by Google to boost protection. The experts showed methods to deliver malicious code using new Android features like near field communications and exploiting security flaws in the Android browser. Additionally, the article mentions that carriers and device manufacturers have not pushed out fixes or patches to protect Android users, leaving them vulnerable [13247]. |
| Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident related to development incompetence is evident in the article as it discusses how Android phones were vulnerable to attacks due to a security flaw in the Android browser that had been publicly disclosed by Google's Chrome browser development team. However, carriers and device manufacturers had not pushed out the necessary fixes or patches to users, leaving Android users vulnerable [13247].
(b) The software failure incident related to accidental factors is demonstrated in the article through the demonstration by Accuvant researcher Charlie Miller of a method for delivering malicious code to Android phones using a new Android feature known as near field communications. This method could allow an attacker to take over a phone by exploiting this feature, showcasing how accidental vulnerabilities in software features can lead to security breaches [13247]. |
| Duration |
permanent |
(a) The software failure incident described in the articles seems to be more of a permanent nature. The articles discuss various methods demonstrated by hacking experts to attack Android smartphones, highlighting vulnerabilities in the Android system that could potentially allow for malicious code delivery and exploitation of security flaws. These issues are not limited to specific circumstances but rather indicate ongoing vulnerabilities in the Android platform that could be exploited by attackers [13247]. |
| Behaviour |
value, byzantine |
(a) crash: The articles do not mention any specific incidents of software crashing.
(b) omission: The articles do not mention any instances of the system omitting to perform its intended functions.
(c) timing: The articles do not discuss any failures related to the timing of the system's functions.
(d) value: The software failure incident mentioned in the articles involves the exploitation of security flaws in Android devices, leading to the system performing its intended functions incorrectly. For example, the malicious code delivered to Android phones through near field communications allowed for taking over the phone [13247].
(e) byzantine: The software failure incident described in the articles involves the system behaving erroneously with inconsistent responses and interactions, particularly in the context of security vulnerabilities being exploited by hackers to gain control over Android devices [13247].
(f) other: The behavior of the software failure incident can be categorized as a security vulnerability exploit, where hackers demonstrated methods to attack Android smartphones, bypass security measures, and gain control over the devices [13247]. |