The next time your smartphone suddenly shuts off, you might not know where it’s gone.
But in that case, a new server is not just your friend: It could be vulnerable to the same kinds of attacks as the one that wiped your phone or data in 2014.
In a paper published Wednesday, researchers from the University of Washington found that even a relatively simple server — like the one built into an iPhone, iPad or Android phone — can be vulnerable.
The new vulnerability is based on a bug in OpenSSL, a popular encryption standard used by internet-connected devices.
When a user’s iPhone starts shutting down, the phone’s network is shut down.
If the network is unplugged from the phone, that’s when the vulnerability starts.
The researchers discovered the vulnerability through an analysis of an older version of OpenSSL.
In the paper, they found a new vulnerability that they call a ‘vulnerability in source code’ that could be exploited by remote attackers.
In a separate paper, the researchers also found that the new vulnerability has the potential to allow attackers to compromise servers running OpenSSL-based products.
The research team was able to exploit the vulnerability in two different servers: an iPhone server and an Android server running an operating system that’s based on Android.
While the vulnerabilities in both the servers are the same, they do different things.
In the iPhone case, the vulnerability allows an attacker to run code that reads data from an arbitrary file on the device.
If an attacker can then execute code that creates a temporary file and stores it in a directory on the iPhone, the attacker can run arbitrary code in the directory, potentially triggering a denial of service or denial of access (ODA) attack.
In Android, the vulnerabilities are different.
In Android, attackers can read files from the user’s local storage (e.g., SD card) and execute code.
That allows an actor to perform a network attack on an Android device by downloading malicious code from a remote site.
The new vulnerability doesn’t affect the Android servers that run the Google Play Store, but the vulnerability does impact Android devices running older versions of OpenSSH.
The Google Play Store is used by Google Play services like Google Chrome and Gmail, and Google Play is not the only app that the OpenSSH service relies on.
In addition to other applications that rely on OpenSShd, the service relies heavily on the OpenSSL library for encryption and authentication.
That library has also been exposed in the past by hackers, and it has been patched in Android versions from KitKat to Lollipop.
But the vulnerability that the researchers discovered in Android allows an unpatched OpenSSd to still be exploited.
“We don’t know exactly how this vulnerability works, but it does not require the user to be logged into their device,” said Daniel Kroll, the lead author of the paper.
“It doesn’t require any particular interaction with the Android system, and therefore it does allow a lot of attacks that were previously only possible with the remote code execution vulnerability.”
In addition to the new vulnerabilities, the team found a second, older vulnerability in OpenSSdh that allowed attackers to run arbitrary malicious code in arbitrary directories.
The researchers used the vulnerabilities to exploit two different versions of the vulnerability.
The second vulnerability only allowed attackers with physical access to the server to execute code, while the first vulnerability allowed attackers without physical access.
The team also found another vulnerability in the OpenSSH API that allows an untrusted user to read data from the server.
“This vulnerability does not allow the server-side attacker to do anything except read arbitrary data,” Kroll said.
“That is the only way a server can be hacked.”
The researchers also discovered two other vulnerabilities in the code that implements OpenSS dh: a bug that allows the server (a Google account) to execute arbitrary code and a memory leak vulnerability that allows a malicious server to leak data to another malicious server.
“These vulnerabilities allow for remote code injection, privilege escalation, and denial of services,” Kroll said.
“All of these are things that we haven’t seen before in OpenSysh,” he said.
Kroll is now working with researchers from several countries to make OpenSS hsh available in the open, and he said he hopes the code can eventually be made public.
The open source project OpenSSHD has been around for some time.
The project’s GitHub repository currently lists about 1,000 commits and 1,700 pull requests, which were submitted from June 2013 to July 2018.
OpenSS is still not actively maintained.
“OpenSSH is open source, and its development is open,” Kritsch said.
He said he would like to see OpenSSid be made open source someday, and open it to anyone.
“That way, the public can be part of the development process, but developers and others can be included too.”
In an interview with Ars Technica, Kritsc said he’s not opposed to the