Millions of Android Devices Are Vulnerable Right Out of the Box
Android smartphones from Asus, LG, Essential, and ZTE are the focus of a new analysis about firmware bugs introduced by manufacturers and carriers.
Security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination
The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn’t have to be there.
Instead, they’re a byproduct of an open Android operating system that lets third-party companies modify
Those modifications lead to headaches, though, including the well-established problem of delays in shipping security updates. They can also, as Stavrou and his team have uncovered, result in firmware bugs that put users at risk. “The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error,” Stavrou says. “They’re exposing the end user to exploits that the
The Black Hat talk focuses largely on devices from Asus, LG, Essential, and ZTE. That last one should pique some interest; DHS has suggested that the China-based company poses a security threat, though the agency hasn’t shared any concrete evidence to that effect.
And while DHS-funded, the Kryptowire study doesn’t provide that, either. Rather than focusing on manufacturer intent, it looks at the endemic problem of bad code pushed by participants in the broader Android ecosystem. Take the Asus ZenFone V Live, which Kryptowire found to leave its owners exposed to an entire system takeover, including taking screenshots and video recordings of a user’s screen, making phone calls, reading and modifying text messages, and more.
“Asus is aware of the recent ZenFone security concerns raised and is working diligently and swiftly to resolve them with software updates that will be distributed over-the-air to our ZenFone users,” the company said in a statement. “Asus is committed to users’ security and privacy and we highly encourage all users to update to the latest ZenFone software to ensure
The attacks Kryptowire details do largely require the user to install an app. But while that’s normally a decent limiting factor for potential hacks—stick with the Google Play Store, folks—Stavrou says that what makes these vulnerabilities so pernicious is that those apps don’t need to have special privileges when you install them. An app wouldn’t, in other words, have to trick you into granting access to your text and call logs. It would take it, simply and silently, thanks to the device’s broken firmware.
That scenario could lead to a variety of outcomes, depending on the device. For the ZTE Blade Spark and Blade Vantage, firmware flaws would allow any app to access text messages, call data, and the so-called
“Once we were made aware of the vulnerability, it was immediately fixed by our team,” says Essential head of communications Shari Doherty. There’s nothing you can personally do to fix the problem, or realistically even identify it in the first place. LG appears to have addressed some but not all of the underlying issues. “LG was made aware of the vulnerabilities and has introduced security updates to address these issues. In fact, most of the reported vulnerabilities have already been patched or have been included in upcoming scheduled maintenance updates not related to security risks,” the company said in a statement.
As for ZTE, the company said in a statement that it has “already delivered and/or is working with carriers today to deliver the maintenance releases that fix these identified issues. ZTE will continue to work with technology partners and carrier customers to deliver future and on-going maintenance releases that continue to protect devices for consumers.” An AT&T spokesperson confirmed that the carrier had “deployed the manufacturer’s software patches to address this issue.” Verizon and Sprint did not respond to requests for comment. T-Mobile deferred to the CTIA, a wireless industry trade association, which in turn declined to comment until it had a chance to review the Kryptowire findings. The parade of statements shows