This is the main conclusion of the latest research analysis by mobile security company Kryptowire. Kryptowire details the pre-installed vulnerabilities in 10 devices sold by mainstream carriers in the United States. Chief Executive Officer of Kryptowire, Angelos Stavrou (Angelos Stavrou), and Research Director Ryan Johnson (Ryan Johnson) will present their findings at the Black Hat Security Conference on Friday. The study was funded by the Department of Homeland Security.
The potential consequences of these vulnerabilities can be large or small, such as locking the device to make the owner unusable, secretly accessing the device's microphone and other functions.
"this problem will not go away."-Angelos Stavrou, chief executive officer of Kryptowire
The Android operating system allows third-party companies to change code and customize to their own preferences, and those firmware vulnerabilities are such open by-products. There is nothing wrong with openness; it allows vendors to seek differentiation and give people more choices. Google will officially launch Android 9 Pie this fall, but eventually the new system will have a variety of versions.
However, those code changes can cause some headaches, including delays in security update push. As Stavrew and his team have discovered, they can also cause firmware vulnerabilities that put users at risk.
"This problem won't go away because many people in the supply chain want to be able to add their own applications, customize customizations, and add their own code. This increases the range of attacks that can increase the likelihood of software errors. Stavrew pointed out, "They expose end users to vulnerabilities that end users cannot handle."
Kryptowire's speech on Black Hat focused on devices from Asus, LG, Essential and ZTE.
Kryptowire's research is not about the manufacturer's intentions, but the widespread inferior code problems caused by the participants of the entire Android ecosystem.
Take ASUS ZenFone V Live as an example. Kryptowire found that the entire system of the phone was taken over, including screenshots of the user's screen.videoRecord, call, browse and modify text messages, and more.
"ASUS is aware of the security issues of ZenFone recently and is working hard to speed up the resolution through software updates. Software updates will be pushed wirelessly to ZenFone users." ASUS said in a statement, "ASUS is committed to protecting users' security and privacy. All users are strongly encouraged to update to the latest ZenFone software to ensure a secure user experience."
At this stage, to solve the mess caused by myself, pushing updates is the only thing ASUS can do. But Stavru expressed doubts about the effectiveness of this repair process. "Users must accept and install this patch. So even if they push it to the user's phone, the user may not install the update," he said. He also pointed out that on some models tested by Kryptowire, the update process itself was interrupted. The discovery was also supported by a recent study by German security firm Security Research Labs.
The attacks detailed by Kryptowire basically require users to install applications. However, while it’s normal to be able to circumvent potential attacks by insisting on using the official Google Apps store, Google Play, to download apps, Stavrew points out that those applications that make these vulnerabilities so harmful are those apps. No special permissions are required at installation time. In other words, the app doesn't have to entice you to give access to your text messages and call history. Thanks to flawed firmware, it's easy and quiet to get your text messages and call history.
Attacks can end up with a variety of consequences, depending on what device you are using. For ZTE Blade Spark and Blade Vantage, firmware flaws allow any application to access text messages, call data, and so-called log records (collecting various system messages, including sensitive information such as email addresses, GPS coordinates, etc.). On the LG G6 (the most popular model in Kryptowire's research report), vulnerabilities could expose log records or be used to lock devices out of reach of the owner. The attacker may also reset the Essential Phone and clear its data and cache.
"our team fixed the bug immediately after we realized it," said Sally Doherty (Shari Doherty), Essential's communications director.
You can't solve the problem yourself, and you can't find the problem early.
LG seems to have solved some potential problems, but it has not been completely solved. "LG has previously learned about these vulnerabilities and has released security updates to address these issues. In fact, most of the vulnerabilities mentioned in the report have been patched or have been incorporated into upcoming scheduled maintenance updates that are not related to security risks. The company said in a statement.
As for ZTE, the company said in a statement that it "has pushed security updates and is working with operators today to push for maintenance updates to fix these issues. ZTE will continue to work with technology partners and carrier customers, the future. Continue to provide maintenance updates and continue to protect consumer devices."
A spokesperson for AT&T confirmed that the operator had "deployed the manufacturer's software patch to solve the problem." Verizon and Sprint did not respond to requests for comment.
This series of statements shows progress, but it also highlights a key issue. Stavrew said that these updates may take several months to create and test, requiring multiple tests from the manufacturer to the operator to the customer. In the process of waiting for the update, you can't solve the problem yourself, and you can't find the problem early.
"One thing is certain, that is, no one guarantees the safety of consumers." Stavrew pointed out that "the vulnerability is deeply ingrained in the system, and consumers may not be able to judge whether it exists. Even if they realize its existence They have no choice but to wait for the manufacturer, operator or anyone who updates the firmware to help."
At the same time, this discovery is only the first of many discoveries that Kryptowire will eventually make public. (In order to allow companies to respond enough time, it has not disclosed all the findings.)
"We would like to thank Kryptowire's security researchers for their efforts to enhance the security of the Android ecosystem. The issues they outlined do not affect the Android operating system itself, but will affect third-party code and applications on the device." Google The spokesman said in the statement.
Third-party code and those apps don't seem to disappear in the short term. As long as they are still there, those hidden dangers will still exist.