Android smartphones from Asus, LG, Essential, and ZTE are in the spotlight in a new study of firmware vulnerabilities caused by manufacturers and carriers.
According to a report by Wired, researchers have discovered that millions of Android devices ship with firmware vulnerabilities that leave them open to attack and leave their users defenseless. Smartphone security failures are often self-inflicted: you clicked the wrong link or installed a problematic app. But for millions of Android devices, these vulnerabilities have long been lurking in the firmware, and it was only a matter of time before they were exploited. Who is responsible for this? To some extent, both the manufacturers who make the devices and the carriers who sell them.
That's the main conclusion of a new analysis from mobile security company Kryptowire, which details vulnerabilities pre-installed on 10 devices sold by major U.S. carriers. Kryptowire CEO Angelos Stavrou and research director Ryan Johnson will present their findings at the Black Hat security conference on Friday. The research was funded by the U.S. Department of Homeland Security.
The potential consequences of these vulnerabilities range from minor to major, from locking the device so that the owner cannot use it to secretly accessing the device's microphone and other functions.
The Android operating system allows third-party companies to modify the code and customize it to their liking, and these firmware vulnerabilities are a byproduct of that openness. There is nothing wrong with openness itself; it allows manufacturers to differentiate their products and gives people more choices. Google will officially launch Android 9 Pie this fall, but eventually the new system will exist in a variety of versions. Those code changes can cause headaches, including delays in delivering security updates, and, as Stavrou and his team discovered, they can also lead to firmware vulnerabilities that put users at risk.
“This problem is not going away because many people in the supply chain want to be able to add their own applications, customize them, and add their own code. This increases the attack surface and the likelihood that the software will fail,” Stavrou said. “They are exposing the end user to vulnerabilities that the end user cannot address.”
Kryptowire's talk at Black Hat focused on devices from Asus, LG, Essential, and ZTE. Kryptowire's research focuses not on the intentions of manufacturers, but on the widespread problem of poor code introduced by participants across the entire Android ecosystem.
Taking the ASUS ZenFone V Live as an example, Kryptowire found that the entire system of the phone could be taken over and controlled, including taking screenshots and video recordings of the user's screen, making calls, and reading and modifying text messages.
"ASUS is aware of the recent ZenFone security issues and is working to expedite resolution through software updates that will be pushed to ZenFone users over the air," ASUS said in a statement. "ASUS is committed to protecting the security and privacy of its users, and we strongly recommend that all users update to the latest ZenFone software to ensure a secure user experience."
At this stage, pushing updates is the only thing Asus can do to fix the mess it has created. But Stavrou is skeptical about the effectiveness of this patching process. "The user has to accept and install the patch. So even if they push it to the user's phone, the user may not install the update," he said. He also pointed out that on some models tested by Kryptowire, the update process itself was interrupted. This finding is also supported by a recent study by German security company Security Research Labs.
The attacks detailed by Kryptowire essentially require users to install an app. However, while a good way to avoid potential attacks is to stick to Google Play, the official Google app store, for downloading apps, Stavrou points out that what makes these vulnerabilities so harmful is that the apps don't require special permissions to be granted when they are installed. In other words, the app doesn't have to trick you into giving it permission to access your text messages and call logs. Thanks to the flawed firmware, it can easily and silently obtain them.
The attack could ultimately lead to a variety of consequences, depending on which device you're using.
In the case of the ZTE Blade Spark and Blade Vantage, the firmware flaws allow any app to access text messages, call data, and so-called logging (a collection of various system messages that could include sensitive information like email addresses, GPS coordinates, etc.). On the LG G6 (the most popular model in Kryptowire's research), the vulnerability could expose the logging or be used to lock the device so that the owner can't access it. An attacker could also reset the Essential Phone, clearing its data and cache.
"Once we were made aware of the vulnerability, our team immediately worked to fix it," said Shari Doherty, Essential's head of communications.
LG appears to have addressed some of the potential issues, but not completely. "LG was previously aware of these vulnerabilities and has already released security updates to address them. In fact, most of the reported vulnerabilities have already been patched or are already included in upcoming scheduled maintenance updates that are not related to security risks," the company said in a statement.
As for ZTE, the company said in a statement that it "has already pushed out security updates and is working with carriers today to push out maintenance updates that fix these issues. ZTE will continue to work with technology partners and carrier customers to provide ongoing maintenance updates in the future to continue protecting consumers' devices."
An AT&T spokesperson confirmed that the carrier has "deployed the manufacturer's software patch to address this issue." Verizon and Sprint did not respond to requests for comment.
The flurry of announcements shows progress, but it also highlights a key problem. Stavrou said the updates can take months to create and test, and need to go through multiple checkpoints from manufacturers to carriers to customers.
While you're waiting for updates, you can't fix the problem yourself or detect it early.
"One thing is certain: no one is protecting consumers," Stavrou said. "The vulnerability is so ingrained in the system that consumers may not be able to tell it exists. Even if they are aware of it, they can't do anything about it except wait for the manufacturer, carrier or whoever updates the firmware to help."
In the meantime, this discovery is just the first of many that Kryptowire will eventually make public. (It hasn’t yet made all of its findings public, in order to give companies time to respond.)
"We would like to thank the security researchers at Kryptowire for their work to strengthen the security of the Android ecosystem. The issues they outlined do not affect the Android operating system itself, but do affect third-party code and apps on devices," a Google spokesperson said in a statement.
Third-party code and those applications don't seem to be going away anytime soon. As long as they're there, the potential for headaches will remain.