Security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you.
That’s the key finding of new analysis from mobile security firm Kryptowire, which details troubling bugs preloaded into 10 devices sold across the major US carriers. Kryptowire CEO Angelos Stavrou and director of research Ryan Johnson will present their research, funded by the Department of Homeland Security, at the Black Hat security conference Friday.
The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn’t have to be there.
‘The problem is not going to go away.’
Angelos Stavrou, Kryptowire
Instead, they’re a byproduct of an open Android operating system that lets third-party companies modify code to their own liking. There’s nothing inherently wrong with that; it allows for differentiation, which gives people more choice. Google will release a vanilla version of Android Pie this fall, but it’ll eventually come in all kinds of flavors.
Those modifications lead to headaches, though, including the well-established problem of delays in shipping security updates. They can also, as Stavrou and his team have uncovered, result in firmware bugs that put users at risk.
“The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error,” Stavrou says. “They’re exposing the end user to exploits that the end user is not able to respond to.”
The Black Hat talk focuses largely on devices from Asus, LG, Essential, and ZTE. That last one should pique some interest; DHS has suggested that the China-based company poses a security threat, though the agency hasn’t shared any concrete evidence to that effect.
And while DHS-funded, the Kryptowire study doesn’t provide that, either. Rather than focusing on manufacturer intent, it looks at the endemic problem of bad code pushed by participants in the broader Android ecosystem.
Take the Asus ZenFone V Live, which Kryptowire found to leave its owners exposed to an entire system takeover, including taking screenshots and video recordings of a user’s screen, making phone calls, reading and modifying text messages, and more.
“Asus is aware of the recent ZenFone security concerns raised and is working diligently and swiftly to resolve them with software updates that will be distributed over-the-air to our ZenFone users,” the company said in a statement. “Asus is committed to users’ security and privacy and we highly encourage all users to update to the latest ZenFone software to ensure a safe and secure user experience.”
At this point, pushing an update is the most Asus can do to clean up the mess it made. But Stavrou questions the efficacy of the patching process. “The user has to accept the patch. So even if they send it to the phone, you might not accept the update,” he says. He notes also that on some of the models Kryptowire tested, the update process itself was broken, a finding backed up by a recent study from German security firm Security Research Labs.
The attacks Kryptowire details do largely require the user to install an app. But while that’s normally a decent limiting factor for potential hacks—stick with the Google Play Store, folks—Stavrou says that what makes these vulnerabilities so pernicious is that those apps don’t need to have special privileges when you install them. An app wouldn’t, in other words, have to trick you into granting access to your text and call logs. It would take it, simply and silently, thanks to the device’s broken firmware.
That scenario could lead to a variety of outcomes, depending on the device. For the ZTE Blade Spark and Blade Vantage, firmware flaws would allow any app to access text messages, call data, and the so-called logcat log, which collects system messages and can include sensitive information like email addresses, GPS coordinates, and more. On the LG G6, the most popular model in the Kryptowire report, vulnerabilities could expose the logcat log, or be used to lock a user out of their device. And an attacker could factory reset an Essential Phone, wiping both its data and cache.
“Once we were made aware of the vulnerability, it was immediately fixed by our team,” says Essential head of communications Shari Doherty.
There’s nothing you can personally do to fix the problem, or realistically even identify it in the first place.
LG appears to have addressed some but not all of the underlying issues. “LG was made aware of the vulnerabilities and has introduced security updates to address these issues. In fact, most of the reported vulnerabilities have already been patched or have been included in upcoming scheduled maintenance updates not related to security risks,” the company said in a statement.
As for ZTE, the company said in a statement that it has “already delivered and/or is working with carriers today to deliver the maintenance releases that fix these identified issues. ZTE will continue to work with technology partners and carrier customers to deliver future and on-going maintenance releases that continue to protect devices for consumers.”
An AT&T spokesperson confirmed that the carrier had “deployed the manufacturer’s software patches to address this issue.” Verizon and Sprint did not respond to requests for comment. T-Mobile deferred to the CTIA, a wireless industry trade association, which in turn declined to comment until it had a chance to review the Kryptowire findings.
The parade of statements shows progress, but also underscores the key issue. These updates can take months to create and test, Stavrou says, and need to pass through the gauntlet from manufacturer to carrier to customer. While you wait, there’s nothing you can do to fix the problem yourself, or realistically even identify it in the first place.
“One thing that is clear is that there is nobody defending the consumer,” Stavrou says. “It’s so deep in the system that the consumer might not be able to tell that it’s there. Or even if they did, they have no recourse other than waiting for the manufacturer, or the carrier, or whoever is updating the firmware to do so.”
Meanwhile, this batch of findings is just the first in a much longer pipeline that Kryptowire will eventually make public. (It hasn’t yet, in order to give companies enough time to respond.)
“We would like to thank the security researchers at Kryptowire for their efforts to reinforce the security of the Android ecosystem. The issues they have outlined do not affect the Android operating system itself, but rather, third party code and applications on devices,” a Google spokesperson said in a statement.
That third-party code and those apps don’t seem likely to disappear any time soon. And as long as they’re there, expect the deeply hidden headaches to continue.