08-13-2018, 11:31 AM
Vulnerabilities Found in the Firmware of 25 Android Smartphone Models
Last week, at the DEF CON security conference held in Las Vegas, security researchers presented details about 47 vulnerabilities in the firmware and default apps of 25 Android smartphone models, 11 of which are also sold in the US.
These vulnerabilities, embedded in full in the table at the bottom of this article, range from simple flaws that crash devices to dangerous bugs that grant attackers the ability to get root access on users' devices.
Some of the most dangerous of these vulnerabilities allow an attacker to retrieve or send SMS texts from the user's phone, take screenshots or record videos of the phone's screen, retrieve the user's contacts list, force the installation of third-party arbitrary apps without the user's knowledge or consent, or even wipe the user's data from the device.
Some big OEM brands listed
These vulnerabilities were discovered in both the default apps that come preinstalled on some devices by default (and are sometimes unremovable), but also in the firmware of core device drivers that can't be removed without losing some of the phone's functionality, if not access to the device as a whole.
US mobile and IoT security firm Kryptowire unearthed these vulnerabilities as part of a grant awarded by the Department of Homeland Security (DHS).
The smartphone brands (OEMs) included on Kryptowire's list include big names such as ZTE, Sony, Nokia, LG, Asus, and Alcatel, but also smaller companies such as Vivo, SKY, Plum, Orbic, Oppo, MXQ, Leagoo, Essential, Doogee, and Coolpad.
"With the hundreds of mobile phone makes and models on the market and thousands of versions of firmware, best-effort manual testing and evaluations simply cannot scale to address the problem of identifying vulnerabilities in mobile phone pre-installed apps and firmware," said Angelos Stavrou, CEO of Kryptowire, in a press release also announcing the release of a new enterprise-targeted platform for automatically testing the firmware and apps of Android mobile devices.
Some old names on the list
Some of the OEM brands are old acquaintances. For example, ZTE. Leagoo and Doogee have been listed in previous reports about insecure Android device makers. Devices from these two vendors were found on two different occasions [1, 2] to come preinstalled with banking trojans.
Back in November 2016, Kryptowire also discovered a backdoor mechanism in the FOTA (Firmware Over The Air) update software system produced by Chinese firm Adups. That FOTA system was included in the firmware of many Android phone makers, and a year later was found to be still active, despite public disclosure.
Last week, at the DEF CON security conference held in Las Vegas, security researchers presented details about 47 vulnerabilities in the firmware and default apps of 25 Android smartphone models, 11 of which are also sold in the US.
These vulnerabilities, embedded in full in the table at the bottom of this article, range from simple flaws that crash devices to dangerous bugs that grant attackers the ability to get root access on users' devices.
Some of the most dangerous of these vulnerabilities allow an attacker to retrieve or send SMS texts from the user's phone, take screenshots or record videos of the phone's screen, retrieve the user's contacts list, force the installation of third-party arbitrary apps without the user's knowledge or consent, or even wipe the user's data from the device.
Some big OEM brands listed
These vulnerabilities were discovered in both the default apps that come preinstalled on some devices by default (and are sometimes unremovable), but also in the firmware of core device drivers that can't be removed without losing some of the phone's functionality, if not access to the device as a whole.
US mobile and IoT security firm Kryptowire unearthed these vulnerabilities as part of a grant awarded by the Department of Homeland Security (DHS).
The smartphone brands (OEMs) included on Kryptowire's list include big names such as ZTE, Sony, Nokia, LG, Asus, and Alcatel, but also smaller companies such as Vivo, SKY, Plum, Orbic, Oppo, MXQ, Leagoo, Essential, Doogee, and Coolpad.
"With the hundreds of mobile phone makes and models on the market and thousands of versions of firmware, best-effort manual testing and evaluations simply cannot scale to address the problem of identifying vulnerabilities in mobile phone pre-installed apps and firmware," said Angelos Stavrou, CEO of Kryptowire, in a press release also announcing the release of a new enterprise-targeted platform for automatically testing the firmware and apps of Android mobile devices.
Some old names on the list
Some of the OEM brands are old acquaintances. For example, ZTE. Leagoo and Doogee have been listed in previous reports about insecure Android device makers. Devices from these two vendors were found on two different occasions [1, 2] to come preinstalled with banking trojans.
Back in November 2016, Kryptowire also discovered a backdoor mechanism in the FOTA (Firmware Over The Air) update software system produced by Chinese firm Adups. That FOTA system was included in the firmware of many Android phone makers, and a year later was found to be still active, despite public disclosure.
Below are the vulnerabilities discovered by the Kryptowire team, and presented last week at DEF CON.
Source
Code:
https://www.bleepingcomputer.com/news/security/vulnerabilities-found-in-the-firmware-of-25-android-smartphone-models/
Anything wrong?!
Doubt about something in the forums?!
Please push Report button or send me a PM!!!
Guidelines
Member Ranks
How to use various forum functionalities
======================================================================================
AiOwares is a community whose existence takes place by itself, not by movements unrelated to it.
======================================================================================
Doubt about something in the forums?!
Please push Report button or send me a PM!!!
Guidelines
Member Ranks
How to use various forum functionalities
======================================================================================
AiOwares is a community whose existence takes place by itself, not by movements unrelated to it.
======================================================================================