Security Vulnerabilities in Android Firmware

Researchers have discovered and revealed 146 vulnerabilities in various incarnations of Android smartphone firmware. The vulnerabilities were found by scanning the phones of 29 different Android makers, and each is unique to a particular phone or maker. They were found using automatic tools, and it is extremely likely that many of the vulnerabilities are not exploitable -- making them bugs but not security concerns. There is no indication that any of these vulnerabilities were put there on purpose, although it is reasonable to assume that other organizations do this same sort of scanning and use the findings for attack. And since they're firmware bugs, in many cases there is no ability to patch them.

I see this as yet another demonstration of how hard supply chain security is.

News article.

Posted on November 18, 2019 at 6:33 AM • 17 Comments

Comments

Anders • November 18, 2019 11:24 AM

"They were found using automatic tools,"

I wonder how many vulnerabilities will be found via
thorough manual testing...

But I understand perfectly that there's no time for such kind of testing.
But I disagree with our host here that this is a supply chain security problem.
I see it as the outcome of the current economy model - capitalism.
You need to ship out the product as fast as possible, faster than your
competitor or you lose the market share. So you actually don't care
about security at all, it can be fixed with later updates, if any.
So you ship out the half-baked product that is barely usable and
throw there some novel thing that users will love (more megapixels) etc.
Who cares about the security if you can make money anyway?

Starouscz • November 18, 2019 2:50 PM

No, this is not a problem of capitalism but of a lack of regulation. Regulation to get safety and security is common in all other areas. If you cannot sell devices with horrorshow known bugs, then security will improve. It used to be the case that cars did not need to have any safety included, and the "market" did not solve the lack of it - regulation did.

No witty nickel • November 18, 2019 7:18 PM

You get corruption, incompetence and all other factors detracting from product quality in any economy model.

Resources are limited and rebuilding taught best practices to create less-flawed products is not a pressing concern, certainly less of one than pandering to people in power.
True everywhere and throughout history.

Pushing for legislation to change requires actual pressure exceeding lobbying efforts. Again true everywhere.

I'd personally settle for mandatory fully working source to be released immediately matching rolled out production code to enable patching by third parties.

That doesn't happen and we're stuck with perfectly fine hardware crippled by its shipped software.

Petre Peter • November 18, 2019 7:20 PM

They are not considered physically capable devices yet. It seems like we'll have to wait until they can do damage to life or property to see some security changes.

q • November 19, 2019 3:57 AM

Automated scanners can produce a ton of false positives. Were these results verified manually?

Clive Robinson • November 19, 2019 8:31 AM

@ All,

There are a couple of thoughts that occur with this. Firstly, there are four areas/classes of concern (not two):

1, Android core as released by Google to manufacturers.

2, IO drivers etc. effectively unique to each phone design.

3, Non-removable manufacturer installed Applications.

4, Semi-removable user installed applications.

However overall no matter what the class of cause it is clear that "Smart Devices" built around Android are not in general fit to be used for even the lowest of classified security environments (sensitive[1]). Or for that matter many if not most commercial environments[2].

But questions should be asked about where the primary problem lies. Obviously what is supplied by Google (1) is in effect the core of Android and has interfaces with the other three areas (2,3,4). Whilst the core (1) may not have vulnerabilities or bugs, the question of the complexity of its interfaces arises. That is, interfaces can be "well found" and "minimal", thus making secure interfacing low defect probability; almost always the opposite happens and a "kitchen sink" mentality takes over, and with it unneeded and unwarranted complexity rapidly builds, and with it the exponentially increasing probability that vulnerabilities or bugs will occur.

This is a fairly well known issue, thus one has to ask initially about the necessity of such complexity. This then in the "thinking hinky" security mindset becomes the implicit question of "What are they hiding behind it?". With the third question being "by accident or design?". Which almost automatically gives rise to the "3W question" of "Who?, What?, and Why?". Both of which occurred with Cisco and Juniper core networking products and security. Which in part gave rise to the Chinese Government passing legislation banning the use of their and other US corporate products from key economic areas such as banking etc. The tit-for-tat behaviour of the current US administration has had an odd effect in that it in effect bans the use of Android in Chinese products, thus forcing the largest smart device manufacturer to come up with a new core. Whilst a geo-political analysis would be off topic, that relating to security is not.

We might actually see the beginning of a new tit-for-tat pissing contest. That is, the US gov entities rip apart the Chinese core looking for vulnerabilities, whilst the Chinese reciprocate against the US Google core. Each selectively choosing to publish vulnerabilities to discredit the other. Thus potentially causing a series of "malware attacks", which in many respects would be more advantageous to the Chinese[3] than the US or other Western first world nations.

Whatever happens, it's odds-on favourite that invasive surveillance on end users will rise almost exponentially over the next few years. And it will happen one way or another, "with or without" legislation, and Governments will save considerable money by "proxies through corporates" one way or another (such as Amazon Ring).

[1] Document Classification is multi-level and most nations have their own variations, especially at the lower unclassified / sensitive / confidential / protected / etc. levels. But even at the higher levels of Secret and Top Secret nations differ on what each actually means. Many current national models are seen as "three layer" these days; however, there is an implicit fourth layer of what might be called "not classified". This has come about by the use of classified registration in a database and that all documents should have value as they are paid for via the Tax Take, thus must have justifiable value, with the potential of commoditization. Thus the document producer has to first take a "commercial value judgment" as to whether any new or derived "work" should go in the registered database, then consider other issues related to security as to which of the three other layers it should be classified at. Implicit as part of this is that government workers should never produce "works" that are "not of commercial value"... Which kind of gets interesting when you get down to "information leaflets" like those telling people over 60 to get a free flu jab etc...

[2] All employers should carefully consider the pay-offs of "Bring Your Own Devices" (BYOD) or even "issued devices" used for "Distributed / no office / on the road / from home" employee working models and similar "loose/no security perimeter" working practices against the cost of lost information, both financially and reputationally, especially in "duty of care/confidentiality" environments.

[3] One significant reason for this is the "Great Firewall of China": it allows them to ring fence their jurisdictional section of the Internet, thus limiting any exfiltrating malware etc. As Russia has passed legislation and will be running tests on a similar idea, it can be said that the Balkanisation of the Internet has started and the days of "All roads lead to Rome" will end for the UKUSA Five-Eye IC and LEO organisations. Thus the significant advantage for illegal spying that they have enjoyed at the communications geographical nodes will shortly be lost to them. Which brings up the question of Alphabet / Google's plans for sub sea cables, satellite and even drone balloon comms nodes and transport. They obviously see an advantage that Telcos don't see in doing this... Which broadly suggests that Google have a different business model. As their traditional business model is "theft of PII" it's probably safe to assume Google's model involves heavy surveillance one way or another.

nasch • November 19, 2019 9:04 AM

"I see it as the outcome of the current economy model - capitalism."

And what do you suppose would happen if the government were the only one making phones? We would have lots of great options, all of which have wonderful features and robust security at a good price? Sure. More likely there would be at most three different kinds of phone, and they would be 5-10 years behind where we are now in technology, with comparable or worse security and higher prices. Starouscz is correct that regulation is the answer, not removing private ownership of production. There are problems that the market does not solve, but that doesn't mean you abolish the market.

Anders • November 19, 2019 10:11 AM

@nasch

Both you and Starouscz are wrong - regulators can't help here.
The only option here is that users should start voting with their
feet. Too many users just don't care about the security and are
more than happy just with new UI, megapixels, faster CPU, faster
GPU, more RAM, larger SD card support etc. Most users just don't
care about security and buy the flawed product anyway just for
those aforementioned "eye candies". And capitalism exploits this,
exploits those users.

No regulators help here because security is too fuzzy and hard to
test. How do you test against the unknown 0day? Tell me one, really
_ONE_ product, that is really, REALLY secure, because of those
regulators? Anyone?

Users hold the key here. Educate them. Bring examples. Vote with
feet. FORCE the companies to change their attitude regarding
secure products.


zed • November 19, 2019 11:18 AM

Related article: https://www.kryptowire.com/android-firmware-2019/

One common thread to all of this is that it appears that nearly all the devices in question are cut-rate phones that are typically used with pre-paid subscriptions, and second-echelon providers who lease space on one of the Big 4 networks. Because the devices are cheap, there's every incentive to generate as much revenue from initial sales, because after purchase, they may generate zero additional revenue to either the manufacturer or the carrier. Thus, these are devices that will never see any software updates, whether Android (and pushed out through the carrier) or third-party software that's pre-installed. That's just the nature of cheap phones. And for the most part, the people who buy them don't really care about the security, at least not enough to pay more for devices that will get better support.

Noteworthy is that the list of manufacturers is mostly no-name vendors, with the exception of Samsung and maybe ASUS (with a lot of models), and Panasonic and Sony (with a few models). The problem is that the name "Samsung" is so well-known, that it's easy to equate that with "quality", even though Samsung has a lot of lines, with varying quality. A Samsung Galaxy J model is not a Samsung Galaxy S, even though the names are nearly identical.

Wael • November 19, 2019 12:54 PM

@Clive Robinson, all;

there are four areas/classes of concern (not two)

There're at least nine! I don't want to keep posting the old link from 2012.

Anders • November 19, 2019 2:35 PM

I'll throw in here another example of "nice" capitalism:

www.os2museum.com/wp/the-sad-end-of-intel-desktop-boards/

This is also on par with what @SpaceLifeForm said - disappearing
Intel BIOS downloads.

Jaywalker 007 • November 19, 2019 5:08 PM

found using automatic tools, and it is extremely likely that many of the vulnerabilities are not exploitable

These are comparable to compiler warnings that may highlight potentially unsafe programming practices, but the reported issues are likely not all bugs or programming errors in and of themselves: "unexploitable" issues that may nonetheless merit extra attention at code review or refactoring time.

Mitigation: Utilizing Kryptowire's automated firmware scanning tools we are able to provide up to date detection of these vulnerabilities as new firmware and devices are introduced into your organization. To request more information about our firmware scanning service please click the link below [omitted]

Plugging a proprietary tool. Smells of "snake oil", which Bruce is famous for complaining about.

What about the main alternatives (to Android) offered by the cell phone cartel, namely Apple iOS / iPhone, Microsoft Mobile / Nokia, and BlackBerryOS?

And furthermore, what about the issue of free and open source software versus all the FCC and CFR regulations that prohibit open source operating systems and require all cell phones and portable computing devices to run proprietary software only?

Otherwise even those of us who are experts are limited to standing with our hands in our back pockets in the store aisle choosing and assessing shelf product for its general security reputation.

RealFakeNews • November 20, 2019 1:20 AM

If these were found with automated tools, what about the problems that weren't found?

Who said they weren't exploitable? Famous last words?

- • November 20, 2019 8:24 AM

@ Moderator,

The above from "paul thomas" is unsolicited advertising.

From some AV company.

Alain Deckers • November 21, 2019 6:25 AM

@Anders

You're the one who is wrong, not @nasch or @Starouscz. First of all, no product is 100% secure/safe, nor should that be the objective (airplanes rarely fail but they still do sometimes). And regulation can set incentives to achieve appropriate levels of safety, e.g. via a liability regime.

Anders • November 21, 2019 3:58 PM

@Alain Deckers

I'm very happy to be wrong if someone and history prove so,
because what I've learned in infosec is that everything is constantly
changing and what was a golden rule yesterday is often obsolete today.

The difference between consumer cellphones and airplanes (though the latter
also use computers and software) is that a vulnerability in Android
doesn't cause death. Also, govt is very interested in weakening
crypto / setting up backdoors / having vulnerabilities in software
so that they can access the devices in case of police investigation,
national security matter etc. Do you know how eagerly govt buys 0-days
from brokers?

If they "regulate" this, they "regulate" this only for a view. Users
will have an illusion that they are using a secure product while in
reality they ain't.

I really suggest you read this.

i.blackhat.com/USA-19/Wednesday/us-19-Shwartz-Selling-0-Days-To-Governments-And-Offensive-Security-Companies.pdf
