Security Vulnerabilities in Android Firmware
Researchers have discovered and revealed 146 vulnerabilities in various incarnations of Android smartphone firmware. The vulnerabilities were found by scanning the phones of 29 different Android makers, and each is unique to a particular phone or maker. They were found using automatic tools, and it is extremely likely that many of the vulnerabilities are not exploitable—making them bugs but not security concerns. There is no indication that any of these vulnerabilities were put there on purpose, although it is reasonable to assume that other organizations do this same sort of scanning and use the findings for attack. And since they’re firmware bugs, in many cases there is no ability to patch them.
I see this as yet another demonstration of how hard supply chain security is.
News article.
Anders • November 18, 2019 11:24 AM
“They were found using automatic tools,”
I wonder how many vulnerabilities will be found via
thorough manual testing…
But I understand perfectly that there’s no time for such kind of testing.
But I disagree with our host here that this is a supply chain security problem.
I see it as the outcome of the current economy model – capitalism.
You need to ship out the product as fast as possible, faster than your
competitor or you lose the market share. So you actually don’t care
about security at all, it can be fixed with later updates, if any.
So you ship out the half-baked product that is barely usable and
throw there some novel thing that users will love (more megapixels) etc.
Who cares about the security if you can make money anyway?