Slashdot Mirror

← Back to Stories (view on slashdot.org)

Millions of Android Devices Are Vulnerable Right Out of the Box (wired.com)

Posted by msmash on from the problem-persists dept.

Security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you. From a report: That's the key finding of new analysis from mobile security firm Kryptowire, which details troubling bugs preloaded into 10 devices sold across the major US carriers. Kryptowire CEO Angelos Stavrou and director of research Ryan Johnson will present their research, funded by the Department of Homeland Security, at the Black Hat security conference Friday. The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn't have to be there. [...] "The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error," Stavrou says. "They're exposing the end user to exploits that the end user is not able to respond to." Security researchers found 38 different vulnerabilities that can allow for spying and factory resets loaded onto 25 Android phones. That includes devices from Asus, ZTE, LG and the Essential Phone, which are distributed by carriers like Verizon or AT&T.

67 comments

  1. samsung and others can post roms so not carrier by Joe_Dragon · · Score: 1

    samsung and others can post roms so you do not need to wait for the carrier rom to be updated.

    1. Re:samsung and others can post roms so not carrier by drinkypoo · · Score: 1

      samsung and others can post roms so you do not need to wait for the carrier rom to be updated.

      They can, but the deals they make with carriers include locking the bootloader so you can't install those roms. That's why you have to buy unlocked phones. Some carriers will eventually unlock devices for you, for example after spending some particular amount on airtime for non-contract phones, or after some number of months for contract phones. But it's better to have no lock from the beginning, obviously.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:samsung and others can post roms so not carrier by Anonymous Coward · · Score: 0

      It's a non-issue for those of us who use our own firmwares. Maybe more people should educate themselves and start doing the same.

  2. Not surprising by nwaack · · Score: 3

    When a phone comes brand new out-of-the-box with 55% of its space already used it isn't surprising that some of that crapware is causing vulnerabilities!

    1. Re: Not surprising by peragrin · · Score: 4, Insightful

      Not only is it crapware it is uninstallable crapware. Let me uninstall samsung mail , calendar I don't use it anyway.

      Fine lock me into TouchWiz z but let me uninstall apps I don't actually use.
      Bewteen Samsung and att I have 30 unstallable apps

      Apps, not settings, or keyboards that I replaced just apps

      --
      i thought once I was found, but it was only a dream.
    2. Re: Not surprising by Locke2005 · · Score: 1

      Worse, Samsung Pay keeps popping up notifications telling me I can use Samsung Pay at locations it gets from Location Services. Have I ever installed or registered for Samsung pay? Nope! But it's uninstallable and keeps getting updated anyway!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Not surprising by Anonymous Coward · · Score: 1

      Thanks for playing... I suppose the upside is you mentioned a phone.

    4. Re: Not surprising by Anonymous Coward · · Score: 0

      This has been known for years. And yet you voted with your wallet and OK'ed them doing this. Why would they stop since you keep buying their crapware laden devices?

    5. Re: Not surprising by sjames · · Score: 3, Insightful

      So name the half decent device that isn't loaded with crapware they should have bought instead?

      Too often voting with your wallet is like voting in the old Soviet Union, you can choose any member of the Communist party you want.

    6. Re: Not surprising by Anonymous Coward · · Score: 0

      Pixel 2 and Essential Phone.

    7. Re:Not surprising by Anonymous Coward · · Score: 0

      The solution is competition - and informed buyers.

      Phones (and carrier "solutions") are already reviewed by pro reviewers. Have them shift focus from "megapixels" to "number of crap apps". When the purchasing patterns change, you get:
      * carriers preloading less crap, don't want low scores in reviews
      * manufacturers make phones where carriers can't lock stuff completely - possibly releasing a "manufacturer tool app" that can "uninstall" ROM apps. Samsung don't want to loose just because some carriers crapify their phones.

    8. Re: Not surprising by TheFakeTimCook · · Score: 2

      So name the half decent device that isn't loaded with crapware they should have bought instead?

      Too often voting with your wallet is like voting in the old Soviet Union, you can choose any member of the Communist party you want.

      Easy.

      iPhone.

      And unlike Android, which only lets you HIDE certain Apps (which you can also do with iOS), you can actually DELETE (as in G-O-N-E GONE!) nearly All preloaded Apps (which will also NOT be any "Carrier" Apps; since Apple doesn't allow that horeshit!) :

      https://9to5mac.com/2017/07/17...

    9. Re: Not surprising by MarcAuslander · · Score: 1

      So name the half decent device that isn't loaded with crapware they should have bought instead?

      Too often voting with your wallet is like voting in the old Soviet Union, you can choose any member of the Communist party you want.

      Google phone from Google FI

    10. Re: Not surprising by Anonymous Coward · · Score: 0

      Sine like android 4, you can already put unused apps in a frozen state such that they don't auto run, do not update. Even if you get root to delete the unwanted app, you only freed up space on a read only system partition and gained no extra storage space.

    11. Re: Not surprising by Anonymous Coward · · Score: 0

      Yes, but that's not what was being asked.

    12. Re:Not surprising by Desler · · Score: 1

      "Pro" reviewers these days are more concerned with the size of bezels above anything else.

    13. Re:Not surprising by Anonymous Coward · · Score: 0

      That's because most of the consumer electronics industry competes against Apple and needs people to believe that any device that looks like an iPhone is at least as good as, if not better than, an iPhone. Otherwise Apple wins even bigger... and they're out of a job.

    14. Re: Not surprising by fred6666 · · Score: 0

      Wake me up when you can delete iOS and install Android on it.

    15. Re: Not surprising by drinkypoo · · Score: 1

      Any unlocked Moto phone. So far, anyway. Everything is removable, and you can unlock the bootloader, root, and blow away the OS install if that changes. So far, anyway :D

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    16. Re: Not surprising by sjames · · Score: 1

      But I'm already voting against the walled garden with my wallet.

    17. Re: Not surprising by Anonymous Coward · · Score: 0

      You can die in a fire instead, kthxbai.

    18. Re: Not surprising by Anonymous Coward · · Score: 0

      What a badass.

    19. Re: Not surprising by Anonymous Coward · · Score: 0

      Any device with the android one project. Sure, big brother is still spying on you, but no bloat with promised updates for 2 years. Better than the overpriced pixel range, but essentially that. I've been using the Nokia 7 plus for a few months at half the price of a Google Pixel. No complaints here.

    20. Re: Not surprising by Anonymous Coward · · Score: 0

      I know! I phones are so bad!

    21. Re: Not surprising by TheFakeTimCook · · Score: 1

      Wake me up when you can delete iOS and install Android on it.

      Hardly an "App", now is it?

    22. Re: Not surprising by TheFakeTimCook · · Score: 1

      But I'm already voting against the walled garden with my wallet.

      ...and voting for no user privacy and constant malware.

      Good choice!

    23. Re: Not surprising by fred6666 · · Score: 1

      Of course, but iOS is locked-down. If you value freedom you have to switch.

    24. Re: Not surprising by TheFakeTimCook · · Score: 1

      Of course, but iOS is locked-down. If you value freedom you have to switch.

      I value my freedom. It is YOU that wants to LIMIT my freedom to CHOOSE.

    25. Re: Not surprising by fred6666 · · Score: 1

      I don't. You are indeed free to chose between a locked-down OS and one giving you more freedom.
      Some people don't really want freedom and are perfectly happy in jail as long as their cell is comfortable enough. They call it the "walled garden".

    26. Re: Not surprising by TheFakeTimCook · · Score: 1

      I don't. You are indeed free to chose between a locked-down OS and one giving you more freedom.
      Some people don't really want freedom and are perfectly happy in jail as long as their cell is comfortable enough. They call it the "walled garden".

      But unlike Jail, which almost NOBODY calls "home", people who have chosen iOS by and large do not refer to iOS as "Walled". This is NOT some cyber-variant of "Stockholm Syndrome" by the way; because, unlike the now-famous Stockholm Hostages, NOBODY is PREVENTING iOS Users from "leaving"; so by definition, there can be no Hostage-Kidnapper relationship under which to form Stockholm Syndrome.

    27. Re: Not surprising by fred6666 · · Score: 1

      That's a characteristic of walled gardens. People living in them rarely refer to them as such. Many are not even aware there is a world outside the wall. There is a reason it's a wall and not a fence.

      Some others also think they can leave the garden if they want. Yeah sure. You can leave the garden, and lose all your purchased apps, accessories, iMessage, AppleTV, Apple Watch, Apple Music and other iStuff that will either stop working or lose half of their functionality without your iPhone. So no, you are not leaving the garden any time soon. Let's face it, the first thing you did when entering the garden was to throw the key over the wall.

    28. Re: Not surprising by JabrTheHut · · Score: 1

      You're talking about the freedom in a phone where you can't uninstall the crapware that comes with it? Is that like the freedom to only go where you are told to and say what you are told to?

      --
      Work like no one is watching. Dance like you've never been hurt. Make love like you don't need the money.
    29. Re: Not surprising by fred6666 · · Score: 1

      Honestly I prefer crapware applications than crapware OS. You may not like Samsung's SMS application but at least you can install another one and use it by default. Also there are very good Android phones without crapware (Pixels and few others).

  3. Blah blah blah Security Fatigue by Lije+Baley · · Score: 1, Insightful

    Yes, let's just keep piling on these alarmist, security-as-a-religion articles. It will only hasten the coming of the post-security world.

    --
    Strange things are afoot at the Circle-K.
    1. Re:Blah blah blah Security Fatigue by Anonymous Coward · · Score: 0

      You're having a hard time admitting the truth that Android is easy to hack and not secure.

      I'm sure you're version will come true. Someday.

    2. Re:Blah blah blah Security Fatigue by Anonymous Coward · · Score: 0

      Fuck off and die asshole. We do not worship the ground that Apple walks on. Hell, we don't worship the ground of any manufacturer. Again, fuck off and die fan boi(as in fagot).

    3. Re:Blah blah blah Security Fatigue by TheFakeTimCook · · Score: 1

      Fuck off and die asshole. We do not worship the ground that Apple walks on. Hell, we don't worship the ground of any manufacturer. Again, fuck off and die fan boi(as in fagot).

      Sounds like jealousy to me, eh?

    4. Re:Blah blah blah Security Fatigue by pr0fessor · · Score: 1

      Complaining about security updates for known vulnerabilities that aren't being installed or made available on many android phones is not the same as an alarmist security as a religion rant. It' not just security updates that you're missing out on it's also feature updates and there is no reason that you should need to purchase a new phone to get all the updates.

      If the patch for a vulnerability is out and you didn't install it then don't expect any sympathy when you get exploited...

    5. Re:Blah blah blah Security Fatigue by Anonymous Coward · · Score: 0

      Yes, let's just keep piling on these alarmist, security-as-a-religion articles. It will only hasten the coming of the post-security world.

      Please Jebus yes, let's make installing and maintaining SSL certificates to secure the connections between keyboards and computers a thing, whatever it takes to get us to the point everyone takes a long hard look at how fucking stupid 95% of our security practices are so we can reset the insanity. I absolutely cannot wait.

      We found some SHA23456 mode-5 crypto on your PC, you will be disconnected from the Internet until you resolve your blatant security infractions, mkay?

    6. Re:Blah blah blah Security Fatigue by Lije+Baley · · Score: 1

      As an advanced Slashdot reader, I barely even read the fscking summary. I was just still annoyed from the earlier article about panic hacks.

      --
      Strange things are afoot at the Circle-K.
    7. Re: Blah blah blah Security Fatigue by Anonymous Coward · · Score: 0

      Nope, just tired of your shit lol

      You're promoting a phone that is fully unlockable just by plugging it in to some device.

  4. That's what they get by Seven+Spirals · · Score: 1

    For trying to bastardize Unix. You go to hell for that, too. :-)

    1. Re:That's what they get by Desler · · Score: 1

      The Morris Worm says hi.

    2. Re:That's what they get by Seven+Spirals · · Score: 1

      Hehe, good one. I guess I kinda asked for that. :-)

    3. Re:That's what they get by Seven+Spirals · · Score: 1

      At least you know what the Morris Worm actually was!

  5. Panick! Panick! It's Hack0rz! Panick! panick! by Anonymous Coward · · Score: 1

    Well, no, just shoddy software and stupid excuses.

    Like always.

  6. (Nelson) Ha ha! by Anonymous Coward · · Score: 0, Troll

    How smart is your so-called 'smartphone' now, and how smart are (You), losers? You enjoying being part of that botnet? You enjoying having criminals and hackers and Vladimir Putins' cock up your digital ass? Do yourselves a favor: toss that e-waste of a 'phone' into the e-waste bin and get a nice safe dumbphone, or better yet, get a landline, and stop being cucked by your own technology.

  7. Every Device Is by Luthair · · Score: 1

    In the modern world there is effectively no chance that any device shipped will not ship with a vulnerability. This isn't a statement on software or hardware development merely that given the time it takes to ship goods and that we perpetually find issues across the entire stack of software and hardware having a device land in your hands without a day-0 patch (or perhaps the device will never be patched despite this) is never happen.

    It wouldn't surprise me if carrier crapware is particularly poorly written and maintained however.

    1. Re:Every Device Is by Anonymous Coward · · Score: 0

      Yes, every device ships with (potential) vulnerabilities. The question is whether they are being shipped or left un-patched while exploits exist in the wild.

  8. Millions of Devices Are Vulnerable Right Box by bob4u2c · · Score: 1

    There fixed the headline for you.

  9. Computing Device can be Compromised by Anonymous Coward · · Score: 0

    In other news, water is wet and the sun is hot.
    Film at 11.

  10. Foreign governments? by mi · · Score: 2

    If NSA "customizes" routers meant for foreign customers, why wouldn't Chinese government seek to do something similar? Unlike NSA, they can flat-out order their own companies to do that, while doing something more subtle with the Korean and Taiwanese manufacturers...

    And in the world of spying, if someone can, you can bet that they do...

    --
    In Soviet Washington the swamp drains you.
    1. Re:Foreign governments? by Anonymous Coward · · Score: 0

      If you think NSA can't **order** US companies you're delusional.

  11. Carrier branded phones are a big part of this by guacamole · · Score: 1

    Gosh, the carrier-branded phones are the bane of today's computing. They come pre-loaded with dozens of non-deletable apps on top of what's installed by OEM. Their update cycle is ridiculously slow because the ROM updates must go through the carrier's customizing and testing. Normally, they're bootloader locked. As result, most of those are behind the unlocked OEM phones in security patch levels. Just say no.

  12. Buy apple I guess. by Anonymous Coward · · Score: 0

    What a bizarre world we live in where Apple is the only good option.

    1. Re:Buy apple I guess. by johanw · · Score: 1

      Just buy a non-carrier branded Android.

    2. Re: Buy apple I guess. by Anonymous Coward · · Score: 0

      Right, instead of actually needing to install the payload app as the article suggests, I'll opt for a device that can still be locked but law enforcement can fully access now.

      Yup, both great options!

  13. US carrier branded devices by johanw · · Score: 1

    is the main problem that I see here. This seems a US specific problem, heavy carrier branding and consumers unwilling to buy carrier free devices. In the EU, where most devices don't have any branding, these problems are much less abundent. And on the 2nd hand carrier branded Sony Android device I bought to replace a defective one I could easily flash a neutral firmware.

    Of course, after that I rooted it to remove some of the Sony crapware.

  14. meanwhile, over in Redmond... by Anonymous Coward · · Score: 0

    Microsoft says "Get on our level!" -- Windows has been vulnerable 'out-of-the-box' since its first release.

  15. This is why we need competing app stores! by shess · · Score: 1

    See! Manufacturers and carriers can totally be trusted to bake in their own app stores and browsers!

  16. WIRED is Paywalled by Anonymous Coward · · Score: 0

    Apparently I've clicked on four articles in one month, so I must renounce my freeloading, ad-veiwing ways and pay for yet another subscription to view the source material for this /. post. Alternative source or it never happened.

    1. Re:WIRED is Paywalled by Zontar+The+Mindless · · Score: 1

      Apparently you don't know what cookies are or how to remove them. Thanks for playing!

      --
      Il n'y a pas de Planet B.
  17. No updates by MoarSauce123 · · Score: 1

    What makes matters worse is that phone vendors do not put any effort into updating Android to newer, more secure versions. I think Google needs to take a lead there and just update Android on all devices rather than dump that on the vendors.

  18. Re: this is why iPhones are superior by Anonymous Coward · · Score: 0

    What do you suggest as a proper phone?

    I devices are instantly unlockable by law enforcement at this point. They come out with security vulns every few months.

    Windows phone?