Slashdot Mirror


Millions of Android Devices Are Vulnerable Right Out of the Box (wired.com)

Security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you. From a report: That's the key finding of new analysis from mobile security firm Kryptowire, which details troubling bugs preloaded into 10 devices sold across the major US carriers. Kryptowire CEO Angelos Stavrou and director of research Ryan Johnson will present their research, funded by the Department of Homeland Security, at the Black Hat security conference Friday. The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn't have to be there. [...] "The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error," Stavrou says. "They're exposing the end user to exploits that the end user is not able to respond to." Security researchers found 38 different vulnerabilities that can allow for spying and factory resets loaded onto 25 Android phones. That includes devices from Asus, ZTE, LG and the Essential Phone, which are distributed by carriers like Verizon or AT&T.

5 of 67 comments

  1. Not surprising by nwaack · · Score: 3

    When a phone comes brand new out-of-the-box with 55% of its space already used it isn't surprising that some of that crapware is causing vulnerabilities!

    1. Re: Not surprising by peragrin · · Score: 4, Insightful

      Not only is it crapware, it is uninstallable crapware. Let me uninstall Samsung mail, calendar; I don't use it anyway.

      Fine, lock me into TouchWiz, but let me uninstall apps I don't actually use.
      Between Samsung and AT&T I have 30 uninstallable apps.

      Apps, not settings, or keyboards that I replaced, just apps.

      --
      i thought once I was found, but it was only a dream.
    2. Re: Not surprising by sjames · · Score: 3, Insightful

      So name the half decent device that isn't loaded with crapware they should have bought instead?

      Too often voting with your wallet is like voting in the old Soviet Union, you can choose any member of the Communist party you want.

    3. Re: Not surprising by TheFakeTimCook · · Score: 2

      So name the half decent device that isn't loaded with crapware they should have bought instead?

      Too often voting with your wallet is like voting in the old Soviet Union, you can choose any member of the Communist party you want.

      Easy.

      iPhone.

      And unlike Android, which only lets you HIDE certain Apps (which you can also do with iOS), you can actually DELETE (as in G-O-N-E GONE!) nearly All preloaded Apps (which will also NOT be any "Carrier" Apps; since Apple doesn't allow that horseshit!):

      https://9to5mac.com/2017/07/17...

  2. Foreign governments? by mi · · Score: 2

    If NSA "customizes" routers meant for foreign customers, why wouldn't the Chinese government seek to do something similar? Unlike NSA, they can flat-out order their own companies to do that, while doing something more subtle with the Korean and Taiwanese manufacturers...

    And in the world of spying, if someone can, you can bet that they do...

    --
    In Soviet Washington the swamp drains you.