Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Android Google Security Communications Hardware Technology

Millions of Android Devices Are Vulnerable Right Out of the Box (wired.com) 67

Security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you. From a report: That's the key finding of new analysis from mobile security firm Kryptowire, which details troubling bugs preloaded into 10 devices sold across the major US carriers. Kryptowire CEO Angelos Stavrou and director of research Ryan Johnson will present their research, funded by the Department of Homeland Security, at the Black Hat security conference Friday. The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn't have to be there. [...] "The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error," Stavrou says. "They're exposing the end user to exploits that the end user is not able to respond to." Security researchers found 38 different vulnerabilities that can allow for spying and factory resets loaded onto 25 Android phones. That includes devices from Asus, ZTE, LG and the Essential Phone, which are distributed by carriers like Verizon or AT&T.
This discussion has been archived. No new comments can be posted.

Millions of Android Devices Are Vulnerable Right Out of the Box

Comments Filter:
  • samsung and others can post roms so you do not need to wait for the carrier rom to be updated.

    • samsung and others can post roms so you do not need to wait for the carrier rom to be updated.

      They can, but the deals they make with carriers include locking the bootloader so you can't install those roms. That's why you have to buy unlocked phones. Some carriers will eventually unlock devices for you, for example after spending some particular amount on airtime for non-contract phones, or after some number of months for contract phones. But it's better to have no lock from the beginning, obviously.

  • by nwaack ( 3482871 ) on Friday August 10, 2018 @03:11PM (#57103894)
    When a phone comes brand new out-of-the-box with 55% of its space already used it isn't surprising that some of that crapware is causing vulnerabilities!
    • Re: Not surprising (Score:5, Insightful)

      by peragrin ( 659227 ) on Friday August 10, 2018 @03:21PM (#57103970)

      Not only is it crapware it is uninstallable crapware. Let me uninstall samsung mail , calendar I don't use it anyway.

      Fine lock me into TouchWiz z but let me uninstall apps I don't actually use.
      Bewteen Samsung and att I have 30 unstallable apps

      Apps, not settings, or keyboards that I replaced just apps

      • Worse, Samsung Pay keeps popping up notifications telling me I can use Samsung Pay at locations it gets from Location Services. Have I ever installed or registered for Samsung pay? Nope! But it's uninstallable and keeps getting updated anyway!
  • Yes, let's just keep piling on these alarmist, security-as-a-religion articles. It will only hasten the coming of the post-security world.

    • Complaining about security updates for known vulnerabilities that aren't being installed or made available on many android phones is not the same as an alarmist security as a religion rant. It' not just security updates that you're missing out on it's also feature updates and there is no reason that you should need to purchase a new phone to get all the updates.

      If the patch for a vulnerability is out and you didn't install it then don't expect any sympathy when you get exploited...

      • As an advanced Slashdot reader, I barely even read the fscking summary. I was just still annoyed from the earlier article about panic hacks.

  • For trying to bastardize Unix. You go to hell for that, too. :-)
  • Well, no, just shoddy software and stupid excuses.

    Like always.

  • In the modern world there is effectively no chance that any device shipped will not ship with a vulnerability. This isn't a statement on software or hardware development merely that given the time it takes to ship goods and that we perpetually find issues across the entire stack of software and hardware having a device land in your hands without a day-0 patch (or perhaps the device will never be patched despite this) is never happen.

    It wouldn't surprise me if carrier crapware is particularly poorly written

  • There fixed the headline for you.

  • If NSA "customizes" routers meant for foreign customers [theguardian.com], why wouldn't Chinese government seek to do something similar? Unlike NSA, they can flat-out order their own companies to do that, while doing something more subtle with the Korean and Taiwanese manufacturers...

    And in the world of spying, if someone can, you can bet that they do...

  • Gosh, the carrier-branded phones are the bane of today's computing. They come pre-loaded with dozens of non-deletable apps on top of what's installed by OEM. Their update cycle is ridiculously slow because the ROM updates must go through the carrier's customizing and testing. Normally, they're bootloader locked. As result, most of those are behind the unlocked OEM phones in security patch levels. Just say no.

  • is the main problem that I see here. This seems a US specific problem, heavy carrier branding and consumers unwilling to buy carrier free devices. In the EU, where most devices don't have any branding, these problems are much less abundent. And on the 2nd hand carrier branded Sony Android device I bought to replace a defective one I could easily flash a neutral firmware.

    Of course, after that I rooted it to remove some of the Sony crapware.

  • See! Manufacturers and carriers can totally be trusted to bake in their own app stores and browsers!

  • What makes matters worse is that phone vendors do not put any effort into updating Android to newer, more secure versions. I think Google needs to take a lead there and just update Android on all devices rather than dump that on the vendors.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...