Privacy and security should be a big concern right now, especially when you consider the fact that many parts of our lives are stored digitally. We communicate, take pictures, exchange sensitive information, and transact on our phones and other internet-enabled devices. Keeping these devices secure is of paramount importance.
Unfortunately, a recent finding by mobile security firm Kryptowire revealed that millions of Android devices are vulnerable right out of the box. The fragmented nature of this mobile operating system means that there are a variety of bugs and security holes waiting to be exploited at any time.
Vulnerable Right Out of the Box
According to Kryptowire, during the firm’s Black Hat security conference presentation, the bugs found in several devices sold by US carriers are dangerous and can be exploited in different ways.
Stavrou and Kryptowire’s director of research Ryan Johnson further explained how the faults they found in 10 smartphones of many US customers can be exploited. In one instance, the vulnerability allowed attackers to lock users out of their phones. In another, attackers could gain access to the devices’ microphone and other features.
These are troubling discoveries in today’s era of information. When you consider the amount of data we store on our phones, the risk of having this information stolen is simply unacceptable.
The Root of All Problems
Android is primarily marketed as a flexible mobile operating system that can be customized to suit the needs of OEMs (phone manufacturers) and carriers.
This leads to fragmentation. Android can be very different on different phones, despite each variation stemming from the same source material. The custom UIs and extra codes added by phone manufacturers and carriers can create unique bugs.
The same fragmentation problem and the many variations of Android also cause security patches to be difficult to distribute. Phones that use Vanilla or stock Android receive security patches frequently. Android One devices, for example, get monthly security updates. OEM devices, however, don’t.
Manufacturers and carriers must implement the same modifications they added to the original operating system used in each device, but the process takes longer to complete. Some manufacturers even skip specific security updates due to the lack of resources and the frequency of updates.
A Serious Issue
“They’re exposing the end user to exploits that the end user is not able to respond to,” according to Stavrou. In many ways, users are left with few – if any – options when it comes to protecting their devices.
The research funded by The Department of Homeland Security and carried out by Kryptowire aimed to get precise information about the issue as a whole. The study reviewed phones from Asus, LG, ZTE, and other manufacturers. The discoveries are nothing short of mind-blowing.
The Asus ZenFone V Live is a particularly interesting example. The device, out of the box, is vulnerable to whole-system takeovers. Yes, attackers can access any of the phone’s capabilities by exploiting a bug built into the original firmware. Asus released a statement on the security issues found in their devices and is working hard to resolve them.
ZTE is an interesting one, too. DHS and other intelligence agencies have even released warnings against using ZTE devices, especially if you are a government employee. While there hasn’t been any actual evidence to support that warning, the DHS is firm on its stance that ZTE devices are a security threat out of the box.
OEMs and Carriers Are Responding
Despite the bleak outlook of Android device security, serious steps are being taken to improve the situation. Many of the OEMs detailed in the findings are working around the clock to fix bugs in their variation of Android.
Essential, for example, released updates to remedy a bug that allows attackers to do a complete reset of the Essential Phone. LG is working on updates to patch the holes, especially for LG G6 and newer models.
AT&T is among the first carriers to seriously push for an update. Both Sprint and Verizon released no statement yet, but signs are pointing to more updates being pushed to users soon.
Taking action yourself
If you are an Android user, getting rid of your phone is not an option. You can lower the risk of getting your device tapped by taking steps to improve the overall security of your device. It’s self-evident, yet users tend to overlook the importance of antivirus software. Along with a reliable antivirus tool, you might want to install a VPN client (click to download) as it provides an extra layer of security by encryption your connection. Furthermore, be sure to enable automatic updates and other native security features of your device for maximum security.