News

Android Patches Can Skip a Beat

Researchers have found that some Android devices are skipping patches and lying about it.

When a device isn't patched to the most current OS level, it tends to be bad from a security viewpoint. When the device lies to you about it, claiming up-to-date software while remaining unpatched, it's much, much worse. "Much worse" is the state many Android owners find themselves in, according to two years of research by Karsten Nohl and Jakob Lell of Security Research Labs (SRL).

Nohl and Lell found that Android patching practices are a crazy quilt of practices ranging from fully up to date to woefully behind patch versions to, in the worst cases, woefully behind while telling the users that they are up to date. The problem for users is that there's no one good way to tell the camp in which a device resides.

According to an article in Wired, SRL tested the firmware of 1,200 phones, from more than a dozen phone manufacturers, for every Android patch released in 2017. They found that a single vendor — Google — provided every patch for every device. All the other vendors, from a list that ranged from Samsung and Motorola to ZTE and TCL, missed at least some of the available patches. Worse, a smattering of devices from each of these vendors failed to install patches even though they told the user that software had been updated.

Now, there can be legitimate reasons for a user, whether individual or company, to skip a patch or delay its rollout. Patches may break individual corporate apps, change device or app behavior, or cause massive device slowdowns. The point is that the choice of whether to install a given patch or update rightly rests with the user, not the vendor.

There can also be legitimate reasons for a vendor to skip a patch or update. Android exists as an ecosystem existing on a staggering number of different hardware platforms, each of which must reach its own separate accord with changes to the operating system. If a vendor finds that a particular patch is incompatible with its hardware, then it can sit out a round and make up any security issues in later versions.

When a vendor chooses not to provide an update but revises the software date to make it appear that a patch has happened, it becomes much harder to justify the vendor's behavior. The false sense of security the revised OS date provides is especially pernicious at a time of malware that can literally destroy a device.

There are techniques by which a user can manually check for applied updates, but such techniques require methods that many users will not be comfortable using and most enterprise IT shops will find onerous. And there's no great way to know whether a particular device will be affected by any given patch that might be missed.

In the Wired article, Nohl touts defense in depth as the only realistic protection against the sort of vulnerabilities that may be created by a spoofed update. Defense in depth is a presumption for most corporate IT security schemes. It may well be that paranoia should be added to the toolbox if Android devices are in the pockets of corporate employees.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7399
PUBLISHED: 2019-02-17
Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages.
CVE-2019-8392
PUBLISHED: 2019-02-17
An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to enable Guest Wi-Fi via the SetWLanRadioSettings HNAP API to the web service provided by /bin/goahead.
CVE-2019-8394
PUBLISHED: 2019-02-17
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVE-2019-8395
PUBLISHED: 2019-02-17
An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
CVE-2019-8389
PUBLISHED: 2019-02-17
A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) ...