DARPA-Funded Service Seeks Flaws In Smartphones

The brainchild of start-up Duo Security, the X-Ray service will let users know whether their smartphones have vulnerable systems software

Beset by malware and malicious attackers, developers in the personal-computer world have found ways to reduce the time between the release of a patch and the installation of the fix on vulnerable systems.


With Android smartphones and tablets, however, long delays between release and installation regularly leave devices open to attack. About two-thirds of all Android smartphones, for example, are using Android version 2.3, code-named "Gingerbread," a major update released more than a year-and-a-half ago, according to the Android developers' dashboard. Since then, two major revisions -- not including the tablet-focused "Honeycomb" -- have been released to add features and fix security issues.

Companies and consumers need a way to get smartphone manufacturers and wireless carriers to fix security issues and deploy the fixes faster, says Jon Oberheide, chief technology officer for start-up Duo Security. For businesses, the situation is particularly worrisome because most firms have had to deal with workers bringing a host of mobile devices inside their corporate firewalls.

"It's not like patches for the vulnerabilities don't exist," Oberheide says. "In many cases, they've been around for six months to a year, but they just have not been rolled out."

On Monday, the start-up set out to help users get a handle on the problem, thanks to funding from the Defense Advanced Research Projects Agency (DARPA). The company launched a service that aims to notify device owners when their system software contains unpatched flaws. Dubbed X-Ray, the service consists of an Android app that scans the device for known vulnerable system components; system files the app does not recognize are sent to Duo's servers for further analysis.


Once installed, the X-Ray app will probe the system and determine what software and which versions are running. Duo Security maintains a database of which software versions still contain eight major privilege escalation flaws that could allow an attacker to compromise an Android smartphone.

The app reports which of those flaws it found, along with the device model, operating-system version, and carrier. Duo Security hopes to discover the size of the vulnerable Android population and how long devices in different regions remain exposed to known flaws. Because the same device can be scanned again after each update, X-Ray will also be able to discover whether manufacturers and carriers have reintroduced flaws during regularly scheduled updates.
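The two preceding paragraphs describe X-Ray's core logic: inventory the versions of system components on the device, match them against a database of versions known to carry privilege-escalation flaws, and compare scans over time to spot flaws that an update fixed and a later update brought back. The following Python is an added example of that version-range matching and regression check; it is not X-Ray's code, and the component names, version ranges and flaw labels in it are constructed placeholders rather than real Android vulnerabilities.

```python
"""Version-range matching for known system flaws, plus regression detection
across a device's update history.

Added illustration, not X-Ray's own code.  The component names, version
ranges and flaw labels below are constructed placeholders, not real Android
vulnerabilities.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.6.35.7-gee557fd' into (2, 6, 35, 7).

    Numeric tuples compare correctly ('2.6.9' < '2.6.10'); plain string
    comparison would not.  A '-suffix' build tag is dropped, and parsing
    stops at the first non-numeric component.
    """
    numbers = []
    for part in version.split("-", 1)[0].split("."):
        match = re.match(r"\d+", part)
        if match is None:
            break
        numbers.append(int(match.group()))
    return tuple(numbers)


@dataclass(frozen=True)
class Flaw:
    label: str        # placeholder label, not an advisory identifier
    component: str    # system component the flaw lives in
    introduced: str   # first version that carries the flaw
    fixed_in: str     # first version that carries the fix


# Constructed database: which versions of which components are still flawed.
FLAW_DB: List[Flaw] = [
    Flaw("placeholder-privesc-A", "kernel", "2.6.0", "2.6.36"),
    Flaw("placeholder-privesc-B", "vold", "1.0", "1.4"),
    Flaw("placeholder-privesc-C", "adbd", "1.0", "2.0"),
]


def is_affected(flaw: Flaw, version: str) -> bool:
    """True when introduced <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(flaw.introduced) <= v < parse_version(flaw.fixed_in)


def scan(inventory: Dict[str, str]) -> List[str]:
    """Return labels of flaws matching a component -> version inventory.

    Components absent from the inventory are skipped, not assumed safe or
    unsafe; a real scanner would hand such unknowns to deeper analysis.
    """
    return [
        flaw.label
        for flaw in FLAW_DB
        if flaw.component in inventory
        and is_affected(flaw, inventory[flaw.component])
    ]


def find_regressions(history: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Report flaws that one update fixed and a later update brought back.

    `history` holds the device's inventories in update order.  Each result
    is (index of the update that reintroduced the flaw, flaw label).
    """
    seen = set()       # flaws observed on this device at any point
    fixed = set()      # flaws seen earlier and absent from a later inventory
    regressions = []
    for index, inventory in enumerate(history):
        hits = set(scan(inventory))
        fixed |= seen - hits
        for label in sorted(hits & fixed):
            regressions.append((index, label))
            fixed.discard(label)
        seen |= hits
    return regressions


if __name__ == "__main__":
    # Constructed update history for one hypothetical device.
    history = [
        {"kernel": "2.6.35.7-gee557fd", "vold": "1.3"},   # as shipped
        {"kernel": "2.6.36", "vold": "1.4"},              # update 1: both fixed
        {"kernel": "2.6.36", "vold": "1.3"},              # update 2: vold fix dropped
    ]
    for i, inv in enumerate(history):
        print(f"update {i}: {scan(inv) or 'no known flaws'}")
    print("regressions:", find_regressions(history))
```

One caveat a practitioner should keep in mind: version-range matching alone produces false positives when a vendor backports a fix without changing the version string, and false negatives when a build carries a newer version number but not the fix. That is why a scanner of this kind needs a second path, such as the upload of unrecognized system files for analysis that the article describes, rather than trusting version strings as the only evidence.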

In the first eight hours, some 15,000 people had tried the application, Oberheide says. "We hope the data can provide a spark to get the attention of carriers," he says. "We hope that X-Ray will eventually result in better security and awareness for all mobile users."

It's an effort that other security firms see as worthwhile as well. In its own studies, mobile security firm Lookout found that the update process varied from carrier to carrier, as did the time to patch. Making the patching process more transparent to users could create incentives for carriers to patch faster.

"Rapid access to security updates is in the best interest of the community as vulnerable devices present an opportunity for bad actors that does not need to exist," Lookout said in a statement sent to Dark Reading.

The software project is one of the first to get funding under the Cyber Fast Track program, an initiative managed by DARPA to spur innovative security research by funding small companies and individual researchers. As part of the project, the company plans to port the application to other mobile-device platforms.

8/2/2012 | 5:51:29 PM
re: DARPA-Funded Service Seeks Flaws In Smartphones
Has anyone done a security review of the X-Ray app itself to see what other personal information this government defense organization is collecting from your smart phones?
7/24/2012 | 6:45:54 PM
re: DARPA-Funded Service Seeks Flaws In Smartphones
more annoying than getting an update on an application 6 months after its release. This is a great solution for the lag times in between the carriers patching and releases. This will definitely have the hackers moving more swiftly to penetrate your mobile device. It just makes sense that this is picked up by major carriers or they develop something very similar, because something has to be done with the lag time. Also, with more and more companies and BYOD policies, they are exposing their business to outside vulnerabilities. Good reading. I was curious they didn't mention a price, or is it a free application?