Risk
7/24/2012
00:45 AM

DARPA-Funded Service Seeks Flaws In Smartphones

The brainchild of start-up Duo Security, the X-Ray service will let users know whether their smartphones have vulnerable systems software

Beset by malware and malicious attackers, developers in the personal-computer world have found ways to reduce the time between the release of a patch and the installation of the fix on vulnerable systems.


With Android smartphones and tablets, however, long delays between release and installation regularly leave devices open to attack. About two-thirds of all Android smartphones, for example, are using Android version 2.3, code-named "Gingerbread," a major update released more than a year-and-a-half ago, according to the Android developers' dashboard. Since then, two major revisions -- not including the tablet-focused "Honeycomb" -- have been released to add features and fix security issues.

Companies and consumers need a way to get smartphone manufacturers and wireless carriers to fix security issues and deploy the patches faster, says Jon Oberheide, chief technology officer for start-up Duo Security. For businesses, the situation is particularly worrisome because most firms have had to deal with workers bringing a host of mobile devices inside their corporate firewalls.

"It's not like patches for the vulnerabilities don't exist," Oberheide says. "In many cases, they've been around for six months to a year, but they just have not been rolled out."

On Monday, the start-up planned to help users get a handle on the problem, thanks to some funding from the Defense Advanced Research Projects Agency (DARPA). The company launched a service that aims to notify device owners when their system software contains unpatched flaws. Dubbed X-Ray, the service consists of an Android app that scans the device for known vulnerable system components; system files the app does not recognize are sent to Duo's servers for further analysis.

[ Bringing your own device to work sounds peachy to employees, but security, regulatory, and privacy issues still need to be worked out on the monitoring side. See The Mobile Monitoring Mess. ]

Once installed, the X-Ray app will probe the system and determine what software and which versions are running. Duo Security maintains a database of which software versions still contain eight major privilege escalation flaws that could allow an attacker to compromise an Android smartphone.

The app collects information on the vulnerability, device model, version of the operating system, and carrier information. Duo Security hopes to discover the size of the vulnerable Android population and how long devices in different regions remain vulnerable to known flaws. X-Ray will also be able to discover whether the manufacturers and carriers have reintroduced flaws during regularly scheduled updates.
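The two preceding paragraphs describe the core of the service: inventory the versions of system components on a device, compare them against a database of versions known to carry unpatched flaws, record the device model, OS version and carrier alongside the result, and compare scans over time to catch a flaw that an update reintroduced. The following is an added example that illustrates that matching and regression logic; it is not Duo Security's X-Ray code. The flaw identifiers, component names, version numbers and device details are all constructed placeholders (the article names none of the eight flaws), and it uses the simplifying assumption that every version below the first fixed version is vulnerable.

```python
"""Version-based vulnerability matching in the spirit of the X-Ray service.

Added example, not code from Duo Security. All flaw ids, components,
versions and device details below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.6.35.7' or '2.3.4-rc1' into a comparable tuple of ints.

    Simplification: a non-numeric suffix such as '-rc1' is dropped, so
    '2.3.4-rc1' compares equal to '2.3.4'.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class KnownFlaw:
    flaw_id: str      # placeholder id; the article names no specific flaws
    component: str    # system component the flaw lives in
    fixed_in: Version # first version that carries the fix (assumed)


# Constructed database standing in for the one the article says Duo maintains.
KNOWN_FLAWS = [
    KnownFlaw("FLAW-PLACEHOLDER-1", "kernel", parse_version("2.6.36")),
    KnownFlaw("FLAW-PLACEHOLDER-2", "libsysutils", parse_version("1.2")),
    KnownFlaw("FLAW-PLACEHOLDER-3", "vold", parse_version("3.0")),
]


def is_vulnerable(installed: Version, fixed_in: Version) -> bool:
    """True when the installed version predates the fix (assumption: every
    earlier version is affected). Shorter tuples are zero-padded so that
    (2, 6) compares as (2, 6, 0)."""
    width = max(len(installed), len(fixed_in))
    a = installed + (0,) * (width - len(installed))
    b = fixed_in + (0,) * (width - len(fixed_in))
    return a < b


@dataclass
class ScanReport:
    """What the article says X-Ray reports: flaws plus device, OS and carrier."""
    device_model: str
    os_version: str
    carrier: str
    vulnerable_flaws: List[str] = field(default_factory=list)


def scan(inventory: Dict[str, str], device_model: str, os_version: str,
         carrier: str, db: List[KnownFlaw] = KNOWN_FLAWS) -> ScanReport:
    """Match an inventory of {component: version} against the flaw database."""
    report = ScanReport(device_model, os_version, carrier)
    for flaw in db:
        if flaw.component not in inventory:
            # The article says unknown files go to Duo's servers for analysis;
            # this example simply skips components it has no version for.
            continue
        if is_vulnerable(parse_version(inventory[flaw.component]), flaw.fixed_in):
            report.vulnerable_flaws.append(flaw.flaw_id)
    return report


def reintroduced_flaws(before: ScanReport, after: ScanReport) -> List[str]:
    """Flaws absent from an earlier scan but present after an update, which is
    the 'reintroduced during a scheduled update' case the article describes."""
    return sorted(set(after.vulnerable_flaws) - set(before.vulnerable_flaws))


# Constructed inventories for a device before and after a vendor update.
INVENTORY_BEFORE = {"kernel": "2.6.35.7", "libsysutils": "1.2", "vold": "3.1"}
INVENTORY_AFTER = {"kernel": "2.6.36", "libsysutils": "1.1", "vold": "3.1"}


def demo() -> Tuple[ScanReport, ScanReport, List[str]]:
    before = scan(INVENTORY_BEFORE, "ExampleModel", "2.3.6", "ExampleCarrier")
    after = scan(INVENTORY_AFTER, "ExampleModel", "2.3.7", "ExampleCarrier")
    return before, after, reintroduced_flaws(before, after)


if __name__ == "__main__":
    b, a, regressed = demo()
    print("before update:", b.vulnerable_flaws)
    print("after update: ", a.vulnerable_flaws)
    print("reintroduced: ", regressed)
```

In the constructed data the update fixes the kernel flaw but ships an older `libsysutils`, so the second scan flags a flaw the first did not; aggregating such reports by device model, OS version and carrier is exactly the kind of measurement the article says Duo hopes to make.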

In the first eight hours, some 15,000 people had tried the application, Oberheide says. "We hope the data can provide a spark to get the attention of carriers," Oberheide says. "We hope that X-Ray will eventually result in better security and awareness for all mobile users."

It's an effort that other security firms see as worthwhile as well. In its own studies, mobile security firm Lookout found that the update process varied from carrier to carrier, as did the time to patch. Making the patching process more transparent to users could create incentives for carriers to patch faster.

"Rapid access to security updates is in the best interest of the community as vulnerable devices present an opportunity for bad actors that does not need to exist," Lookout said in a statement sent to Dark Reading.

The software project is one of the first to get funding under the Cyber Fast Track program, an initiative managed by DARPA to spur innovative security research by funding small companies and individual researchers. As part of the project, the company plans to port the application to other mobile-device platforms.


Comments
non34,
User Rank: Apprentice
8/2/2012 | 5:51:29 PM
re: DARPA-Funded Service Seeks Flaws In Smartphones
Has anyone done a security review of the X-Ray app itself to see what other personal information this government defense organization is collecting from your smart phones?
PJS880,
User Rank: Apprentice
7/24/2012 | 6:45:54 PM
re: DARPA-Funded Service Seeks Flaws In Smartphones
Nothing more annoying than getting an update on an application 6 months after its release. This is a great solution for the lag times in between the carriers patching and releases. This will definitely have the hackers moving more swiftly to penetrate your mobile device. It just makes sense that this is picked up by major carriers or they develop something very similar, because something has to be done with the lag time. Also with more and more companies and BYOD policies they are exposing their business to outside vulnerabilities. Good reading. I was curious: they didn't mention a price, or is it a free application?

Paul Sprague, InformationWeek Contributor
