News

Android Patches Can Skip a Beat

Researchers have found that some Android devices are skipping patches and lying about it.

When a device isn't patched to the most current OS level, it tends to be bad from a security viewpoint. When the device lies to you about it, claiming up-to-date software while remaining unpatched, it's much, much worse. "Much worse" is the state many Android owners find themselves in, according to two years of research by Karsten Nohl and Jakob Lell of Security Research Labs (SRL).

Nohl and Lell found that Android patching practices are a crazy quilt of practices ranging from fully up to date to woefully behind patch versions to, in the worst cases, woefully behind while telling the users that they are up to date. The problem for users is that there's no one good way to tell the camp in which a device resides.

According to an article in Wired, SRL tested the firmware of 1,200 phones, from more than a dozen phone manufacturers, for every Android patch released in 2017. They found that a single vendor — Google — provided every patch for every device. All the other vendors, from a list that ranged from Samsung and Motorola to ZTE and TCL, missed at least some of the available patches. Worse, a smattering of devices from each of these vendors failed to install patches even though they told the user that software had been updated.

Now, there can be legitimate reasons for a user, whether individual or company, to skip a patch or delay its rollout. Patches may break individual corporate apps, change device or app behavior, or cause massive device slowdowns. The point is that the choice of whether to install a given patch or update rightly rests with the user, not the vendor.

There can also be legitimate reasons for a vendor to skip a patch or update. Android exists as an ecosystem existing on a staggering number of different hardware platforms, each of which must reach its own separate accord with changes to the operating system. If a vendor finds that a particular patch is incompatible with its hardware, then it can sit out a round and make up any security issues in later versions.

When a vendor chooses not to provide an update but revises the software date to make it appear that a patch has happened, it becomes much harder to justify the vendor's behavior. The false sense of security the revised OS date provides is especially pernicious at a time of malware that can literally destroy a device.

There are techniques by which a user can manually check for applied updates, but such techniques require methods that many users will not be comfortable using and most enterprise IT shops will find onerous. And there's no great way to know whether a particular device will be affected by any given patch that might be missed.

In the Wired article, Nohl touts defense in depth as the only realistic protection against the sort of vulnerabilities that may be created by a spoofed update. Defense in depth is a presumption for most corporate IT security schemes. It may well be that paranoia should be added to the toolbox if Android devices are in the pockets of corporate employees.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.