DARPA-Funded Service Seeks Flaws In Smartphones

The brainchild of start-up Duo Security, the X-Ray service will let users know whether their smartphones have vulnerable systems software
Beset by malware and malicious attackers, developers in the personal-computer world have found ways to reduce the time between the release of a patch and the installation of the fix on vulnerable systems.    

With Android smartphones and tablets, however, long delays between release and installation regularly leave devices open to attack. About two-thirds of all Android smartphones, for example, are using Android version 2.3, code-named "Gingerbread," a major update released more than a year-and-a-half ago, according to the Android developers' dashboard. Since then, two major revisions -- not including the tablet-focused "Honeycomb" -- have been released to add features and fix security issues.

Companies and consumers need a way to get smartphone manufacturers and wireless carriers to fix and deploy security issues faster, says Jon Oberheide, chief technology officer for start-up Duo Security. For businesses, the situation is particularly worrisome because most firms have had to deal with workers bringing a host of mobile devices inside of their corporate firewalls.

"It's not like patches for the vulnerabilities don't exist," Oberheide says. "In many cases, they've been around for six months to a year, but they just have not been rolled out."

On Monday, the start-up planned to help users get a handle on the problem, thanks to some funding from the Defense Advanced Research Projects Agency (DARPA). The company launched a service that aims to notify device owners when their system software contains unpatched flaws. Dubbed X-Ray, the service consists of an Android app that scans the system for known vulnerable system components; system files the app does not recognize are sent to Duo's servers for further analysis.


Once installed, the X-Ray app will probe the system and determine what software and which versions are running. Duo Security maintains a database of which software versions still contain eight major privilege escalation flaws that could allow an attacker to compromise an Android smartphone.

The app collects information on the vulnerability, device model, version of the operating system, and carrier information. Duo Security hopes to discover the size of the vulnerable Android population and how long devices in different regions remain vulnerable to known flaws. X-Ray will also be able to discover whether the manufacturers and carriers have reintroduced flaws during regularly scheduled updates.
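A minimal model of the check described above, added here as an example and not Duo Security's X-Ray code: installed component versions are compared against a database of first-fixed versions, unknown components are flagged rather than judged, and two scans are diffed to catch a flaw an update has reintroduced. All component names, versions, flaw ids and device details below are constructed placeholders.

```python
import re
# Constructed database, component -> [(flaw id, first fixed version)]; the ids
# and versions are placeholders, not real Android bug identifiers.
VULN_DB = {
    "kernel":      [("FLAW-A", "2.6.35.8"), ("FLAW-B", "3.0.0")],
    "vold":        [("FLAW-C", "4.0.0")],
    "libsysutils": [("FLAW-D", "2.3.7")],
}

def parse_version(v: str) -> tuple:
    """'2.6.35.7-gb123' -> (2, 6, 35, 7); a '-suffix' is treated as a build tag."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def scan(inventory: dict) -> dict:
    """Component -> flaws its version is still open to (version below the fix).
    Components the database does not know map to None (X-Ray uploads those)."""
    report = {}
    for name, version in inventory.items():
        if name not in VULN_DB:
            report[name] = None
            continue
        installed = parse_version(version)
        report[name] = [flaw for flaw, fixed in VULN_DB[name]
                        if installed < parse_version(fixed)]
    return report

def regressions(before: dict, after: dict) -> list:
    """Flaws closed in the earlier scan but open now: a flaw reintroduced by an update."""
    found = []
    for name, flaws in after.items():
        prior = before.get(name)
        if prior is None or not flaws:  # unknown/new component, or clean now
            continue
        found += [(name, f) for f in flaws if f not in prior]
    return found

def build_record(device: dict, inventory: dict) -> dict:
    """Per-device record as the article describes it: flaws plus model/OS/carrier."""
    result = scan(inventory)
    return {**device,
            "vulnerable_to": sorted(f for fl in result.values() if fl for f in fl),
            "unknown": sorted(n for n, fl in result.items() if fl is None)}
# Constructed sample: one device, inventories before and after a carrier update.
DEVICE = {"model": "ExamplePhone", "android": "2.3.6", "carrier": "ExampleCarrier"}
INVENTORY_BEFORE = {"kernel": "2.6.35.7-gb123", "vold": "4.0.1", "libsysutils": "2.3.7", "wifi_driver": "1.0"}
INVENTORY_AFTER = {"kernel": "2.6.35.8", "vold": "3.9.0", "libsysutils": "2.3.7", "wifi_driver": "1.1"}

if __name__ == "__main__":
    print(build_record(DEVICE, INVENTORY_AFTER), regressions(scan(INVENTORY_BEFORE), scan(INVENTORY_AFTER)))
```

In the sample, the update fixes FLAW-A in the kernel but ships an older vold, so the diff reports FLAW-C as reintroduced while the kernel's still-open FLAW-B is not counted as a regression.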

In the first eight hours, some 15,000 people had tried the application, Oberheide says. "We hope the data can provide a spark to get the attention of carriers," Oberheide says. "We hope that X-Ray will eventually result in better security and awareness for all mobile users."

It's an effort that other security firms see as worthwhile as well. In its own studies, mobile security firm Lookout found that the update process of different carriers varied, as did the time to patch. Making the patching process more transparent to users could create incentives for carriers to patch faster.

"Rapid access to security updates is in the best interest of the community as vulnerable devices present an opportunity for bad actors that does not need to exist," Lookout said in a statement sent to Dark Reading.

The software project is one of the first to get funding under the Cyber Fast Track program, an initiative managed by DARPA to spur innovative security research by funding small companies and individual researchers. As part of the project, the company plans to port the application to other mobile-device platforms.
