Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

7/24/2012
12:45 AM

DARPA-Funded Service Seeks Flaws In Smartphones

The brainchild of start-up Duo Security, the X-Ray service will let users know whether their smartphones have vulnerable systems software

Beset by malware and malicious attackers, developers in the personal-computer world have found ways to reduce the time between the release of a patch and the installation of the fix on vulnerable systems.

With Android smartphones and tablets, however, long delays between release and installation regularly leave devices open to attack. About two-thirds of all Android smartphones, for example, are using Android version 2.3, code-named "Gingerbread," a major update released more than a year-and-a-half ago, according to the Android developers' dashboard. Since then, two major revisions -- not including the tablet-focused "Honeycomb" -- have been released to add features and fix security issues.

Companies and consumers need a way to get smartphone manufacturers and wireless carriers to fix security issues and deploy the patches faster, says Jon Oberheide, chief technology officer for start-up Duo Security. For businesses, the situation is particularly worrisome because most firms have had to deal with workers bringing a host of mobile devices inside their corporate firewalls.

"It's not like patches for the vulnerabilities don't exist," Oberheide says. "In many cases, they've been around for six months to a year, but they just have not been rolled out."

On Monday, the start-up planned to help users get a handle on the problem, thanks to some funding from the Defense Advanced Research Projects Agency (DARPA). The company launched a service that aims to notify device owners when their system software contains unpatched flaws. Dubbed X-Ray, the service consists of an Android app that scans the system for known vulnerable system components; unknown system files are sent to Duo's servers for further analysis.


Once installed, the X-Ray app will probe the system and determine what software and which versions are running. Duo Security maintains a database of which software versions still contain eight major privilege escalation flaws that could allow an attacker to compromise an Android smartphone.

The app collects information on the vulnerability, device model, version of the operating system, and carrier information. Duo Security hopes to discover the size of the vulnerable Android population and how long devices in different regions remain vulnerable to known flaws. X-Ray will also be able to discover whether the manufacturers and carriers have reintroduced flaws during regularly scheduled updates.
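The check the two paragraphs above describe is a version comparison: inventory the installed system components, compare each version against a database that records the first version carrying the fix, then aggregate the results by carrier and watch for flaws that a later build brings back. The following is an added example written for this page, not Duo's code or X-Ray's own database; every component name, flaw id (FLAW-1 and so on), version number, carrier and build history in it is constructed, and the eight real flaws X-Ray tracks are not reproduced here.

```python
"""Version-based check for known, unpatched system flaws, in the style the
article attributes to X-Ray: inventory the installed component versions,
compare them against a database of flaws with a known fix version, then
aggregate by carrier and look for flaws that a later build reintroduced.
Every component name, flaw id, version number and device record here is
constructed for illustration; none is taken from Duo's real database."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FlawRule:
    flaw_id: str    # constructed placeholder, not a real CVE id
    component: str  # system component the flaw lives in
    fixed_in: str   # first component version that carries the fix


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.6.10' -> (2, 6, 10): compare numerically so 2.6.10 > 2.6.9.
    Assumes dot-separated integer versions (an assumption of this example)."""
    return tuple(int(part) for part in v.split("."))


def find_unpatched(inventory: Dict[str, str], rules: Iterable[FlawRule]) -> List[str]:
    """Return the ids of flaws whose component is installed at a version
    older than the fix. A component absent from the inventory is skipped:
    the article says X-Ray uploads unknown files for server-side analysis
    rather than guessing, and so does this check."""
    unpatched = []
    for rule in rules:
        installed = inventory.get(rule.component)
        if installed is None:
            continue
        if parse_version(installed) < parse_version(rule.fixed_in):
            unpatched.append(rule.flaw_id)
    return sorted(unpatched)


def scan_all(devices, rules) -> List[Tuple[str, List[str]]]:
    """devices: (carrier, inventory) pairs -> (carrier, unpatched ids) pairs."""
    return [(carrier, find_unpatched(inv, rules)) for carrier, inv in devices]


def vulnerable_share_by_carrier(reports) -> Dict[str, float]:
    """Fraction of scanned devices per carrier with at least one unpatched flaw."""
    total, vulnerable = defaultdict(int), defaultdict(int)
    for carrier, flaws in reports:
        total[carrier] += 1
        if flaws:
            vulnerable[carrier] += 1
    return {c: vulnerable[c] / total[c] for c in total}


def reintroduced_flaws(history) -> List[str]:
    """history: (build label, unpatched ids) for one device model, oldest first.
    A flaw counts as reintroduced when one build no longer has it and a
    later build has it again: the regression the article says X-Ray looks for."""
    fixed_at_some_point, reintroduced, previous = set(), set(), set()
    for _, flaws in history:
        current = set(flaws)
        fixed_at_some_point |= previous - current
        reintroduced |= current & fixed_at_some_point
        previous = current
    return sorted(reintroduced)


# Constructed sample data (not real flaws, versions or carriers).
RULES = [
    FlawRule("FLAW-1", "kernel", "2.6.36"),
    FlawRule("FLAW-2", "vold", "2.3.4"),
    FlawRule("FLAW-3", "adbd", "2.3.7"),
]
DEVICES = [
    ("CarrierA", {"kernel": "2.6.35", "vold": "2.3.4", "adbd": "2.3.3"}),
    ("CarrierA", {"kernel": "2.6.38", "vold": "2.3.4", "adbd": "2.3.7"}),
    ("CarrierB", {"kernel": "2.6.35", "vold": "2.3.3"}),  # adbd unknown
]
HISTORY = [
    ("build-2011-01", ["FLAW-1", "FLAW-2"]),
    ("build-2011-06", ["FLAW-2"]),            # FLAW-1 fixed
    ("build-2012-01", ["FLAW-1"]),            # FLAW-2 fixed, FLAW-1 back
]

if __name__ == "__main__":
    reports = scan_all(DEVICES, RULES)
    for carrier, flaws in reports:
        print(carrier, flaws or "no known flaws")
    print("vulnerable share:", vulnerable_share_by_carrier(reports))
    print("reintroduced:", reintroduced_flaws(HISTORY))
```

Two design points matter for a scanner like this. Versions must be compared numerically, not as strings, or a component at 2.6.10 is wrongly treated as older than 2.6.9 and reported as vulnerable. And a component the scanner cannot identify should be reported as unknown rather than silently counted as patched, which is why the missing `adbd` on the third constructed device produces no finding for FLAW-3 instead of a false "clean" result.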

In the first eight hours, some 15,000 people had tried the application, Oberheide says. "We hope the data can provide a spark to get the attention of carriers," Oberheide says. "We hope that X-Ray will eventually result in better security and awareness for all mobile users."

It's an effort that other security firms see as worthwhile as well. In its own studies, mobile security firm Lookout found that the update process varied from carrier to carrier, as did the time to patch. Making the patching process more transparent to users could create incentives for carriers to patch faster.

"Rapid access to security updates is in the best interest of the community as vulnerable devices present an opportunity for bad actors that does not need to exist," Lookout said in a statement sent to Dark Reading.

The software project is one of the first to get funding under the Cyber Fast Track program, an initiative managed by DARPA to spur innovative security research by funding small companies and individual researchers. As part of the project, the company plans to port the application to other mobile-device platforms.

Comments
non34,
User Rank: Apprentice
8/2/2012 | 5:51:29 PM
re: DARPA-Funded Service Seeks Flaws In Smartphones
Has anyone done a security review of the X-Ray app itself to see what other personal information this government defense organization is collecting from your smart phones?
PJS880,
User Rank: Ninja
7/24/2012 | 6:45:54 PM
re: DARPA-Funded Service Seeks Flaws In Smartphones
Nothing more annoying than getting an update on an application 6 months after its release. This is a great solution for the lag times in between the carriers patching and releases. This will definitely have the hackers moving more swiftly to penetrate your mobile device. It just makes sense that this is picked up by major carriers or they develop something very similar, because something has to be done with the lag time. Also, with more and more companies and BYOD policies, they are exposing their business to outside vulnerabilities. Good reading. I was curious: they didn't mention a price, or is it a free application?

Paul Sprague
InformationWeek Contributor
