News

Android Patches Can Skip a Beat

Researchers have found that some Android devices are skipping patches and lying about it.

When a device isn't patched to the most current OS level, it tends to be bad from a security viewpoint. When the device lies to you about it, claiming up-to-date software while remaining unpatched, it's much, much worse. "Much worse" is the state many Android owners find themselves in, according to two years of research by Karsten Nohl and Jakob Lell of Security Research Labs (SRL).

Nohl and Lell found that Android patching practices are a crazy quilt of practices ranging from fully up to date to woefully behind patch versions to, in the worst cases, woefully behind while telling the users that they are up to date. The problem for users is that there's no one good way to tell the camp in which a device resides.

According to an article in Wired, SRL tested the firmware of 1,200 phones, from more than a dozen phone manufacturers, for every Android patch released in 2017. They found that a single vendor — Google — provided every patch for every device. All the other vendors, from a list that ranged from Samsung and Motorola to ZTE and TCL, missed at least some of the available patches. Worse, a smattering of devices from each of these vendors failed to install patches even though they told the user that software had been updated.

Now, there can be legitimate reasons for a user, whether individual or company, to skip a patch or delay its rollout. Patches may break individual corporate apps, change device or app behavior, or cause massive device slowdowns. The point is that the choice of whether to install a given patch or update rightly rests with the user, not the vendor.

There can also be legitimate reasons for a vendor to skip a patch or update. Android exists as an ecosystem existing on a staggering number of different hardware platforms, each of which must reach its own separate accord with changes to the operating system. If a vendor finds that a particular patch is incompatible with its hardware, then it can sit out a round and make up any security issues in later versions.

When a vendor chooses not to provide an update but revises the software date to make it appear that a patch has happened, it becomes much harder to justify the vendor's behavior. The false sense of security the revised OS date provides is especially pernicious at a time of malware that can literally destroy a device.

There are techniques by which a user can manually check for applied updates, but such techniques require methods that many users will not be comfortable using and most enterprise IT shops will find onerous. And there's no great way to know whether a particular device will be affected by any given patch that might be missed.

In the Wired article, Nohl touts defense in depth as the only realistic protection against the sort of vulnerabilities that may be created by a spoofed update. Defense in depth is a presumption for most corporate IT security schemes. It may well be that paranoia should be added to the toolbox if Android devices are in the pockets of corporate employees.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20165
PUBLISHED: 2019-03-22
Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allows remote attackers to inject arbitrary web script or HTML via the vgnextoid parameter to a menuitem URI.
CVE-2019-1716
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. The vulnerability ...
CVE-2019-1763
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to bypass authorization, access critical services, and cause a denial of service (DoS) condition. The vulnerability exist...
CVE-2019-1764
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. The vulnerability is due to insufficient CSRF protections for the ...
CVE-2019-1765
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an authenticated, remote attacker to write arbitrary files to the filesystem. The vulnerability is due to insufficient input validation and file-level permis...