
Android OEMs Duping Security Patches

Zara Ali - April 13, 2018 - 03:58 PM
A German security research firm examined the firmware of more than 1,200 Android handsets and found many of them reporting security patches that were never actually installed.

(CCM) — Researchers at Security Research Labs (SRL), a security firm based in Germany, have found that Android phone manufacturers have been misrepresenting the state of security patches on their devices. The firm's analysis suggests that vendors including Google, HTC, Samsung, Sony, Motorola, ZTE, TCL and others have shipped firmware that omits some of the patches from Google's monthly Android security bulletins, even though the devices report the corresponding patch level as installed.

SRL based its research on the firmware of 1,200 Android handsets, checking each one for every patch issued in 2017. SRL founder Karsten Nohl has said that some manufacturers may simply have missed an individual patch by accident. However, the Samsung J3 (2016), which reported every Android patch issued in 2017 as installed, was missing 12 of them, some of which were rated critical. The patch level a phone shows under Settings is only a build property set by the vendor when the firmware is compiled; it records the vendor's claim, which is why SRL had to inspect the firmware binaries themselves to see which fixes were actually present.

Google is currently working with SRL to investigate the findings further. SRL researchers Nohl and Jakob Lell are presenting the study at the Hack in the Box security conference in Amsterdam today. SRL has also added a patch-level check to its SnoopSnitch app on the Play Store, which analyzes a phone's firmware to report which security patches are actually installed and which are missing.


kgbme
Yes, thank you very much (so true)! For years and years, Android device manufacturers have been consistently horrible at supplying updates.

This is, also, including critical patches even when something big happens, such as BlueBorne:
https://github.com/ArmisSecurity/blueborne/

So, for example, I had purchased the Lenovo Vibe C2 (K10_a40) and the last (Global, "ROW") ROM for it was (the same as what the phone came with, originally, believe it or not):
Lenovo_K10a40_S224_MT6735_20161118

OTA Update (Over the Air) has only offered:
Lenovo_K10a40_S225_MT6735_20161226

And totally by chance I've been able to find an update:
Lenovo_K10a40_S230_MT6735_20170517

... However, Lenovo does NOT provide an official flash tool, to update the phone software. Their KIES program will only accept whatever update is available as the OTA update, the same as what is built into the phone. As if they're trying to make life difficult for the customer. :/

The extra patch/firmware which I'd been able to find is: "March 5, 2017 Android security patch level", which means that my device will FOREVER stay vulnerable to the Bluetooth exploit as it was discovered on September 12, 2017.

This is confirmed by taking a look at the Lenovo Android Upgrade Matrix at
https://support.lenovo.com/us/en/solutions/ht501098

While we're on the topic, might as well check your device as Wikipedia says: "In 2017, BlueBorne was estimated to potentially affect over 8.2 billion devices worldwide", https://en.wikipedia.org/wiki/BlueBorne_(security_vulnerability)
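The reasoning in the comment above (a March 2017 patch level cannot include fixes from the September 2017 bulletin) can be turned into a repeatable check. The following is an added example written for this page, not code from CCM, SRL or Lenovo. It reads the patch level in the form the device reports it (the build property `ro.build.version.security_patch`, which `adb shell getprop ro.build.version.security_patch` prints as `YYYY-MM-DD`), parses the Lenovo build names quoted in the comment, and compares both against the bulletin that shipped a fix. The bulletin table is constructed for the example: BlueBorne's Android fixes were published in the September 2017 bulletin, and the 2017-09-01 level is assumed here as the earliest patch level that carries them. The function and variable names are the example's own.

```python
"""Compare a device's declared Android security patch level (SPL) and its
firmware build date against the bulletin that shipped a given fix.

Added example; not code from CCM, SRL or Lenovo.  The SPL comes from the
build property ro.build.version.security_patch, which the vendor sets when
it builds the firmware.  It records the vendor's claim, not the presence of
the fixed code; SRL's research showed that the two can disagree.
"""
import re
from datetime import date

# Constructed table: fixes and the earliest SPL assumed to carry them.
# BlueBorne's Android fixes shipped in the September 2017 bulletin; the
# 2017-09-01 level is an assumption made for this example.
FIX_BULLETINS = {
    "BlueBorne (September 2017 bulletin)": date(2017, 9, 1),
}

# Build names as quoted in the comment above, e.g.
# Lenovo_K10a40_S230_MT6735_20170517; the last field is the build date.
BUILD_NAME_RE = re.compile(
    r"^(?P<vendor>[A-Za-z]+)_(?P<model>[A-Za-z0-9]+)_(?P<rev>S\d+)"
    r"_(?P<soc>[A-Z0-9]+)_(?P<ymd>\d{8})$"
)


def parse_build_name(name):
    """Split a Lenovo-style build name into its fields; reject anything else."""
    m = BUILD_NAME_RE.match(name)
    if m is None:
        raise ValueError("unrecognised build name: %r" % name)
    ymd = m.group("ymd")
    return {
        "vendor": m.group("vendor"),
        "model": m.group("model"),
        "rev": m.group("rev"),
        "soc": m.group("soc"),
        "build_date": date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:])),
    }


def parse_spl(spl):
    """ro.build.version.security_patch is 'YYYY-MM-DD'; anything else is an error
    (an empty string means the device predates the property altogether)."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", spl.strip())
    if m is None:
        raise ValueError("malformed security patch level: %r" % spl)
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def newest_build(names):
    """Pick the build with the latest build date from a list of build names."""
    return max(names, key=lambda n: parse_build_name(n)["build_date"])


def missing_fixes(spl, fixes=FIX_BULLETINS):
    """Fixes whose bulletin is newer than the declared SPL.

    An empty list means the vendor *claims* the fixes are present; it does
    not prove they are, which is the gap SRL measured by inspecting binaries.
    """
    level = parse_spl(spl)
    return [label for label, bulletin in fixes.items() if level < bulletin]


def build_predates_bulletin(build_name, label, fixes=FIX_BULLETINS):
    """True when the firmware was built before the fix's bulletin was published.

    Treat this as a warning, not proof: Google gives partners fixes ahead of
    publication, so a slightly older build may still contain them.
    """
    return parse_build_name(build_name)["build_date"] < fixes[label]


if __name__ == "__main__":
    builds = [
        "Lenovo_K10a40_S224_MT6735_20161118",
        "Lenovo_K10a40_S225_MT6735_20161226",
        "Lenovo_K10a40_S230_MT6735_20170517",
    ]
    latest = newest_build(builds)
    spl = "2017-03-05"  # SPL quoted in the comment for the S230 build
    print(latest, "SPL", spl, "missing:", missing_fixes(spl))
    for label in FIX_BULLETINS:
        print(label, "built before bulletin:",
              build_predates_bulletin(latest, label))
```

Run it against a real handset by replacing the hard-coded `spl` with the output of `adb shell getprop ro.build.version.security_patch`. A fix listed by `missing_fixes` is definitely absent; an empty list is only the vendor's assertion, and confirming it requires checking the firmware itself, as SRL's SnoopSnitch does.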