At the Hack in the Box security conference held in Amsterdam, researchers Karsten Nohl and Jakob Lell of Security Research presented a reverse analysis of the operating system code of hundreds of Android smartphones marketed in the last two years, studying which security patches had actually been installed on each device. They found the so-called 'patch gate': in some cases, vendors inform users that the security patches for specific dates have all been installed, but they have not actually provided them. The notification is fake, so these devices are very vulnerable to attack by hackers.
'We have found that there is a difference in the number of loopholes between the actual patching and the vendor's claim that the repair has been completed,' said renowned security researcher and SRL founder Nohl. He said that in the worst case, Android handset makers deliberately tamper with the time at which the device last fixed vulnerabilities. 'Some vendors will change the system update date without patching. For marketing reasons, they just set the installation date of the patch to a specific time, just to look safe.'
Selectively ignore
SRL counted every security update of the Android system in 2017 and tested the firmware of more than 1200 smartphones from more than a dozen smartphone manufacturers. These devices are from mainstream Android phone manufacturers such as Google, Samsung, Motorola, and HTC, as well as ZTE, TCL and other emerging manufacturers. They found that, apart from Google's own Pixel, Pixel 2 and other models, even the top international manufacturers sometimes falsely claimed to have installed patch updates that had not actually been released for the product. The record of second- and third-tier manufacturers is even worse.
Nohl pointed out that this behavior has more serious consequences than simply giving up on updates, and that it has become a common phenomenon in the smartphone field. Users are told that the loopholes have been fixed when in fact no action was taken, which creates a 'false' sense of security. Nohl said: 'We found that several vendors did not install some patches, but they changed the date of the last update of the system. This is an intentional deception but not universal.'
Nohl believes that the more common situation is that top manufacturers like Sony or Samsung miss one or two patch updates by accident. But different models are in different situations. For example, Samsung's 2016 Galaxy J5 model clearly tells the user which patches have been installed and which have not. On the 2016 Galaxy J3, however, Samsung claimed that all patches had been released, but the survey found that 12 key updates are still missing.
'Given that this is a hidden model difference, it is almost impossible for users to understand what updates they actually installed,' said Nohl. To address the lack of transparency in patch updates, SRL Labs also released an update to the SnoopSnitch app for the Android platform, which allows users to enter their mobile phone code to check the actual status of security updates at any time.
Different vendors
After evaluating the products of each supplier, SRL Labs produced the following set of charts, which classify the smartphone manufacturers into three categories. The classification is based on how closely the number of patches each vendor claimed matched the number actually installed in 2017, and includes models that were updated at least once in October 2017 or later. Major Android vendors, including Xiaomi and Nokia, have an average of 1 to 3 'lost' patches, while HTC, Motorola, LG and Huawei have 3 to 4 'lost' patches. TCL and ZTE ranked last, with more than 4 lost patches. The number of patch updates missed by Google, Sony, Samsung and others is less than or equal to 1.
SRL also pointed out that chip vendors are one of the reasons for missing patches. For example, models using Samsung chips rarely skip updates quietly, while devices using MediaTek chips are missing an average of 9.7 patches. In some cases, it is likely that the use of cheaper chips makes missing patches more probable. There are also cases where the loopholes are at the chip level rather than the system level, so handset manufacturers rely on chip vendors to complete further updates. The result is that cheaper smartphones that source chips from low-end suppliers inherit the 'missing patch' problem. 'After our verification, if you choose a cheaper product, then in the Android ecosystem, it will be in a less respected position,' Nohl said.
After “Connecting” magazine contacted Google, Google said it appreciated SRL's research, but responded that some of the devices analyzed by SRL may not be certified by Android, which means they are not held to Google's security standards. Google also said that Android smartphones have security features that make security vulnerabilities difficult to crack even in the absence of patches. In some cases, the problem of 'patch loss' occurs because mobile phone manufacturers simply removed vulnerable features rather than repairing them, or because some phones did not have the feature in the first place.
Google said it will cooperate with SRL Labs to conduct further in-depth investigations. 'Security updates are one of the many levels of protection for Android devices and users,' said Scott Roberts, head of Android product security, in a statement in Wired magazine. 'System built-in platform protection systems such as application sandboxes and Google Play Protect security services are equally important. These multi-layered security approaches, coupled with the diversity of the Android ecosystem, have led researchers to conclude that remote development of Android devices is still full of challenges.'
In response to Google's claim that patches are missing because vendors removed vulnerable features, Nohl argued that this situation is uncommon and unlikely to occur.
Limited impact of missing patches
Surprisingly, however, Nohl agrees with another of Google's claims: attacking Android phones with missing patches is actually not an easy task. Even on Android phones that lack some patch updates, malware still has difficulty exploiting vulnerabilities under the protection of the system's broader security measures, such as the sandboxes that began to appear in Android 4.0 Lollipop, which limit the probability of malicious programs accessing devices.
This means that most hackers who use a so-called 'vulnerability' to gain control of an Android device need to exploit a series of vulnerabilities; an attack does not succeed just because one patch is missing. Nohl said: 'Even if it's missed some patches, it can still rely on the system's other security features to defend against most attacks.'
Therefore, Nohl said that Android devices are easier to crack in some simpler ways, such as through apps that appear in the Google Play store or apps installed from unofficial app stores. Nohl said: 'If users have installed pirated or malicious software, it is easier to be a target for hackers.'