'These guys just change the date; they have no patches at all.'
Google has been working hard to get dozens of Android smartphone manufacturers and hundreds of carriers to push security updates regularly, but after investigating hundreds of Android phones a German security company discovered an unsettling new problem: many Android phone manufacturers not only failed to provide users with patches, or delayed them for months; they sometimes even told users that the phone's firmware was fully up to date while secretly skipping the patch.
At the Hack in the Box security conference held in Amsterdam on Friday, researchers presented their analysis of the system code of hundreds of Android phones over the past two years. Most of them carried security risks, and missing patches were not uncommon. Researcher Nohl said: 'Although a patch is small, it is very important for mobile security. In the worst case, Android handset manufacturers deliberately distort the facts on the device. These guys just change the update date when they push it, and there is no patch at all.'
Security Research Labs (SRL) tested 1,200 phones, including Google's own and those of major Android phone manufacturers such as Samsung, Motorola and HTC, as well as Chinese companies such as ZTE and TCL. They found that, apart from Google's own flagships such as the Pixel and Pixel 2, even the top phone manufacturers' security patch records are quite muddled, and the update records of second- and third-tier manufacturers are even more confusing. Researcher Nohl said that pretending to have installed a patch is the most serious problem: the phone tells the user the patch is there when it actually is not, creating a false sense of security. This is intentional deception.
Big companies do not patch aggressively
In the more common situation, even big companies like Sony or Samsung miss one or two patches. Many important updates are missing, for example on Samsung's 2016 J5 or J3 phones. Vendors are very frank in telling users which patches have been installed; however, many important updates are missing without any hint of it. It is almost impossible for users to know which patches are actually installed. To address this problem, SRL Labs has released an Android application called 'SnoopSnitch' that inspects the phone's code so the user can learn the actual status of its security updates.
After testing this stack of phones, SRL Labs produced the following chart, grading vendors on their patching record since October 2017. The best case was missing 0-1 patches: Google, Sony, Samsung, and the little-known Chinese manufacturer Wiko. Xiaomi, OnePlus and Nokia missed 1-3 patches on average; HTC, Huawei, LG and Motorola missed 3-4; TCL and ZTE, missing more than four security patches, were the worst performers on the list: they claimed patches had been installed when they had not.
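The two paragraphs above describe the core of the problem: the patch level a phone reports about itself is a vendor claim, while SnoopSnitch verifies individual patches from the device's code, and the gap between the two is what the chart grades. The script below, an added example that is not SRL's SnoopSnitch code, reconciles a constructed `getprop` dump with constructed per-patch verification results (the patch identifiers are placeholders, not real bulletin entries) and grades the result on the same missed-patch tiers the article uses; the verification statuses are assumed inputs standing in for whatever a code-level check would produce.

```python
"""Added example (not SRL's SnoopSnitch code): reconcile a phone's self-reported
security patch level with independently verified per-patch checks."""
import re
from datetime import date

# Constructed sample of `adb shell getprop` output. The security_patch value is
# written into the build by the vendor, so it is a claim, not evidence.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2017-12-01]
[ro.product.manufacturer]: [ExampleCorp]
"""

# Constructed sample of verification results: (placeholder id, bulletin date,
# status). "missing" means the vulnerable code was still found in the firmware;
# "inconclusive" means the check could not decide either way.
SAMPLE_CHECKS = [
    ("PLACEHOLDER-CVE-A", "2017-10-01", "patched"),
    ("PLACEHOLDER-CVE-B", "2017-10-01", "missing"),
    ("PLACEHOLDER-CVE-C", "2017-11-01", "missing"),
    ("PLACEHOLDER-CVE-D", "2017-12-01", "inconclusive"),
    ("PLACEHOLDER-CVE-E", "2018-01-01", "missing"),  # newer than the claimed level
]

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Parse `getprop` output lines into a dict of property -> value."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def claimed_patch_level(props):
    """The patch level the firmware reports about itself (a vendor claim)."""
    return date.fromisoformat(props["ro.build.version.security_patch"])


def missed_patches(claimed, checks):
    """Patches the claimed level implies are installed but the code checks say are not.

    Patches from bulletins newer than the claimed level are not expected, and
    inconclusive checks are not counted as missed.
    """
    return sorted(
        ident for ident, bulletin, status in checks
        if date.fromisoformat(bulletin) <= claimed and status == "missing"
    )


def grade(n_missed):
    """Map a missed-patch count onto the tiers used in the article's chart."""
    if n_missed <= 1:
        return "0-1 patches missed"
    if n_missed <= 3:
        return "1-3 patches missed"
    if n_missed <= 4:
        return "3-4 patches missed"
    return "more than 4 patches missed"


def audit(getprop_text, checks):
    """Return the claimed level, the verified gap, and the resulting grade."""
    props = parse_getprop(getprop_text)
    claimed = claimed_patch_level(props)
    missed = missed_patches(claimed, checks)
    return {
        "manufacturer": props.get("ro.product.manufacturer", "unknown"),
        "claimed_level": claimed.isoformat(),
        "missed": missed,
        "grade": grade(len(missed)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_GETPROP, SAMPLE_CHECKS))
```

The design point is that the claimed date only defines which patches should be present; the grade comes entirely from the verified checks, so a vendor that bumps the date without shipping fixes scores worse, not better, exactly the behaviour the chart penalises.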
Low-end chips trigger a vicious cycle
In other cases the vulnerabilities are in the phone's chip rather than in the operating system. Classified by the chip used, Samsung's processors did best and Qualcomm's chips were also acceptable, but phones using MediaTek chips missed an average of 9.7 patches.
This is related to phone pricing. Low-cost phones generally use cheap chips (MediaTek, for example) whose makers pay little attention to security, and the phone makers, relying on the chip vendor to provide patches, pay little attention either. The result is that low-cost handsets built on low-end chips inherit the chip maker's neglect of security. Ultimately, choosing a cheaper handset means entering a part of the ecosystem where security is poorly maintained: a vicious spiral.
Google: Security is more than just patching
When Wired magazine contacted Google on the matter, the company responded that some of the phones analysed by SRL may not have been Android-certified devices, meaning they are not bound by Google's security standards.
Google also pointed out that even where Android phones have unpatched security holes, exploiting them is very difficult. It believes that in some cases a device may appear to miss a patch because the phone manufacturer simply removed the vulnerable feature from the phone rather than fixing it.
Google said it is working with SRL Labs to investigate the findings further: 'Security updates are one of the many layers of protection for Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are equally important. These security layers combine with the diversity of the Android ecosystem.'
Researcher Nohl does not agree with that statement: a security patch is more than a number (he said every security patch should be installed). But he agrees that Google's Android phones are hard to crack. Since Android 4.0, programs are placed at random locations in memory, and the sandboxing mechanism makes it difficult for malware to succeed.
A modern so-called 'phone attack' can completely control a target Android phone, but it requires chaining a series of vulnerabilities in the phone's software, not just one.
Compared with such 'hard' break-ins, it is more important to guard against soft hacks: rogue software in the Google Play Store, or software that tricks users into installing it from unknown sources. The usual bait is free or pirated software; this method has little technical content and really belongs to the category of social engineering.
The reason manufacturers recommend that users install all available security patches is to guard against zero-day vulnerabilities, which are generally discovered right after being exploited by malicious actors; in many cases, attackers also use known but unpatched vulnerabilities to assist an attack. Hence the 'defense in depth' security principle: each missed patch is a missing layer of protection. You should not leave openings for hackers; install all patches.