Security researchers claim Android device makers are lying about security patch levels.
Security patches are hard to come by. Many users are left behind the times in terms of monthly security patches. Many device makers simply do not keep up to date on these patches, and to add to the problem, many carriers are not pushing out the updates that they receive from the device makers. The end result is that the consumers are left on old security levels. Now there’s a new fear, and that’s the possibility that these makers are lying to consumers about the patches which they receive.
Security researchers Karsten Nohl and Jakob Lell, from Security Research Labs claim that they have discovered that in many cases, phone makers are missing important patches in what they provide to users, while telling user that they are up to date. The duo claim to have tested 1,200 phones from more than a dozen manufactures for every android patch released in 2017. They claim that it is common for these companies to claim that they have installed patches which they did not.
“Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.” states Nohl. While he states that some seem to be purposely misleading consumers, he believes that in most cases, manufacturers are simply missing a patch or two by accident. He does state though, that they found several vendors which didn’t install a single patch, yet moved the date forward by sever months, “That’s deliberate deception, and it’s not very common.”
The researchers graded phone manufacturers by number of missed patches. Google, Sony, Samsung and Wiko scored best with 0-1 missing patches. Xiaomi, OnePlus and Nokia came in with 1-3 missed patches. Next, with 3-4 missing patches was HTC, Huawei, LG, and Motorola. Coming in last were TCL and ZTE with over 4 missed patches. But that’s not telling the entire story.
There are often many parts to a monthly security patch. Different parts of a device receive and require different patches. There could be a patch that is required for the operating system, and a patch that is required for the chipset. The researchers do point out that the chipset plays a big part in these missing patches. Chipsets from Samsung missed very few patches, while chipsets from MediaTek missed 9.7 patches on average. Phone makers receive these chipset patches from the chipset manufacturers. A logical deduction would be that phone manufacturers believe that they are patching their devices with the latest Google Android patch, while never receiving a patch from the chipset manufacturer.
Google has responded to inquiries from Wired stating that it is possible that devices tested by the security researchers may not have all been Android certified devices, meaning that they are not held to Google’s security standards. But that’s not all. Not all phones may need each security patch. Google states that some phone makers choose to simply remove vulnerable features rather than patch it.
“Security updates are one of many layers used to protect Android devices and users,” stated Android product security lead Scott Roberts “Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”
This idea echoes an explanation given by BlackBerry’s Alex Thurber in a blog post from Inside BlackBerry later last year.
“We inject security keys during manufacturing to make sure that you have genuine hardware. We utilize “secure boot” technology to make sure that no malware loads before the operating system and to prevent the operating system from being “downgraded” to a less secure version. We make modifications throughout the Android operating system “stack” to not only harden it, but also to have “triggers” that help identify if there is an attempt to hack the software, you are alerted.
BlackBerry locks down capabilities in the Android OS that could give attackers the opportunity to compromise your device, and our software provides a secure environment that makes it difficult for attackers to find vulnerabilities or perform attacks.
The modifications we make to Android, long before the device is ever used, provide more durable security and require far fewer patches than non-BlackBerry smartphones.”
One aspect which both the security researchers who made these discoveries, and Google agree on, is that missing patches does not automatically make a user’s device open to exploitation. Due to Android’s broad security measures, a single vulnerability is not enough to take over a phone. Malware that can remotely take over an Android device relies on a series of vulnerabilities that can be exploited in a specific way.
“Even if you miss certain patches, chances are they’re not aligned in a certain way that allows you to exploit them,” Nohl says. Instead, he explains, that most malware relies on social engineering, in which malware creators depend on users giving the malware the permissions required to take over a phone. In addition, advanced, state sponsored, hackers are more likely to utilize unknown zero-day vulnerabilities as opposed to known bugs that are included in monthly security updates, even though these bugs can be used in conjunction with zero-day exploits.
Google states that it is working with SRL Labs to further investigate their findings.