The Vulnerable Android

Recently a story about a vulnerability affecting 95% of Android devices made the rounds. The vulnerability is particularly nasty, in that it can be exploited by sending a SMS message to the target, which in some cases need not even be read by the user, and which can be deleted immediately after the device has been compromised, leaving no visible trace to the user that they have been pwnd. If the thought of this isn’t enough to make you shit your pants, it’s probably because you’re not wearing any. Compounding the problem is the slowness with which cellular carriers typically roll out updates for the phones they sell.

It’s clear that it’s not a top priority for cell carriers to update the software on your handset. If it was, they’d do it in a more timely manner. Once they stop marketing a given model, it becomes increasingly unlikely that they will spend any money in support of it; it becomes their incentive to let your old phone go out of date so that you will have to buy a new handset.

This is clearly not in the interests of the consumer. The distribution model for software updates of the base firmware needs to change. It’s trivial to take app updates from Google Play, but not the Android firmware. For firmware updates, customers have to wait for the carrier to release an update, and then users have to go into the Android settings and find the “check for updates” feature and manually initiate the update, and that’s just crazy. Just as we do not look to our ISP to provide updates for our desktop PC, we should not be looking to our cell provider for these updates either. All devices should have the shortest possible update path — that is, get the update directly from the source of the software. Cell carriers are middle-men who provide packaging, bundling, and distribution, and they need to get out of the way, and let users get updates directly from the software maintainers.

This is especially important when it comes to critical security patches. Customers should not have to root their phone to gain this level of control over a device that they paid for and own.

Consumers should reject business models that call what they buy a “service” or “subscription” or “license” and insist on true ownership. I expect it’s too late for this to change, but that won’t stop me from advocating for it.

Since we do not yet live in this world, Android users need to take steps to mitigate vulnerabilities that they cannot patch.

It’s always a good idea to think about mitigation steps anyway, since it’s always possible for an unknown, undisclosed vulnerability to be present on a system, and so you should always assume that your device is vulnerable, and thus take steps to ensure that if it is compromised, you can accept the consequences of the event. It’s just a little more difficult to come up with mitigation strategies when the vulnerabilities are not known, but not impossible. All that you need to do is use your imagination to think of what could an attacker do with your phone if they got complete access to it, and ask yourself what you can do to minimize the harm and exposure of that.

If you have a smartphone, it’s not much of a stretch to say that You are your phone. Your entire life is in there. Your contacts, photos, web browsing history, your saved passwords, access to your email accounts where you receive password reset requests for all your other accounts. An compromised device also compromises two-factor authentication. If you use two-factor authentication, one of the two “factors” involved is a 1-time key that is sent to your phone via SMS. This, plus your password, are the two “factors” that are supposed to be a more secure form of authenticating than just using a password alone. But if your phone is compromised, and the 1-time key is sent to your phone, and therefore shared with the attacker who pwnd your phone, two-factor authentication is no longer effective at protecting you. And if the attacker can read your password reset request emails, and use them to gain control over your other accounts, that’s a very serious liability. Once your attacker has access to all your accounts, they can deny you access to them, and start impersonating you.

To mitigate these risks, I recommend the following:

  1. Stop treating the google account associated with your android devices as your “home” or “primary” account. Keep the minimum information and stuff in the account that you need in order to make the phone useful for you, and have that account be a “throwaway” account, which you can discontinue using if it gets compromised. I guess that probably means just using it for storing your contacts, and maybe for photos backups.
  2. Do not use the google account associated with your android devices as a point of contact for password resets. Create a secret email just for password resets, and use it only for that purpose. Don’t log into that account from your android device. Of course, most services will send you other mail to the account you use for password resets, so you’ll have a hard time using your password email only for that purpose, but limit your use as much as possible, so you do not become overly reliant on the account for other uses.

Do you have any other ideas for limiting the value of your compromised phone or tablet to an attacker? Comment below with your ideas.

Leave a Reply