Nearly all Android phones, smartwatches at risk of attack


By Dylan Bushell-Embling
Wednesday, 05 August, 2015



It’s a dark time for mobile security, with new research suggesting that as many as 95% of Android devices and 100% of smartwatches are vulnerable to attack.

The newly discovered StageFright vulnerability in Android has attracted international attention. StageFright, which has been compared to Heartbleed for mobile phones, refers to a serious flaw in Android’s media playback engine that allows for multiple methods of remote code execution.

Joshua Drake, mobile security expert at Zimperium, believes that the exploit could allow attackers to compromise 95% of all Android devices — an estimated 950 million — simply by sending an MMS with an infected payload.

Users don’t even have to open the MMS to be infected, and a properly designed attack could potentially delete the infected message before a user sees it.

“Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep,” Zimperium Labs said in a blog post. “Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual — with a trojaned phone.”

Drake said this makes the newly discovered vulnerability “extremely dangerous”.

Google has been quick to issue a patch for the vulnerability. But the nature of the Android operating model means that device manufacturers are responsible for ensuring new devices using customised versions of Android are protected, and mobile operators are responsible for pushing out updates to the OS for their users. This will be a drawn-out, complicated process that could leave users exposed for some time.

David McNeely, Centrify director of product management, noted that attackers consistently use such exploits with the same goal — stealing passwords.

“In this particular case, we need to remember that the mobile device is just another route to our passwords. We need to recognise that mobile devices should be treated with the same security concerns as a laptop or desktop computer,” he said.

“Never store passwords on the device. Enterprises should also implement single sign-on (SSO) and multifactor authentication (MFA) whenever possible, to protect critical apps and eliminate passwords. While carriers and device manufacturers work to get the patches out to vulnerable phones, users should turn off automatic download of MMS content and be wary of MMS messages from unknown senders.”

McNeely also recommended users download patches for other vulnerable apps, including browsers, as soon as possible. “This is a scary-sounding exploit, but if we take steps to make sure there’s nothing to steal, we’ll all stay ahead of the attacks,” he concluded.

As if that wasn’t enough to deal with, new research from HP Fortify focusing on IoT security shows that all 10 tested smartwatches contain significant vulnerabilities.

HP said the results show that smartwatches with network and communications functionality represent a new and open frontier for cyberattacks.

The most common security issues reported include insufficient user authentication, lack of transport encryption, insecure interfaces, insecure software and firmware, and privacy concerns involved with the devices collecting personal information.

“Smartwatches have only just started to become a part of our lives, but they deliver a new level of functionality that could potentially open the door to new threats to sensitive information and activities,” Shane Bellos, HP Software South Pacific general manager for enterprise security products, said.

“As the adoption of smartwatches accelerates, the platform will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.”

The company has urged consumers and businesses to consider security when choosing to use a smartwatch and recommended against enabling sensitive access control functions such as car or home functionality unless the product uses strong authorisation techniques.
