Tag Archives: Crapware

25 Android Phones Vulnerable

No big surprise here really, but still disappointing.

Researchers at Def Con last week reported that they had found 47 vulnerabilities in the firmware and default apps of 25 Android phones.

When they talk firmware, I don’t think they really mean firmware.  Rather, they mean the operating system like Android Oreo or Nougat, although it is possible that they mean the software that lives below the operating system and controls things like the radio hardware or camera hardware.  That stuff is buggy too.

The good news is that the bugs are not serious.  All they allow a hacker to do is:

  • Send or receive text messages
  • Take screenshots of whatever you are looking at
  • Record videos of your screen
  • Steal your contacts
  • Install malware and crimeware without your approval
  • Wipe your data

Other than that, not really a big deal.

Just kidding.  Holy cow!  That pretty much means they can do whatever they want.

Part of the problem is those apps that come preinstalled on your phone because the manufacturer or carrier gets paid to put them there.  Affectionately, that software is called crapware.  Those are the apps that they will not let you remove.  But some of them are vulnerable to attack.

Android phone vendors affected include:

  • ZTE
  • Sony
  • Nokia
  • LG
  • Asus
  • and a host of smaller players

This does not mean all models were tested or all models were affected.

IT ALSO DOESN’T MEAN THAT BECAUSE YOUR VENDOR ISN’T LISTED IT IS SAFE.  THE RESEARCHERS ONLY HAD A LIMITED AMOUNT OF TIME AND MONEY.

Part of the problem is that many of the companies that manufacture phones are used to selling washing machines and headphones – stuff that you do not have to patch.  As a result, they are not really culturally ready to deal with a product that releases hundreds of patches a year.

But they need to.

So what should you do?

Some people say “but my phone is not broke, why do I need to get a new one”? That is because, even though it works, after a while, it doesn’t get any patches.  That doesn’t mean that researchers won’t find new security holes for the Chinese to exploit to steal your data and try to get you to pay them to give it back.  In fact, old phones are the most likely to get attacked because they are the least likely to get patched.

BEFORE you buy any phone, look for the manufacturer’s guarantee of patches.  For example, Google is about to release the Pixel 3, but they say they will be issuing patches for the Pixel 2 until October 2020 – at least.  If the manufacturer is cagey about patches and support, choose a different one.  Apple calls their unsupported products “Vintage”, but that is just a cute term for “You are on your own, buddy”.  iPhone 4 and older are vintage.  Reports indicate that due to less than exciting sales, the iPhone X might see the end of its life as early as this year.  That doesn’t mean that they won’t patch it however.  They just won’t sell it.  The iPhone 5s is the oldest phone that supports iOS 12.  Apple does a very nice job of supporting older phones.

See how often your chosen vendor releases software patches.  Google and Apple release patches monthly.  Some vendors don’t ever release patches and others release them quarterly or less frequently.  Long wait for a patch?  Find a different vendor.

It is not just the manufacturer you have to worry about, but also all of the apps that you have installed.  Fewer apps are better.  Maybe not as much fun, but definitely more secure.  Uninstall anything you are not using any more.  Really.
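Both checks above (how stale the phone's patches are, and which preinstalled apps are still enabled) can be run from a computer with adb. This script is an added example, not from the original post or its source; the staleness thresholds and the sample package names are assumptions, while `ro.build.version.security_patch` and `pm list packages -s -e` are standard Android interfaces.

```shell
#!/bin/sh
# Added example. Sample data is constructed; thresholds are assumptions.

# Whole months between a patch level (YYYY-MM-DD) and a reference date.
patch_age_months() {
    for d in "$1" "$2"; do
        case $d in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) echo "invalid"; return 0 ;;
        esac
    done
    # Split out year and month; drop a leading zero so "08" is not octal.
    py=${1%%-*}; pmo=${1#*-}; pmo=${pmo%%-*}; pmo=${pmo#0}
    ty=${2%%-*}; tmo=${2#*-}; tmo=${tmo%%-*}; tmo=${tmo#0}
    echo $(( ($ty - $py) * 12 + ($tmo - $pmo) ))
}

# Classify a patch level against a monthly / quarterly release cadence.
patch_status() {
    age=$(patch_age_months "$1" "$2")
    case $age in
        invalid) echo "unknown" ;;
        -*|0|1)  echo "current" ;;   # keeps up with monthly releases
        2|3)     echo "lagging" ;;   # roughly quarterly
        *)       echo "stale" ;;     # longer than a quarter without a patch
    esac
}

# Turn `pm list packages` output on stdin into sorted package names.
# The trailing .* also drops the carriage return some adb versions add.
package_names() {
    sed -n 's/^package:\([A-Za-z0-9._]*\).*$/\1/p' | sort -u
}

# Live check; call this by hand with a phone attached and USB debugging on.
audit_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "patch level $level: $(patch_status "$level" "$(date +%Y-%m-%d)")"
    echo "enabled preinstalled (system) packages:"
    adb shell pm list packages -s -e | package_names
}

# Offline demo on constructed values (hypothetical package names).
patch_status 2018-03-01 2018-08-15   # prints "stale"
printf 'package:com.vendor.example.updater\npackage:com.carrier.example.promo\n' |
    package_names
```
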

I know this is a pain in the tush, but, sorry, you just have to deal with it.  iPhones and Google Pixel phones are definitely the best when it comes to timely patches.

Remember that all it takes to get infected is to receive a well-crafted malicious email (you don’t have to click on anything), receive a malicious text or visit a malicious web site.  NO. CLICKING. REQUIRED!

Don’t say I didn’t warn you.

Information for this post came from Bleeping Computer.

Laptop Vendor Bloatware Confirmed As Security Nightmare

Everyone is familiar with all of that unwanted software that manufacturers are paid to install on laptops that they sell.  For many people, when they get a new computer, they spend the first many hours installing patches and deleting all of those unwanted applications, which many people lovingly call crapware.  Researchers have confirmed that in addition to being unwanted, that crapware also makes your computer completely compromised from a security standpoint.

Many businesses will take that new laptop, format the disk and install a ‘clean’ version of the OS that they use –  that is actually easier, in most cases, than uninstalling all that crap.

Duo Security analyzed the ‘driver updater software’ packaged with Acer, Asus, Dell, HP and Lenovo laptops.  Their analysis?

  We broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy.[…]The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant – meaning, trivial.  

Duo said that every laptop vendor’s driver updating software included at least one security flaw that allowed the hacker to remotely execute code as ‘System’ and take over the device.

The table below provides a summary of the underlying design and implementation errors for each of the tested manufacturers.

[Table image: Bloatware]

For consumer users, this confirms my recommendation of uninstalling any applications that you do not expressly need.  My motto is “if in doubt, throw it out!” (meaning uninstall it).  While previously, I had not considered the vendor’s driver updating software to fall in that category, I think that is now something to consider.

For business users, you should have a “gold disk”, which is an image of a brand new, fully patched operating system with all the applications that you use already installed.  That way, you format the disk, install your version of the (Windows) OS along with all of the applications that you use, make a few tweaks, install the last few patches and you are good to go.  Every business that has more than a few computers should be doing this.

Information for this post came from Softpedia.