Tag Archives: Defcon

25 Android Phones Vulnerable

No big surprise here really, but still disappointing.

Researchers at Def Con last week reported that they had found 47 vulnerabilities in the firmware and default apps of 25 Android phones.

When they talk firmware, I don’t think they really mean firmware.  Rather, they mean the operating system like Android Oreo or Nougat, although it is possible that they mean the software that lives below the operating system and controls things like the radio hardware or camera hardware.  That stuff is buggy too.

The good news is that the bugs are not serious.  All they allow a hacker to do is:

  • Send or receive text messages
  • Take screenshots of whatever you are looking at
  • Record videos of your screen
  • Steal your contacts
  • Install malware and crimeware without your approval
  • Wipe your data

Other than that, not really a big deal.

Just kidding.  Holy cow!  That pretty much means they can do whatever they want.

Part of the problem are those apps that come preinstalled on your phone because the manufacturer or carrier gets paid to put them there.  Affectionately, that software is called crapware.  Those are the apps that they will not let you remove.  But some of them are vulnerable to attack.

Android phone vendors affected include:

  • ZTE
  • Sony
  • Nokia
  • LG
  • Asus
  • and a host of smaller players

This does not mean all models were tested or all models were affected.

IT ALSO DOESN’T MEAN THAT BECAUSE YOUR VENDOR ISN’T LISTED IT IS SAFE.  THE RESEARCHERS ONLY HAD A LIMITED AMOUNT OF TIME AND MONEY.

Part of the problem is that many of the companies that manufacture phones are used to selling washing machines and headphones – stuff that you do not have to patch.  As a result, they are not really culturally ready to deal with a product that releases hundreds of patches a year.

But they need to.

So what should you do?

Some people say “but my phone is not broke, why do I need to get a new one”? That is because, even though it works, after a while, it doesn’t get any patches.  That doesn’t mean that researchers won’t find new security holes for the Chinese to exploit to steal your data and try to get you to pay them to give it back.  In fact, old phones are the most likely to get attacked because they are the least likely to get patched.

BEFORE you buy any phone, look for the manufacturer’s guarantee of patches.  For example, Google is about to release the Pixel 3, but they say they will be issuing patches for the Pixel 2 Until October 2020 – at least.  If the manufacturer is cagey about patches and support, choose a different one.  Apple calls their unsupported products “Vintage”, but that just is just a cute term for “You are on your own, buddy”.  iPhone 4 and older are vintage.  Reports indicate that due to less than exciting sales, the iPhone X might see the end of its life as early as this year.  That doesn’t mean that they won’t patch it however.  They just won’t sell it.  The iPhone 5s is the oldest phone that supports iOS 12.  Apple does a very nice job of supporting older phones.

See how often your chosen vendor releases software patches.  Google and Apple release patches monthly.  Some vendors don’t ever release patches and others release them quarterly or less frequently.  Long wait for a patch?  Find a different vendor.

It is not just the manufacturer you have to worry about, but also all of the apps that you have installed.  Less apps is better.  Maybe not as much fun, but definitely more secure.  Uninstall anything you are not using any more.  Really. 

I know this is a pain in the tush, but, sorry, you just have to deal with it.  iPhones and Google Pixel phones are definitely the best when it comes to timely patches.

Remember that all it takes to get infected is to receive a well crafted malicious email (you don’t have to click on anything), a malicious text or visit a malicious web site.  NO. CLICKING. REQUIRED!

Don’t say I didn’t warn you.

Information for this post came from Bleeping Computer.

Voting Machines Hacked At Defcon

Voting Village was the place to be at Defcon if you are interested in the security of your vote.

The sponsors of the village bought 30 voting machines  – many on eBay.

Full disclosure – some of these models are no longer in use, but others are still in use.

One older (in use until 2014) Winvote machine was hacked in seconds.

One Express Poll machine from the great state of Tennessee still had voter information on it for 600,000 voters, even though the machine was supposedly wiped before being sold.  The data was on a memory card and the Defcon hackers were able to take that card and put it in a card reader and read the data.  That tells me that the data was not encrypted.  WHY???????  In this day and age, why would you not encrypt that data?

Defcon plans to expand Voter Village over each of the next three years.  Hopefully the vendors of these machines will see this as an opportunity to improve their security.

To be fair, these attacks went after individual voting machines so the possibility of massively changing the vote using these techniques is not practical.

On the other hand, these friendly hackers only got to spend about 24 hours with these machines.  If they had as much time as a hacker might have, could they do more damage – ABSOLUTELY.  How much damage?  That is unknown.

More likely, state sponsored hackers would likely go after the state and local vote management organizations such as a Secretary of State.  According to DHS, hackers did  attempt to hack these organizations in over 30 states.  What they have not said is how many of these were successful and what did they succeed at doing.  Stealing data is one thing.  Corrupting data is another thing.  Changing data is yet another thing. Finally, deleting data is yet another possibility.

What we definitely will see over the next few years is more good guys hacking machines to improve security – and more bad guys hacking machines – because they can.  This is definitely a cat and mouse game.

Information for this post came from Wired.