Prošli tjedan, na DEF CON sigurnosnoj konferenciji održanoj u Las Vegasu, sigurnosni su stručnjaci objavili detalje o 47 ranjivosti unutar ugrađenog softvera (engl. firmware) i tvorničkih aplikacija na 25 Android pametnih telefona, od kojih se 11 prodaju u Sjedinjenim Američkim Državama. Ranjivosti, koje su navedene u popisu na kraju članka, mogu biti jednostavne greške koje uzrokuju gašenje uređaja, ali i rizični bugovi koji napadačima omogućavaju root pristup uređaju.
Neke od ovih ranjivosti omogućavaju napadačima pristup i slanje SMS poruka sa žrtvina uređaja, preuzimanje preslike ekrana, dohvaćanje imenika te preuzimanje i instalaciju aplikacija bez znanja žrtve.
Ove ranjivosti otkrivene su i u tvornički postavljenim aplikacijama koje dolaze s uređajima, ali i u ugrađenom softveru nekih uređaja koji ne može biti otklonjen bez gubljenja važnih funkcionalnosti.
Proizvođači koje je tvrtka Kryptowire navela na popisu su ZTE, Sony, Nokia, LG, Asus i Alcatel, ali i manji prozvođači poput tvrtke Vivo, SKY, Plum, Orbic, Oppo, MXQ, Leagoo, Essential, Doogee i Coolpad.
“Veliki broj proizvođača i različitih modela čini sigurnosna testiranja veoma složenima, a dosadašnje prakse na mogu odgovoriti na ovaj problem”, kazao je Angelos Stavrou, direktor sigurnosne tvrtke Kryptowire te predstavio novu platformu za automatsko testiranje mobilnih uređaja.
U nastavku prenosimo popis uređaja koji su pogođeni i prodaju se u Hrvatskoj, a ovdje možete pronaći potpuni popis uređaja:
| OEM | Model | OS Version | Description | Attack Requirements | Build Fingerprint |
|---|---|---|---|---|---|
| Vivo | V7 | 7.1.2 | Record the screen and write it to app’s private directory. A notification and floating icon pop up initiatlly, but these can be quickly removed. | Local app on the device that does not require any permissions | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. This does leave a sticky notification. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Provides the capability to set system properties as the com.android.phone user. With this and vulnerability above, you can caputre the input of the user (where they touch the screen) and the bluetooth snoop log. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Sony | Xperia L1 | 7.0 | Take screenshot of the screen which can be used to examine the user’s notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | Sony/G3313/G3313:7.0/43.0.A.6.49/2867558199:user/release-keys |
| LG | G6 | 7.0 | Can lock a user out of their own phone (even in safe mode) and the user will be forced to factory reset in recovery mode. The user may be able to unlock the device if they have ADB enabled prior to the locking of the screen and can figure out how to unlock it hich may be difficult for the average user. This acts as a Denial of Service attack and results in data loss if a factory reset occurs. | Local app on the device that does not require any permissions | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the logcat logs continuosly which are not available to third party apps since they leak senstive user data. The log file can be written to the app’s private directory by using path traversal. | Local app on the device and INTERNET permission to send out the data. | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. It also creates a file on the sdcard containing the phone IMEI and serial number. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | A pre-installed app with an exposed interface allows any app on the phone to obtain a bugreport (kernel log, logcat log, dump of system services (includes text of active notifications), WiFi Passwords, and other system data gets written to the sdcard. The numbers for received and placed telephone calls show up in the log, as well as the sending and receving telephone numbers for text messages. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Arbitrary app installation over the internet. Then this app can also be uninstalled after it is run using the same interface. | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Take screenshot of the screen which can be used to examine the user’s notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and EXPAND_STATUS_BAR permission is needed to expand the status bar | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max & ZenFone V Live | 7.0 | Command execution as the system user | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys & asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1709.56-20171017:user/release-keys |
| Alcatel | A30 | 7.0 | Take screenshot of the screen which can be used to examine the user’s notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys |
| Alcatel | A30 | 7.0 | Local root privilege escalation via ADB. The vendor allows read only properties to be modified. They could also peform this behavior to get root privileges. This was an Amazon Prime exclusive device. | The user needs physical access to the device and needs to bypass the screen-lock if it exists | TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys |
