Android OEMs lie about security patches on software updates
Security Research Labs plans to release a report on what it calls the Android “patch gap,” where phone manufacturers don’t deliver the latest security updates to their products. But the gaps aren’t just flat-out omissions: the researchers found that many manufacturers lie about an update containing a patch when it doesn’t.
In a pre-release consultation with WIRED, SRL researchers Karsten Nohl and Jakob Lell looked at over 1,200 phones and tracked their update records through the course of 2017. The track record for a few manufacturers contains “deliberate deception.”
“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” Nohl said.
Further complicating matters is the sheer inconsistency of which devices get what quality of treatment: the Galaxy J5 (2016) honestly told consumers about its hit-and-miss patch record, while the Galaxy J3 (2016) claimed to have every patch but actually lacked 12 of them — two of them rated “critical.”
Keep in mind that security patches have to be applied at multiple levels, from the phone manufacturer to the OS maker (Google) to the component makers. SRL notes that MediaTek was the biggest offender for chip-level patch omissions — those gaps propagated up the chain to the OEMs and so were missing from the overall software updates. In general, though, cheaper chips get low priority for security maintenance on the semiconductor companies’ side.
“The lesson is that if you go for a cheaper device, you end up in a less well-maintained part to this ecosystem,” Nohl said.
SRL normalized the number of claimed patches that were not installed for devices that got an update on or after October 2017:

| Claimed patches missing (normalized) | Vendors |
|---|---|
| 0-1 | Google / Sony / Samsung / Wiko |
| 1-3 | Xiaomi / OnePlus / Nokia |
| 3-4 | HTC / Huawei / LG / Motorola |
| 4+ | TCL / ZTE |
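As an added illustration, and not SRL’s tool or any code from the report, the following constructed Python check mirrors the comparison behind the figures above: the set of patches a device claims through its security patch level, minus those actually verified present. The CVE ids, bulletin dates and verification results are placeholders made up for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    cve: str        # placeholder id, not a real CVE
    bulletin: date  # bulletin month that first carried the fix
    severity: str   # "critical", "high" or "moderate"
    layer: str      # "framework", "kernel" or "chipset"


# Constructed bulletin history; real bulletins list far more fixes.
BULLETIN = [
    Patch("CVE-0000-0001", date(2017, 8, 1), "critical", "framework"),
    Patch("CVE-0000-0002", date(2017, 9, 1), "high", "kernel"),
    Patch("CVE-0000-0003", date(2017, 9, 1), "critical", "chipset"),
    Patch("CVE-0000-0004", date(2017, 10, 1), "moderate", "framework"),
    Patch("CVE-0000-0005", date(2017, 11, 1), "critical", "chipset"),
]


def parse_patch_level(level: str) -> date:
    """ro.build.version.security_patch has the form YYYY-MM-DD."""
    year, month, day = (int(part) for part in level.split("-"))
    return date(year, month, day)


def patch_gap(claimed_level: str, bulletin: list[Patch], installed: set[str]) -> dict:
    """Patches implied by the advertised patch level that are not actually present.

    `installed` is the set of ids a binary check confirmed on the device;
    here it is a constructed input, not the output of a real scanner.
    """
    level = parse_patch_level(claimed_level)
    claimed = [p for p in bulletin if p.bulletin <= level]
    missing = [p for p in claimed if p.cve not in installed]
    by_severity: dict[str, int] = {}
    for p in missing:
        by_severity[p.severity] = by_severity.get(p.severity, 0) + 1
    return {
        "claimed": len(claimed),
        "missing": sorted(p.cve for p in missing),
        "by_severity": by_severity,
        "level_is_honest": not missing,
    }


if __name__ == "__main__":
    # A device advertising 2017-10-01 while two of the four implied fixes are absent.
    print(patch_gap("2017-10-01", BULLETIN, {"CVE-0000-0001", "CVE-0000-0002"}))
```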
Google tells WIRED that it is working with SRL and appreciates the data it has obtained. However, the company also pushed back on some of the data, suggesting that some devices tested were not made to certified standards and that some patches weren’t included because the vendor found another way to fix a vulnerability, such as removing a feature. Newer phones, Google says, are hard to crack into even with unpatched holes.
In response to Google’s statement, SRL’s Karsten Nohl said that while it’s unlikely that OEMs have gone as far as working around a patch to cover a vulnerability, he agrees that most hackers will find it difficult to hack an Android phone because of the OS’s base security features, such as address randomization and app sandboxing.
Yet, with a growing amount of malicious code coming from more sophisticated actors, those involved in the Android software development chain shouldn’t risk skipping patches, since a chain of individually minor holes can add up to a working attack.
“You should never make it any easier for the attacker by leaving open bugs that in your view don’t constitute a risk by themselves,” Nohl said, “but may be one of the pieces of someone else’s puzzle. Defense in depth means install all the patches.”
Security Research Labs presented its full findings at the Hack in the Box conference in Amsterdam today.
Android is also doing damage control after the recent revelation that only devices running the operating system had call and SMS data scraped by Facebook, due in part to the software platform’s lax rules on version targeting.