
The IoT to bring more insecure electronics to the market


March 16, 2016

If you happen to have a Qualcomm Snapdragon CPU in your Android phone or tablet, make 100 percent sure that you get its latest security updates as soon as possible.

If for any reason you can't, the Internet of Things (IoT) is going to bring more and more un-patchable and very insecure elements into your life, internet security experts say.

To be sure, researchers at security firm Trend Micro have discovered critical programming issues in Qualcomm's kernel-level Snapdragon code that can be easily exploited by a bad app to root the device.

What's really troublesome here is that such programming blunders could have been easily prevented by Qualcomm.

In other words, code installed on or injected into your phone or tablet can use these security flaws to take over the hardware itself and turn it against you to snoop on passwords, snap photos of you, and so on.

Qualcomm boasts that millions of products use its chips, so these bugs will put a lot of people at risk and in more ways than one.

These low-level security flaws have since been patched by Qualcomm, the company said today. The trouble is getting the fixed code onto people's hardware. The updates have to trickle down from Qualcomm to Google to your device's manufacturer to your network carrier and finally to your handheld over the air.

If, for whatever reason, security patches are no longer available for your model, or take too long to arrive, that's bad news because it gives miscreants time to exploit the flaws to gain control of your handheld.

And if you don't have a Snapdragon-based gadget, well, there are plenty of other Android security flaws that still need patching ASAP, from mediaserver bugs that can be exploited by video messages to MediaTek Wi-Fi drivers giving apps kernel-level access.

All Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10 devices get their security patch updates directly from Google, so they're safe from the security vulnerabilities.

But this may vary greatly for other devices. Alternatively, you could install a custom firmware like Cyanogen, which grabs and emits Android patches as soon as they are ready, but that's another matter entirely.

"We believe that any Snapdragon-powered Android device with a 3.10-version kernel is potentially at risk," said Trend Micro engineer Wish Wu.

"Given that many of these mobile devices are either no longer being patched or never received any patches in the first place, they would essentially be left in an insecure state without any patch forthcoming," he added.

In testing, Trend Micro found that the Nexus 5, 6 and 6P, and the Samsung Galaxy Note Edge were running vulnerable versions of Qualcomm's code, although it doesn't have access to every handset and tablet to test, so the list is non-exhaustive.

The broken code is present in Android versions 4 to 6, we are told. Trend Micro's Noah Gamer thinks the state of Android security doesn't bode well for the Internet of Things, where Google's operating system will play a role.

"And smartphones aren't the only issue here. Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things (IoT) meaning that these gadgets are just at risk as well," he added.

"If the IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring that these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with," Gamer asserted.

The first Qualcomm-related security bug (CVE-2016-0819) allows a small section of kernel memory to be tampered with after it is freed, disclosing sensitive information about the kernel's state.

It was patched only last week. The second flaw (CVE-2016-0805) is in the Qualcomm chipset kernel function get_krait_evtinfo, which returns an index into an array used by other kernel functions.

By passing carefully crafted input data, it's possible to generate a bad index, leading to a buffer overflow. That was patched in late February.
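The bug class described above, an array index computed from caller-supplied data without a range check, is shown here beside a hardened form. This is an added illustration, not Qualcomm's code or anything from the original article: the field layout, table size and function names are hypothetical, and the sample inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BANKS          4
#define SLOTS_PER_BANK 4
#define TABLE_SIZE     (BANKS * SLOTS_PER_BANK)   /* 16 entries */

/* Hypothetical layout: a caller-controlled value packs two 4-bit
 * fields, bank (bits 4-7) and slot (bits 0-3). */
#define FIELD_BANK(v) (((v) >> 4) & 0xFu)
#define FIELD_SLOT(v) ((v) & 0xFu)

/* Flawed pattern: the index is derived from input with no range check,
 * so 4-bit fields can yield values up to 75 for a 16-entry table. */
int index_unchecked(uint32_t v)
{
    return (int)(FIELD_BANK(v) * SLOTS_PER_BANK + FIELD_SLOT(v));
}

/* Hardened: validate each field before combining; negative = rejected. */
int index_checked(uint32_t v)
{
    uint32_t bank = FIELD_BANK(v), slot = FIELD_SLOT(v);
    if (bank >= BANKS || slot >= SLOTS_PER_BANK)
        return -1;
    return (int)(bank * SLOTS_PER_BANK + slot);
}

/* Consumer with defence in depth: re-check the index before writing,
 * because the value came from another function. */
int claim_entry(uint8_t table[TABLE_SIZE], int idx)
{
    if (idx < 0 || idx >= TABLE_SIZE)
        return -1;
    table[idx] = 1;
    return 0;
}

int main(void)
{
    uint8_t table[TABLE_SIZE] = {0};
    uint32_t ok = 0x21;       /* constructed: bank 2, slot 1  */
    uint32_t crafted = 0xFF;  /* constructed: bank 15, slot 15 */

    printf("valid:   unchecked=%d checked=%d\n",
           index_unchecked(ok), index_checked(ok));
    printf("crafted: unchecked=%d checked=%d\n",
           index_unchecked(crafted), index_checked(crafted));
    printf("claim with out-of-range index -> %d\n",
           claim_entry(table, index_unchecked(crafted)));
    return 0;
}
```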

Used together on vulnerable Android devices, Trend Micro's researchers say that root access can be easily gained by hackers.

The security team is sitting on the details of exactly how to leverage the flaws until the '2016 Hack In the Box Security Conference' in May. But once that's out, Android smartphone users had better get patching, asserts TM's team.

While Google will no doubt be looking for apps that exploit those security flaws, its scanning systems are far from perfect, and any poorly policed third-party app stores will no doubt wind up featuring free games that carry an unpleasant payload.

Source: Trend Micro.



Copyright © Internet Security.ca