Multiple holes in Amazon Fire phone, says MWR Labs

If you aren't rocking OS 4.6.1 on your Amazon Fire phone, then you could be hacked to bits, says MWR Labs' Bernard Wagner.

In recently published papers, he details security exploits that could leave your Fire phone wide open, including silent certificate install flaws and insecure USB debugging.

It's the latest in a long line of mobile phone vulnerabilities to hit myriad brands.

The Android Debug Bridge (adb) command line tool helps with development and debugging. Secure USB Debugging was added in Android 4.2.2 and is present in later versions; it limits the number of hosts able to connect through adb by requiring the device to be unlocked and the user to accept connections.

However, the Amazon Fire Phone – running a modified version of 4.2.2 – did not enforce this. In mitigation, the vulnerability is only exploitable if USB debugging is enabled.

If an attacker were able to gain adb access to the device, they could install and uninstall applications, bypass the lock screen and steal data, among other things.
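As an added example (not MWR's or Amazon's code), the sketch below audits whether handsets enforce the Secure USB Debugging behaviour described above by classifying `adb devices` output. It assumes the output was captured on a host whose adb key has never been accepted on the handsets and that USB debugging is enabled on them; the function names and serial numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MWR's or Amazon's code. Run from a host whose adb key has
# never been accepted on the handsets, with USB debugging enabled on each one.

# Constructed `adb devices` output; the serial numbers are made up.
sample_output() {
    printf 'List of devices attached\n'
    printf 'FIRE0000TEST01\tdevice\n'
    printf 'NEXUS000TEST02\tunauthorized\n'
    printf 'PIXEL000TEST03\toffline\n'
}

# Read `adb devices` output on stdin, print "<serial> <verdict>" per handset.
classify_adb_states() {
    awk '
        /^List of devices attached/ { next }   # header line
        /^\*/                       { next }   # "* daemon started ..." notices
        NF < 2                      { next }   # blank or malformed line
        {
            if ($2 == "device")            verdict = "NOT_ENFORCED"
            else if ($2 == "unauthorized") verdict = "ENFORCED"
            else                           verdict = "INCONCLUSIVE"
            print $1, verdict
        }
    '
}

# Print the report; return 1 if any handset accepted the unapproved host.
audit_secure_usb_debugging() {
    report=$(classify_adb_states)
    printf '%s\n' "$report"
    case "$report" in
        *NOT_ENFORCED*) return 1 ;;
    esac
    return 0
}

# Real use: adb devices | audit_secure_usb_debugging
sample_output | audit_secure_usb_debugging || echo "review handsets marked NOT_ENFORCED"
```

A handset in the `unauthorized` state is waiting for its user to accept the host, which is the expected result; states such as `offline` say nothing either way and need a retest.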

The silent certificate flaw stems from an error in the implementation of the myUserId() function which, Wagner said, would return 0 for any application. This means that the Fire phone allows applications to install certificates without any intervention from the user.

“If the vulnerability was to be successfully exploited, all encrypted traffic that does not make use of certificate pinning could be intercepted in a Man-in-The-Middle attack,” he said.

In mitigation, users would see a notification that a certificate had been installed, and the pre-patch advice was to look out for these notifications and take action immediately to remove unwanted certificates and the potentially malicious programs that had installed them.

However, hope is at hand. MWR has been working with Amazon on these vulnerabilities for several months and recommends that all Fire phone users upgrade immediately to OS 4.6.1, which addresses all of these problems.