Android manufacturers are ignoring security vulnerabilities and brand-new Android devices can still be readily hacked to infiltrate corporate networks, MWR InfoSecurity's Rob Miller told the BSides security conference on Tuesday.
Miller, a respected UK Android security specialist, revealed how MWR had hacked two Android phones – “the best” offered by their respective manufacturers – before the user had installed any potentially vulnerable apps themselves.
The researchers examined whether they could remotely exploit flagship Android smartphones straight out of the box, exploiting weaknesses in the pre-installed apps provided. The answer was: “Yes, if the manufacturer has made significant changes - which almost all have.”
On one device, as soon as the user began browsing online, MWR was able to use a man-in-the-middle (MITM) attack to inject a malicious custom URI – “a single piece of text” – into the vulnerable app and hijack its operation to run any code they wanted.
Describing the attack, Miller said: “It will end up with letting us install any app we want to silently on the phone. It ends up that we can install any app we want, with any permission we want, without any user interaction. So it's pretty bad.”
MWR were also able in this case to use the known Android Master Key vulnerability to overwrite any app on the phone, access its sandbox and, for example, gain access to sensitive apps such as banking apps.
“What we found was that if you were to ask for certain objects, certain classes, you can get a runtime object and actually execute any code you want and access any function on the phone,” Miller said. “In 30 minutes we had a fully working root exploit for this device.”
Miller said his talk was “slightly Snowdenised, slightly redacted” because MWR have contacted the two manufacturers concerned and they are still in the process of fixing the vulnerabilities exposed.
But he put the blame squarely on the phone manufacturers themselves, rather than the Android operating system.
Miller said “Android has come a long way in the last three years”, with the latest KitKat version 4.4 having strong security features. “Android gets security. It's actually pretty good,” he said.
But he told the conference: “Unfortunately, all these great security features are not being used. The simple issue is right now apparently you cannot sell a phone to the market saying this is the most secure one. You've got to have features. The drive to market is new features, not best security.
“The simple conclusion is you have the manufacturers, the network operators, it's such a rush to get the new features that they are not taking advantage of these new security features or worse they're actually poking holes in the walls.”
Miller warned: “There will be a lot of issues like this; I absolutely guarantee it - because currently these vulnerabilities are kind of being ignored by the manufacturers. If enough of us make enough noise, maybe they'll start doing something about it.”
Miller advised his audience: “With BYOD, you have to plan and know that currently Android can be undermined. For any security currently put on an Android smartphone, the apps that are on that phone can be compromised. Our research shows that for brand-new devices these issues still exist; this issue is not going away any time soon.”
Miller said MWR also examined the significance for corporate users of these flaws, as: “Most people don't carry around their bank details in a text file. If somebody broke into your Twitter account or your Angry Birds game, is it really that bad?”
MWR tested whether the exploits could be used to infiltrate a company with good physical and network security, where employees are allowed to use their personal mobiles in the office.
The researchers set up a scenario where they could use their exploits to compromise an employee's personal phone at a public WiFi spot, then detect when the employee went to the office, and successfully attack other users, phones and devices, even when the company had a safe guest WiFi network separate from its own.
MWR could use privilege escalation to gain install privileges, and jump from the user's phone onto their desktop.