By: Robert Lemos
A software project funded by the U.S. government and developed by a small security startup will put wireless carriers’ patching practices under the microscope.
Smartphone security firm Duo Security plans to release an app for Android phones on July 23 that will check the operating system on consumer devices for known, but unpatched, security flaws. Dubbed X-Ray, the application will detect all privilege-escalation vulnerabilities, which would allow a malicious app to take control of a smartphone, as well as other severe security flaws, said Jon Oberheide, chief technology officer and co-founder of the company.
While developers of desktop operating systems and software have accelerated their patching of vulnerabilities, smartphone manufacturers and wireless carriers are far slower in securing mobile devices.
“Mobile malware authors have capitalized on the fact that such vulnerabilities go unpatched for many months due to conservative carrier patching practices,” Oberheide wrote in an email. “We hope that X-Ray will raise user awareness about the security of their mobile devices and put pressure on carriers to step up their game when it comes to patching their users’ devices.”
Once installed, X-Ray will probe the system and determine what software and which versions are running. Duo Security maintains a database of which software versions are vulnerable to the eight major privilege-escalation flaws that could be used by an attacker to take control of the user’s phone. In addition, unknown binaries are submitted to Duo Security’s servers for analysis and vulnerability scans.
“There is a very small number of unique binaries out there in the world, maybe 100 or so different variations and different builds and different models of phones, so we can very quickly gather information on the near-100-percent population or binary variations,” Oberheide said in an interview.
When X-Ray finds a vulnerable smartphone, it will notify the users, who have, unfortunately, a limited number of options. The user can check their carrier for an update, complain to the company, if there is no patch, or jailbreak the phone and install a third-party version of Android.
A typical flaw in the Android operating system must be discovered by researchers, fixed by the original developers, added to the Android source code, incorporated into the firmware for the specific phone make and model by the manufacturer, and finally, pushed out by the carrier to each individual device. It’s a process that can take months to patch a vulnerability, if at all. In July 2011, for example, nearly half of all phones were still vulnerable to the RageAgainstTheCage vulnerability-and a malicious application known as DroidDream that used the flaw-even though the fix had been available in the Android source code for nearly a year.
At some point, Duo may offer a user the option of patching the vulnerability on their phones automatically, but that would require the company’s software to exploit the flaw and use it to patch the system, Oberheide said.
The software project is one of the first to get funding under the Cyber Fast Track program, an initiative managed by the Defense Advanced Research Projects Agency (DARPA) to spur innovative security research by funding small companies and individual researchers. The initiative, managed by former L0pht hacker Peiter “Mudge” Zatko, has funded some five-dozen projects to date.
As part of the project, the company plans to port the application to other mobile-device platforms.