Kryptowire’s recent report, or more precisely the research results it presented at the Black Hat USA security conference, revealed that millions of Android devices are vulnerable right out of the box. The mobile enterprise security company exposed bugs in the firmware of 10 separate devices, including ones from major players like Asus, Essential, LG, and ZTE.
The holes in the firmware could allow everything from locking someone out of their device to taking control of the apps or other programs on it. Most of the attacks, according to Kryptowire, required users to download some kind of malicious software that could take advantage of the firmware holes.
However, the report largely blamed Android’s open nature as the root cause of these vulnerabilities. The open-style build allows third parties to insert code to create forked versions of Android, which can sometimes lead to gaps in the phone’s security.
Talking about the people in the supply chain who inject applications and their own code into devices, Kryptowire’s CEO Angelo Stavrou says that “… it increases the attack surface and the probability of software error… exposing end users to exploits they are not able to respond to.”
Stavrou also questions the efficacy of the patches pushed by device makers such as Asus. “The user has to accept the patch. So even if they send it to the phone, you might not accept the update,” he said.