Nearly 3 Million Android Phones Vulnerable To OTA Update Hijacking
At the center of the discussion this time around is the Ragentek firmware used on a number of Android smartphones. Researchers from BitSight Technologies discovered two internet domains that were hardwired into the firmware. Until recently these domains were unregistered, so BitSight took it upon itself to register the domains to do a bit of testing.
With BitSight now in possession of the domains, it discovered that 2.8 million unique devices have attempted to connect to them. The firmware dangerously allows apps with escalated privileges to be installed, with BitSight writing, “The fact that the device reached out to defined head-ends immediately after initialization implies that the devices are affected by this issue out of the box, and were not subsequently compromised through other means, such as through a subsequent update.”
One BitSight researcher took to Twitter to describe the scope of the vulnerability:
"@dangoodin001 We're seeing lots of connections coming from all sorts of sectors, including healthcare, government and banking. Scary stuff." — João Gouveia (@jgouv), November 18, 2016
The man-in-the-middle (MITM) attack that is possible with this type of exploit is compounded by the fact that Ragentek does not encrypt communications sent to and from affected Android devices. Even more damning is the fact that code-signing is also not employed, which would allow a remote attacker to execute malicious code with root privileges using the over-the-air update mechanism.
Of the nearly 3 million Android devices that are affected, 55 different models are caught up in the mix. Unfortunately for BLU, whose devices were fingered in last week’s exploit, six of its current models are affected by this firmware malady. In fact, BitSight’s examination of the MITM attack took place on a BLU Studio G, which was purchased from Best Buy. According to CERT, BLU has issued an update to address the issue on its phones.
It should be noted that while BitSight is in sole possession of two domains that are hardwired into the firmware (thus saving millions of Android users from potential attacks), there is still one registered domain that could leave users open to attack.