Devices examined by the researchers include the Huawei Mate 9 Pro, the Samsung Galaxy S9, and the Xiaomi Mi 9. The exploitation process for the vulnerabilities and configuration issues, as well as the impact, varies from device to device. What makes the discoveries significant is the implication that devices sold globally offer different levels of security to users in different countries. Depending on the way vendors configure devices, this can essentially lower security standards for some people but not others.
According to F-Secure Consulting’s UK Director of Research James Loureiro, the presence of these security issues on popular devices exposes the significant security challenges caused by the spread of customized Android implementations.
“Devices which share the same brand are assumed to run the same, irrespective of where you are in the world – however, the customization done by third party vendors such as Samsung, Huawei and Xiaomi can leave these devices with significantly poor security dependent on what region a device is set up in or the SIM card inside of it,” said Loureiro. “Specifically, we have seen devices that come with over 100 applications added by the vendor, introducing a significant attack surface that changes by region.”
For example, the Samsung Galaxy S9 detects the region that the SIM card is operating in, which influences how the device behaves. F-Secure Consulting found that they could exploit an application to take full control of the device when the Samsung device’s code detected a Chinese SIM card, but not SIM cards from other countries.
Research conducted on Xiaomi and Huawei mobile phones found similar issues. In both cases, the researchers were able to compromise the devices due to region-specific settings (China for the Huawei Mate 9 Pro, and China, Russia, India, and others for the Xiaomi Mi 9).
F-Secure Consulting discovered the vulnerabilities over the course of several years while conducting research in preparation for Pwn2Own – a bi-annual hacking competition where teams of hackers attempt to compromise various devices through the exploitation of previously undiscovered vulnerabilities (zero-days).
F-Secure Consulting Senior Security Researcher Mark Barnes says these discoveries highlight a new, potentially very insightful, area of vulnerability research.
“Finding problems like these on multiple well-known handsets shows this is an area that the security community needs to look at more carefully,” said Barnes. “Our research has given us a glimpse of just how problematic the proliferation of custom-Android builds can be from a security perspective. And it’s really important to raise awareness of this amongst device vendors, but also large organizations with operations in several different regions.”
F-Secure Consulting demonstrated attacks using these vulnerabilities at several different Pwn2Own competitions and shared their research with the Zero Day Initiative (Pwn2Own’s organizer) and the participating device vendors. All vulnerabilities used in the attacks have been patched.
F-Secure Consulting operates on four continents from 11 different countries. It provides cyber security services tailored to fit the needs of banking, financial services, aviation, shipping, retail, insurance, and other organizations working in highly targeted sectors. More information on F-Secure Consulting is available here.
More information on the research is available on F-Secure’s blog.
Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response, utilizing hundreds of our industry’s best technical consultants, millions of devices running our award-winning software, and ceaseless innovations in artificial intelligence. Top banks and enterprises trust our commitment to beating the world’s most potent threats. Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need.
Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.