DARPA-Funded Service Seeks Flaws In Smartphones

Published : 22/11/2024   Category : security


The brainchild of start-up Duo Security, the X-Ray service will let users know whether their smartphones have vulnerable systems software



Beset by malware and malicious attackers, developers in the personal-computer world have found ways to reduce the time between the release of a patch and the installation of the fix on vulnerable systems.    
With Android smartphones and tablets, however, long delays between release and installation regularly leave devices open to attack. About two-thirds of all Android smartphones, for example, are using Android version 2.3, code-named Gingerbread, a major update released more than a year-and-a-half ago, according to the Android developers dashboard. Since then, two major revisions -- not including the tablet-focused Honeycomb -- have been released to add features and fix security issues.
Companies and consumers need a way to get smartphone manufacturers and wireless carriers to fix security issues and deploy the fixes faster, says Jon Oberheide, chief technology officer for start-up Duo Security. For businesses, the situation is particularly worrisome because most firms have had to deal with workers bringing a host of mobile devices inside their corporate firewalls.
"It's not like patches for the vulnerabilities don't exist," Oberheide says. "In many cases, they've been around for six months to a year, but they just have not been rolled out."
On Monday, the start-up planned to help users get a handle on the problem, thanks to some funding from the Defense Advanced Research Projects Agency (DARPA). The company launched a service that aims to notify device owners when their system software contains unpatched flaws. Dubbed X-Ray, the service consists of an Android app that scans the system for known vulnerable system components, while unknown system files will be sent to Duo's servers for further analysis.
Once installed, the X-Ray app will probe the system and determine what software and which versions are running. Duo Security maintains a database of which software versions still contain eight major privilege escalation flaws that could allow an attacker to compromise an Android smartphone.
The app collects information on the vulnerability, device model, version of the operating system, and carrier information. Duo Security hopes to discover the size of the vulnerable Android population and how long devices in different regions remain vulnerable to known flaws. X-Ray will also be able to discover whether the manufacturers and carriers have reintroduced flaws during regularly scheduled updates.
In the first eight hours, some 15,000 people have tried the application, Oberheide says.
"We hope the data can provide a spark to get the attention of carriers," Oberheide says. "We hope that X-Ray will eventually result in better security and awareness for all mobile users."
It's an effort that other security firms see as worthwhile as well. In its own studies, mobile security firm Lookout found that the update process of different carriers varied, as did the time to patch. Making the patching process more transparent to users could create incentives for carriers to patch faster.
"Rapid access to security updates is in the best interest of the community as vulnerable devices present an opportunity for bad actors that does not need to exist," Lookout said in a statement sent to Dark Reading.
The software project is one of the first to get funding under the Cyber Fast Track program, an initiative managed by DARPA to spur innovative security research by funding small companies and individual researchers. As part of the project, the company plans to port the application to other mobile-device platforms.