At a time when every day seems to bring more bad news about cyber security in the context of our nation’s critical infrastructure – foreign invasion of industrial control systems, national election tampering by outsiders, challenges retaining cyber talent in our agencies – it was refreshing to see a serious effort funded by the Department of Homeland Security (DHS) highlighted at DEFCON, the flagship conference for researchers focused on offensive exploits that took place earlier this month in Las Vegas.
Specifically, Kryptowire, a commercial offshoot of the Center for Assurance Research and Engineering (CARE) at George Mason University, successfully reported a serious exploitable weakness in commercially available Android devices. Led by professor Angelos Stavrou, Kryptowire is funded by the DHS Science and Technology (S&T) Directorate, and has built up a solid reputation in high-assurance mobile computing security.
What Kryptowire discovered requires a bit of background to fully appreciate. Recognize first that when university professors like myself teach graduate students about the holy grail of cyber exploits, we tend to focus on the attainment of three capabilities during an offensive engagement: the ability to execute privileged commands, the ability to read information and logs, and the ability to modify information and commands.
What we teach our students is that when a targeted resource becomes vulnerable to these types of controls, then a truly serious compromise has occurred. And, worse, when these controls are obtained remotely, the result – unless quickly rectified – is game-over from the perspective of the cyber offense. What the Kryptowire team demonstrated was precisely these types of controls, achieved through pre-installed apps on Android devices from major carriers.
The specific devices addressed include Android models from Asus, LG, and China-based ZTE. The core issue is that these original equipment manufacturers (OEMs) always make software changes to the open Android operating system to differentiate their mobile solution. It is when these software changes include bad code that the problems arise – and there is little Google or any carrier can do about it, other than to coordinate over-the-air patch updates for users.
The technique used to detect these Android problems, which exist out of the box when consumers and businesses purchase the devices, involved a type of firmware scanning tool that permits focused examination of the mobile device, like looking through a microscope, so to speak. This supports the deep cyber forensic analysis required to detect exploitable vulnerabilities that might otherwise remain hidden. The mobile security community has clearly benefited from the work.
What U.S. taxpayers should recognize is that companies like Kryptowire will often have trouble, in my opinion – which is based on my direct observation of thousands of security start-ups over the years – obtaining sufficient commercial seed funding to build these types of advanced tools. Firmware scanning is such a niche opportunity – albeit an important one – that DHS S&T does a great service by supporting such work. This is our government operating at its best.
If you’d like to learn more about this specific mobile ecosystem vulnerability, additional detailed information is available from Kryptowire on their website. And if you’d like to learn more about the DHS S&T program and how you might get involved in their research and development program (I’ve been a speaker at their fine annual cyber showcase in the past), then check out the information available on their website.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.