Exploit resellers report glut of iOS vulnerabilities, will pay more for Android bugs

Posted:
in iOS edited September 3
Software vulnerability brokers have lowered payout rates for iOS exploits, saying a recent "flood" of iPhone zero-days makes the bugs less valuable than comparable attacks designed to penetrate Android.

iOS Exploit


Exploit reseller Zerodium on Tuesday announced higher going rates for Android vulnerabilities, with the firm now paying out up to $2.5 million for so-called zero-click zero-days, reports Motherboard.

As the value of Android exploits increases, the market health of zero-days designed to thwart iOS protections stagnates due to what can be characterized as a supply glut. Zerodium, for example, pays out $2 million for zero-click vectors targeting iPhone, and decreased payouts for one-click attacks from $1.5 million to $1 million, the report said.

Zero-click exploits refer to vulnerabilities that can be leveraged to hack a device without user interaction, while zero-days are defined as bugs, exploits and other flaws that are as yet unknown to platform operators. Zero-days are particularly prized assets for hackers -- both lawful and nefarious -- looking to break into locked-down devices like iPhone.

"The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due [to] a lot of security researchers having turned their focus into full time iOS exploitation," said Zerodium founder Chaouki Bekrar. "They've absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we're starting to refuse some of them."

The director of exploit buyer Crowdfense, Andrea Zapparoli Manzoni, agrees with Bekrar's assessment of the market, but notes not all iOS chains are "intelligence-grade." Still, it appears the supply of vulnerabilities more than sates demand.

Bekrar added that Android is becoming increasingly difficult to crack, in part due to fragmentation. The multi-version, multi-device nature of Google's operating system has long been considered a weakness in terms of consistency and stability, but it is this very "feature" that might prove useful in protecting against widespread attack, the report said.

"Android is such a fragmented landscape that a 'universal chain' is almost impossible to find; much harder than on iOS which is a 'monoculture,'" said Zapparoli Manzoni.

Bekrar elaborated, saying Android's constantly improving security is making bug discovery more difficult for researchers. He seemingly implies Apple is not keeping pace with its iOS efforts.

"The security of Android is however improving with every new OS release. It's very hard and time consuming to develop full Android exploit chains and it's even harder for zero-click vectors (not requiring any user interaction)," Bekrar said. "We believe that the time has come to pay the highest bug bounty for Android exploits until Apple re-improves the security of iOS components such as Safari and iMessage."

As noted by Motherboard, brokers like Zerodium and Crowdfense comprise only a subsection of a much wider market dealing in software vulnerabilities. Other players include firms who broker deals solely with law enforcement and government agencies, regional research firms and rogue actors.

Zerodium's new bounty pricing arrives days after Google's Project Zero announced the discovery of a massive iPhone hacking operation. Over a period of what is thought to be years, a series of hacked websites took advantage of multiple vulnerabilities to disseminate a software implant capable of swiping sensitive user information and tracking the location of modern iPhones running the latest versions of iOS.

A follow-up report claimed the Chinese government used the hack to monitor Uyghur Muslims.

Comments

  • Reply 1 of 20
    It’s not as if Apple would have difficulty attracting talent and hiring them. I wonder why they’re dropping the ball on exploits. They should be leading the pack.
    cat52tyler82
  • Reply 2 of 20
    I have no doubt there’s a large number of zero day exploits out there (over the course of a year). But, I’m not buying what this guy is selling.

    The goal is to infect the most number of devices, that determines the “value” of an exploit.  There are more Android devices out there so naturally they’re worth more.  There’s no “glut” of iOS exploits affecting price.

    The easy way to attack any device with a browser is the browser itself.  The question is if social engineering is even easier with a browser, getting people to go to infected sites, or to download an infected app.

    Is Apple’s “walled garden” App Store still better?  Probably...

    Google does spend quite a bit on security, so it’s possible they’ve done a better job sandboxing the apps.  But, it’s not likely given they’re given deeper access to the system.

    The biggest suspect thing that was said was about the fragmentation of Android being a positive.  That has to be B.S.  There’s a huge number of Android devices not getting updates, that means any exploit is going to have longer legs.  If the fragmentation is referring to hardware, then it’s possible.  Hardware related exploits would be the most difficult to find.  So, while Apple would be more effected by an exploit, I’d think the number of exploits found would be small.

    My main takeaway is Apple needs to focus on browser security.  Last I checked, iOS device users are heavy browser users, so the importance of making Safari rock solid (with regards to security) can’t be understated.  All the browsers on iOS use the same underpinnings unlike Android so that’s a huge potential problem.

    Safari also does not allow browser plugins on iOS.  Many of those plugins improve the browsers security (like NoScript).  Apple has talked about a “desktop class browser” on iPad OS...so maybe that will change.
  • Reply 3 of 20

    The biggest suspect thing that was said was about the fragmentation of Android being a positive.  That has to be B.S.  There’s a huge number of Android devices not getting updates, that means any exploit is going to have longer legs.  If the fragmentation is referring to hardware, then it’s possible.  Hardware related exploits would be the most difficult to find.  So, while Apple would be more effected by an exploit, I’d think the number of exploits found would be small.

    Too much to unpack so I'll look at one issue.  That's not BS.  Fragmentation is not about hardware.  It's about OS.  Very few devices run pure Android.  In fact, most don't.   Most actually run Samsung's flavor, some generic knockoff, or in the case of China, one of their branded offshoots.  So a vulnerability in pure Android might/might not affect Sammy's phones, might/might not affect LG's phones, and same with any of the Chinese variants.  Haven't even mentioned Amazon's flavor of Android.  Android vulnerabilities can sometime require a bit of specificity because there is no one version that rules them all.  Add to that vulnerabilities can sometimes be update specific and you have a veritable guessing game of which freakin' version of Android is vulnerable to what.
    muthuk_vanalingamgatorguyFileMakerFeller
  • Reply 4 of 20
    seanismorris, I agree with you that many of the inferences in the article are poorly justified and not credible.  The claim that a “glut” of exploits for iOS is responsible for the lower price of exploits being sold suggests that there is a limited budget for such sales and the prices fall when there are too many of them.  I don’t think that there is evidence for such market limits.  

    One would also imagine that the more malicious and damaging the exploits, the higher price that organizations would pay for them, suggesting that Android exploits are more malicious and damaging.  

    As you point out, the other reason why prices for Android exploits are high is because there are more Android users.  

    More exploits for iOS is consistent with the greater wealth of iOS users.  The fact that Apple responds quickly to the presence of exploits and almost all iOS users upgrade their operating systems relatively quickly means that exploits are more rapidly and definitively neutralized, reducing their value.
    edited September 4 cornchipuraharalolliver
  • Reply 5 of 20
    wisey said:
    seanismorris, I agree with you that many of the inferences in the article are poorly justified and not credible.  The claim that a “glut” of exploits for iOS is responsible for the lower price of exploits being sold suggests that there is a limited budget for such sales and the prices fall when there are too many of them.  I don’t think that there is evidence for such market limits.  

    One would also imagine that the more malicious and damaging the exploits, the higher price that organizations would pay for them, suggesting that Android exploits are more malicious and damaging.  

    As you point out, the other reason why prices for Android exploits are high is because there are more Android users.  

    More exploits for iOS is consistent with the greater wealth of iOS users.  The fact that Apple responds quickly to the presence of exploits and almost all iOS users upgrade their operating systems relatively quickly means that exploits are more rapidly and definitively neutralized, reducing their value.
    Definitively neutralized... Until they come back! :smile: Just kidding, even though, that actually happened a few weeks ago. I wish Apple would start to care a bit more about the quality of its expensive products. EDIT: typo.
    edited September 4 superkloton
  • Reply 6 of 20
    wisey said:
    seanismorrisMore exploits for iOS is consistent with the greater wealth of iOS users.  The fact that Apple responds quickly to the presence of exploits and almost all iOS users upgrade their operating systems relatively quickly means that exploits are more rapidly and definitively neutralized, reducing their value.
    I am not sure two years are rapid. This particularly hack could be here since iOS 10. They are rapid if they know.

    It is not pleasant feeling that hacker has more freedom then me on device, I know there is nothing like completely safe software. It is process.

  • Reply 7 of 20
    Prices drop maybe because those “exploits” are mostly useless?
    edited September 4 lolliverFileMakerFeller
  • Reply 8 of 20
    gatorguygatorguy Posts: 21,106member
    wisey said:
    seanismorris, I agree with you that many of the inferences in the article are poorly justified and not credible.  The claim that a “glut” of exploits for iOS is responsible for the lower price of exploits being sold suggests that there is a limited budget for such sales and the prices fall when there are too many of them.  I don’t think that there is evidence for such market limits.  

    One would also imagine that the more malicious and damaging the exploits, the higher price that organizations would pay for them, suggesting that Android exploits are more malicious and damaging.  

    As you point out, the other reason why prices for Android exploits are high is because there are more Android users.  

    More exploits for iOS is consistent with the greater wealth of iOS users.  The fact that Apple responds quickly to the presence of exploits and almost all iOS users upgrade their operating systems relatively quickly means that exploits are more rapidly and definitively neutralized, reducing their value.
    Well, it certainly was not true less than a year ago.
    https://appleinsider.com/articles/19/01/10/zerodium-hikes-bounties-for-apple-vulnerabilities-to-as-high-as-2m

    There's been more Android users for years and they've typically had more money too but Zerodium has previously been paying out more (sometimes FAR more) for iOS exploits. So for you to be correct something has changed. What do you think it is? 

    edited September 4
  • Reply 9 of 20
    Just a reminder that exploit costs are to be amortised over the user base. An exploit for a smaller potential base attracts less than the same for a larger potential exploit base.
    lolliver
  • Reply 10 of 20
    gatorguygatorguy Posts: 21,106member
    Just a reminder that exploit costs are to be amortised over the user base. An exploit for a smaller potential base attracts less than the same for a larger potential exploit base
    Wasn't that just as true in years past when Zerodium was (potentially) paying out far more for iOS exploits? Posters here used that fact used to ridicule the security of Android and use it as "proof" that exploits for that platform were a dime a dozen and of course not worth much. Now that Android OS exploits might be more rare and valuable than those for iOS why wouldn't those same arguments those AI posters used be valid now? Personally I don't believe they ever were just as I argued at the time. Where's @NHT and @ericthehalfbee?
    edited September 4 muthuk_vanalingamGulaak
  • Reply 11 of 20
    lkrupplkrupp Posts: 7,311member
    georgie01 said:
    It’s not as if Apple would have difficulty attracting talent and hiring them. I wonder why they’re dropping the ball on exploits. They should be leading the pack.
    Any reason you put your faith in and believe what criminals have to say about iOS? These guys have vastly inflated egos and like to brag and exaggerate about their exploits, like those YouTube losers who claim you can break into a locked iPhone with a couple of button presses. If that were the case then why is law enforcement upset about not being able to get into iPhones?
    edited September 4 lolliver
  • Reply 12 of 20
    lkrupplkrupp Posts: 7,311member
    gatorguy said:
    Just a reminder that exploit costs are to be amortised over the user base. An exploit for a smaller potential base attracts less than the same for a larger potential exploit base
    Wasn't that just as true in years past when Zerodium was (potentially) paying out far more for iOS exploits? Posters here used that fact used to ridicule the security of Android and use it as "proof" that exploits for that platform were a dime a dozen and of course not worth much. Now that Android OS exploits might be more rare and valuable than those for iOS why wouldn't those same arguments those AI posters used be valid now? Personally I don't believe they ever were just as I argued at the time. Where's @NHT and @ericthehalfbee?
    On yesterday’s MacBreak Weekly show Lory Gil, senior editor at iMore, put it best when the topic of Google’s zero-day report came up. She said Apple’s marketing emphasis on security and privacy is inviting the entire world of both good and bad actors to say in effect, “Oh yeah, let’s just see about that.” The incentive to knock Apple off its high horse on this matter is like waving a red cape at an enraged bull. Apple has because its own propaganda placed a giant target on its back and the security crowd is foaming at the mouth to take Apple down a notch or two. Worse, the typical iOS user has bought into this propaganda that iOS is impenetrable and they don't have to worry about security if they just keep their software up to date. In the matter of security it would appear the emperor has no clothes.
    muthuk_vanalingam
  • Reply 13 of 20
    patsupatsu Posts: 430member
    gatorguy said:
    Just a reminder that exploit costs are to be amortised over the user base. An exploit for a smaller potential base attracts less than the same for a larger potential exploit base
    Wasn't that just as true in years past when Zerodium was (potentially) paying out far more for iOS exploits? Posters here used that fact used to ridicule the security of Android and use it as "proof" that exploits for that platform were a dime a dozen and of course not worth much. Now that Android OS exploits might be more rare and valuable than those for iOS why wouldn't those same arguments those AI posters used be valid now? Personally I don't believe they ever were just as I argued at the time. Where's @NHT and @ericthehalfbee?
    The payout for so-called Android full exploits is just marketing fluff. Hackers don’t have to deliver 1 chain for _all_ Android devices. For mass hacking, they only need to target a handful of brands and can reach most users, which is easy. Zerodium will still pay for them, but significantly cheaper; still dead effective against users though. For high value vertical industries like banking, they target Android and Windows app weaknesses, especially those white box applications. There are too many integration points in these Android and Windows roll outs because they are fragmented. Even though Google try to pull a fast one by just focusing on a small part (just Android vanilla OS), in reality because many 3rd parties modules, extensions need to work together, it is trivial to find the exploits in these mishmash of software. It’s all part of the user stack even though Google doesn’t (want to) count them.

    iOS security is still stronger because of tighter policies. Safari and iMessage can be improved as quickly and targeted as exploits show up. There is nothing inherently weak about Apple’s update strategies. They can release more frequent update if they want to.

    For the recent Uighur hacks, the hackers had to chain together 14 iOS exploits. That’s a long chain and will use up the number of exploits quickly. Android and Windows are also hacked but the developer community did not get a chance to fix them since the attacks had been dismantled when the iOS hack was discovered (more people scrutinizing iOS). So the vulnerabilities still exist, and we don’t know how easy it is. It may very well be shorter exploit chains but more variety of them. I did a quick check, the iOS exploits in this Uighur hack were fixed more than half a year ago in 12.1.4.

    Apple recently beefed up their bug bounty program. This has also generated huge interests amongst the hackers community. After all, everyone knows Apple has deep pocket. So it is not surprising to have so many submissions these days. Some of them are not good enough to receive payouts from Apple or other buyers, and it will result in people shopping around for payment, submitting duplicated findings. Once the bug bounty program (and of course fixes) kick into high gear, we will have a better idea of the run rate for such things.

    Not to mention hardware security. Most software centric companies ignore these hardware and firmware exploits because they don’t play in this area well. So they barely get any mention in the software heavy blogosphere, but Apple’s hardware security is unmatched so far. Take a look at the T2 chip, and other UEFI work done by their teams. It is a cat and mouse game, but Apple’s approach in integrating software and hardware security is pretty interesting so far. We’ll get to see how things evolve in the long run.

    Coincidentally, a new ”Android” exploit today, from the manufacturers:
    https://apple.news/AgUqxXGueSJG68z0oX2oEJA
    edited September 4 lostkiwilolliver
  • Reply 14 of 20
    lkrupplkrupp Posts: 7,311member
    frantisek said:
    wisey said:
    seanismorrisMore exploits for iOS is consistent with the greater wealth of iOS users.  The fact that Apple responds quickly to the presence of exploits and almost all iOS users upgrade their operating systems relatively quickly means that exploits are more rapidly and definitively neutralized, reducing their value.
    I am not sure two years are rapid. This particularly hack could be here since iOS 10. They are rapid if they know.

    It is not pleasant feeling that hacker has more freedom then me on device, I know there is nothing like completely safe software. It is process.

    But Apple didn’t know. Google’s team notified Apple in February of this year and gave Apple 7 days to fix it. Apple did exactly that. Now, seven months later Google’s team puts out this report and claims these exploits have been around for years. How does Google know that and if they did why didn’t they notify Apple sooner?

    But bottom line Apple has the ability and almost infinite resources to create its own zero-day research team that is entirely focused on iOS, tvOs, macOS, iPadOS, watchOS. They could hire the very best white and black hats on the planet and pay them well to remain on task and loyal. Apple was recently shamed into creating a bug bounty program that pays decent money for exploits. Maybe they will be shamed into not relying on Google for researching and reporting exploits.
    edited September 4 muthuk_vanalingam
  • Reply 15 of 20
    A few things.

    • If they are turning people away doesn't that imply that more than one team discovered the same exploit? Once you've paid someone for an exploit you're not going to pay another team for the same exploit.
    • Or will you? You can't really tell the second or third team that you've already paid someone. The whole point of a zero-day is having an exploit that's a "secret" so it can be sold to a government or other group that's willing to pay for an unknown zero-day. If you tell them then they might sell it to someone else and suddenly your zero-day is worth much less because the chances it gets discovered goes up substantially if more than one group knows about it.
    • Or do you pay them "less" so you can keep the exploit to yourself and avoid this risk.
    • For the people who are turned away, what do they do? They want money for their efforts so where to go? To another group that buys exploits? Do all these groups talk together? What's to stop a team from selling the same exploit to 2 or 3 vendors and maximizing their profit?
    • Then we have Apple. They also pay for exploits, though not as much as these vendors do. If you're turned away then I can see them going straight to Apple to "get what they can". So by turning people away I think the chances Apple becomes aware of more exploits goes up.
    • Another possibility is people coming to them with minor exploits that simply aren't worth the money and don't work as intended (this was hinted at by Crowdfense saying not all are "intelligence grade". If they're not that valuable then by definition they aren't a risk to users.

  • Reply 16 of 20
    gatorguygatorguy Posts: 21,106member
    A few things.

    • If they are turning people away doesn't that imply that more than one team discovered the same exploit? Once you've paid someone for an exploit you're not going to pay another team for the same exploit.
    • Or will you? You can't really tell the second or third team that you've already paid someone. The whole point of a zero-day is having an exploit that's a "secret" so it can be sold to a government or other group that's willing to pay for an unknown zero-day. If you tell them then they might sell it to someone else and suddenly your zero-day is worth much less because the chances it gets discovered goes up substantially if more than one group knows about it.
    • Or do you pay them "less" so you can keep the exploit to yourself and avoid this risk.
    • For the people who are turned away, what do they do? They want money for their efforts so where to go? To another group that buys exploits? Do all these groups talk together? What's to stop a team from selling the same exploit to 2 or 3 vendors and maximizing their profit?
    • Then we have Apple. They also pay for exploits, though not as much as these vendors do. If you're turned away then I can see them going straight to Apple to "get what they can". So by turning people away I think the chances Apple becomes aware of more exploits goes up.
    • Another possibility is people coming to them with minor exploits that simply aren't worth the money and don't work as intended (this was hinted at by Crowdfense saying not all are "intelligence grade". If they're not that valuable then by definition they aren't a risk to users.

    So it was never about insecure Android to begin with? That's what I've consistently said, but you strongly disagreed:
     "...iOS is far more secure than Android, hence the higher maximum payouts......why would you pay for exploits for Android when there are already several to choose from that still work? And even if discovered they will continue to work for some time on the majority of Android devices."

    IMO that was never valid to begin with. I suspect we now agree. 
  • Reply 17 of 20
    Oh the irony. This is both funny and worrisome. Good for jailbreaking though and I love jailbreaking.
  • Reply 18 of 20
    gatorguy said:
    A few things.

    • If they are turning people away doesn't that imply that more than one team discovered the same exploit? Once you've paid someone for an exploit you're not going to pay another team for the same exploit.
    • Or will you? You can't really tell the second or third team that you've already paid someone. The whole point of a zero-day is having an exploit that's a "secret" so it can be sold to a government or other group that's willing to pay for an unknown zero-day. If you tell them then they might sell it to someone else and suddenly your zero-day is worth much less because the chances it gets discovered goes up substantially if more than one group knows about it.
    • Or do you pay them "less" so you can keep the exploit to yourself and avoid this risk.
    • For the people who are turned away, what do they do? They want money for their efforts so where to go? To another group that buys exploits? Do all these groups talk together? What's to stop a team from selling the same exploit to 2 or 3 vendors and maximizing their profit?
    • Then we have Apple. They also pay for exploits, though not as much as these vendors do. If you're turned away then I can see them going straight to Apple to "get what they can". So by turning people away I think the chances Apple becomes aware of more exploits goes up.
    • Another possibility is people coming to them with minor exploits that simply aren't worth the money and don't work as intended (this was hinted at by Crowdfense saying not all are "intelligence grade". If they're not that valuable then by definition they aren't a risk to users.

    So it was never about insecure Android to begin with? That's what I've consistently said, but you strongly disagreed:
     "...iOS is far more secure than Android, hence the higher maximum payouts......why would you pay for exploits for Android when there are already several to choose from that still work? And even if discovered they will continue to work for some time on the majority of Android devices."

    IMO that was never valid to begin with. I suspect we now agree. 

    No we don't agree. Android is inferior to iOS for security and privacy. This is not an opinion but a basic fact. A temporary change in the market prices for zero-day exploits doesn't change this fact, as much as you're hoping it does. Although I understand the desire to try and rub this in the faces of iOS users. After being proven a liar and a shill for so long you have to take these "supposed" victories anytime you can.

    Care to discuss the underlying architecture of Android vs iOS and discuss security from that viewpoint?
    edited September 4 lolliver
  • Reply 19 of 20
    gatorguygatorguy Posts: 21,106member
    gatorguy said:
    A few things.

    • If they are turning people away doesn't that imply that more than one team discovered the same exploit? Once you've paid someone for an exploit you're not going to pay another team for the same exploit.
    • Or will you? You can't really tell the second or third team that you've already paid someone. The whole point of a zero-day is having an exploit that's a "secret" so it can be sold to a government or other group that's willing to pay for an unknown zero-day. If you tell them then they might sell it to someone else and suddenly your zero-day is worth much less because the chances it gets discovered goes up substantially if more than one group knows about it.
    • Or do you pay them "less" so you can keep the exploit to yourself and avoid this risk.
    • For the people who are turned away, what do they do? They want money for their efforts so where to go? To another group that buys exploits? Do all these groups talk together? What's to stop a team from selling the same exploit to 2 or 3 vendors and maximizing their profit?
    • Then we have Apple. They also pay for exploits, though not as much as these vendors do. If you're turned away then I can see them going straight to Apple to "get what they can". So by turning people away I think the chances Apple becomes aware of more exploits goes up.
    • Another possibility is people coming to them with minor exploits that simply aren't worth the money and don't work as intended (this was hinted at by Crowdfense saying not all are "intelligence grade". If they're not that valuable then by definition they aren't a risk to users.

    So it was never about insecure Android to begin with? That's what I've consistently said, but you strongly disagreed:
     "...iOS is far more secure than Android, hence the higher maximum payouts......why would you pay for exploits for Android when there are already several to choose from that still work? And even if discovered they will continue to work for some time on the majority of Android devices."

    IMO that was never valid to begin with. I suspect we now agree. 

    No we don't agree. Android is inferior to iOS for security and privacy. This is not an opinion but a basic fact. A temporary change in the market prices for zero-day exploits doesn't change this fact, as much as you're hoping it does. Although I understand the desire to try and rub this in the faces of iOS users. After being proven a liar and a shill for so long you have to take these "supposed" victories anytime you can.

    Care to discuss the underlying architecture of Android vs iOS and discuss security from that viewpoint?
    You claimed that Zerodium paying more for iOS exploits than for Android was proof of just how insecure Android is. Either the amount they're willing to pay is proof or isn't. So which is it?

    Sure, if you want to discuss the relative security of both platforms have at it, but in a different thread please. Create one and let me know where to find it. This one isn't about which OS is more secure, just whether either one is insecure and if the amount paid for exploits proves it either way as you've often claimed.
    edited September 4 muthuk_vanalingamCloudTalkin
  • Reply 20 of 20
    gatorguygatorguy Posts: 21,106member
    patsu said:
    gatorguy said:
    Just a reminder that exploit costs are to be amortised over the user base. An exploit for a smaller potential base attracts less than the same for a larger potential exploit base
    Wasn't that just as true in years past when Zerodium was (potentially) paying out far more for iOS exploits? Posters here used that fact used to ridicule the security of Android and use it as "proof" that exploits for that platform were a dime a dozen and of course not worth much. Now that Android OS exploits might be more rare and valuable than those for iOS why wouldn't those same arguments those AI posters used be valid now? Personally I don't believe they ever were just as I argued at the time. Where's @NHT and @ericthehalfbee?
    The payout for so-called Android full exploits is just marketing fluff. 

    Coincidentally, a new ”Android” exploit today, from the manufacturers:
    https://apple.news/AgUqxXGueSJG68z0oX2oEJA
    Except it's not an Android exploit. It's an issue involving four specific phone manufacturers where the OS was not the root cause:

    "Check Point researchers said they found that four smartphone makers have not implemented this standard (OMA CP) in a secure manner on their devices.

    Researchers said they were able to send OMA CP messages to devices from Samsung, Huawei, LG, and Sony, which accepted these messages, even if it didn't come from a trusted source.

    Of the four phone brands, the easiest devices to attack were Samsung smartphones. Check Point said this was because Samsung phones accepted any kind of OMA CP message, with no authentication or verification mechanism in place"

    "The good news is that three of the vendors have patched or are in the process of patching this attack vector, after first being notified of the issue in March this year.

    • Samsung included a fix addressing this phishing flow in their Security Maintenance Release for May (SVE-2019-14073)
    • LG released their fix in July (LVE-SMP-190006)
    • Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones.

    Sony is the only vendor which did not ship a fix."

    edited September 4 CloudTalkinFileMakerFeller
Sign In or Register to comment.