Almost three million Android phones are vulnerable to code-execution attacks that remotely seize full control of the device, researchers said. Until recently, the flaw could have been exploited by anyone who registered two Internet domains that the vulnerable firmware was hardwired to contact but that had been left unregistered. IT security experts from Tripwire commented below.
Tim Erlin, Senior Director of Product Management at Tripwire:
“This certainly isn’t the first time that a tool intended for support or developers resulted in a security flaw in the shipping product. As an industry, we need to continuously learn and improve from these types of incidents.
This is a good example of where best practices around a secure software development lifecycle are vital to consumer protection. While this might not have been viewed as a vulnerability by the vendor or development team, it certainly contradicts several best practices for building secure software, including core principles around authentication, authorization and encryption of sensitive data.”
Craig Young, Security Researcher at Tripwire:
“Consumers need to push back on vendors to either release updated firmware or refund purchases of affected devices. Moving forward, the vendors must pay far more attention to supply chain security. All third-party source code needs to be vetted for intentional and unintentional security hazards.
I would also encourage network administrators to monitor their networks for requests to the domains associated with this backdoor. (This information has been published by CERT and others.) As requests are observed from employee BYODs, admins should report to the users that their device has this security flaw. Having this backdoor on phones accessing corporate data is a huge risk and those devices need to be banned from connecting to email or VPN services.”
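The monitoring Craig Young recommends above amounts to matching resolver query logs against the advisory's domain list and attributing hits to client devices. The script below is an added example written for this page, not Tripwire's or CERT's code. The two domains in WATCHLIST are hypothetical placeholders (the real ones must be taken from the published advisory), and the log lines are constructed in a BIND 9 query-log layout rather than captured from a network. It also handles the details that trip up naive grep-based checks: mixed case, a trailing dot on the query name, and subdomains of a watchlisted name.

```python
"""Flag internal hosts that resolve domains tied to a known firmware backdoor.

Added example for this page, not Tripwire's code. WATCHLIST holds placeholder
names; replace them with the domains from the published advisory. SAMPLE_LOG is
constructed, not a real capture.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Hypothetical placeholders standing in for the advisory-published domains.
WATCHLIST: Set[str] = {
    "backdoor-c2-one.example",
    "backdoor-c2-two.example",
}

# BIND 9 query log: "<date> <time> client [@0x...] <ip>#<port> (<qname>): query: <qname> IN <type> ..."
_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: "
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.Example.' compares equal to 'foo.example'."""
    return name.rstrip(".").lower()


def matches_watchlist(qname: str, watchlist: Set[str] = WATCHLIST) -> bool:
    """True if qname is a watchlisted domain or a subdomain of one (label-boundary aware)."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in watchlist)


def flag_clients(lines: Iterable[str], watchlist: Set[str] = WATCHLIST) -> Dict[str, List[str]]:
    """Map each client IP that queried a watchlisted name to the sorted names it asked for.

    Non-query lines (startup messages, other log categories) are skipped.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = _QUERY_RE.search(line)
        if not m:
            continue
        qname = normalize(m.group("qname"))
        if matches_watchlist(qname, watchlist):
            hits[m.group("ip")].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed sample log lines in BIND 9 query-log layout (not from a real network).
SAMPLE_LOG = """\
15-Nov-2016 08:02:11.402 client 10.20.4.57#49152 (backdoor-c2-one.example): query: backdoor-c2-one.example IN A + (10.20.0.53)
15-Nov-2016 08:02:11.907 client 10.20.4.57#49153 (backdoor-c2-two.example): query: backdoor-c2-two.example IN A + (10.20.0.53)
15-Nov-2016 08:02:12.118 client 10.20.7.19#53120 (mail.corp.example): query: mail.corp.example IN A + (10.20.0.53)
15-Nov-2016 08:03:40.001 client 10.20.9.88#60001 (Update.Backdoor-C2-One.Example.): query: Update.Backdoor-C2-One.Example. IN A + (10.20.0.53)
15-Nov-2016 08:04:02.556 client 10.20.4.57#49160 (www.corp.example): query: www.corp.example IN AAAA + (10.20.0.53)
"""

if __name__ == "__main__":
    for ip, names in sorted(flag_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: queried {', '.join(names)} -> notify user; block from mail/VPN until firmware is fixed")
```

Run it against the resolver's query log (`python3 flag_backdoor_dns.py < query.log` after swapping SAMPLE_LOG for `sys.stdin`) and feed the resulting IPs into DHCP or NAC records to identify the device owner, as the quote suggests. One caveat: this only sees devices that use the corporate resolver, so a phone pointed at an external DNS server will not appear here; egress firewall or proxy logs are the complementary place to look.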