It is not uncommon for security researchers to discover backdoors in devices. Oftentimes, these backdoors are in the firmware of cheaply made devices by third-party vendors. There tends to be less oversight in the manufacturing of these products, and as such it is common for the backdoor to be discovered after being on the market a while. Such is the case with a new backdoor discovered by AnubusNetworks.
In a report published on Nov. 17, AnubusNetworks researchers analyzed in detail a backdoor in Android devices that leaves users open to Man-In-The-Middle attacks. The main cause appears to be “an insecure implementation of an OTA (Over-the-air) mechanism for device updates,” which allows for unencrypted transmissions of user data (seen in the MITM attack) and commands to the system as a privileged user.
The OTA updates are created by Ragentek Group, which is a software company based out of Shanghai, China. Additionally, the devices that contain this firmware include nearly all low-cost manufacturers such as BLU Studio, Infinix, DOOGEE, and LEAGOO. AnubusNetworks noted that they have been attempting to work with all the vendors mentioned, but only BLU Studio at this point has been responsive.
Through the work with BLU, AnubusNetworks was able to analyze a particular device, the BLU Studio G, and learn a great deal in terms of how the backdoor functions. Additionally, as a result of the research, BLU Studio has confirmed that they are working on an update that fixes this massive vulnerability.
It is not known at this time how other vendors are responding to the firmware issue, but AnubusNetworks reports that both Google and CERT have done everything in their power to inform all affected parties. It is important to keep in mind that, should you have a device affected by this backdoor, you need to be mindful of the data you are sending. Until this is patched, assume sensitive data is being sent in an unencrypted format that can be easily picked up by an attacker.
Photo credit: Electronic Frontier Foundation