In an analysis of Duo’s dataset of Android phones used as a second factor for two-factor authentication, we found that 60 percent were vulnerable to these attacks because they had not installed the Android monthly security patch released in January 2016, the update in which Google fixed the first attack (CVE-2015-6639).
Yesterday, Gal announced and demonstrated another serious attack on the same group of affected phones, this time bypassing the phone’s full disk encryption. To execute it, an attacker could exploit CVE-2016-2431, also discovered by Gal, to escalate through the layers of trust and privilege that are meant to ensure only legitimate code can access secret material such as DRM or disk encryption keys.
This attack was patched in the May security update. Duo Labs recently analyzed our dataset again to measure how many of these phones would be vulnerable to the most recent attack because they haven’t installed the May update.
Compared with the 60% of Android phones that were vulnerable to the January attack, the security posture of our dataset has improved slightly: 57% of Android phones are vulnerable to the latest attack.
One of the most popular phone models in our dataset, Galaxy S6, improved significantly from 0% patched (January update) to 75% patched (May update, including all prior updates). With 75% of Galaxy S6s up-to-date, Duo Labs puts it up on the same pedestal as the Nexus series, which were also around 75% patched. Improvement in the security posture of the Galaxy S6 has a substantial impact on overall results, as it dominates our dataset of over 500,000 phones.
Galaxy S5 phones showed a similar, though less dramatic improvement, going from 0.2% patched to 45% patched. Given these improvements in the security stance of Samsung phones, we’re hopeful that Samsung will continue this trend of rolling out security updates at a rapid rate.
Duo recommends that users patch their phones, which is no surprise. If your manufacturer has not yet made patches available, put some pressure on them to do so. As always, the only Android devices we can recommend without major reservations are Nexus and, now, Samsung devices, provided they keep releasing those security updates quickly.
For IT and security folks reading this who are about to have strokes thinking of all the personal devices hitting business applications and VPNs on their corporate networks, we state once again the importance of having visibility and insight into the security health of those devices.
Using an endpoint visibility solution, you can detect devices (managed and unmanaged) that are missing important security updates before they access your applications, and set policies that block vulnerable devices from putting your data at risk. That way, you can identify and quickly notify users who may not realize their Android phones are vulnerable to these attacks.
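To make that policy concrete, here is a small added example of the check itself. It is written for this post and is not Duo's product code or anything from the original article. It assumes an inventory in which each device reports its Android security patch level as collected from the system property ro.build.version.security_patch (for example via `adb shell getprop ro.build.version.security_patch`, a YYYY-MM-DD string that is absent on builds older than Android 6.0), and it treats the May 2016 patch level, which carries the fix for CVE-2016-2431, as the minimum. The device records below are constructed sample data, not real Duo measurements.

```python
from datetime import date, datetime

# Patch level that ships the fix for CVE-2016-2431 (Android May 2016 bulletin).
# Assumption for this example: anything older is treated as vulnerable.
REQUIRED_PATCH_LEVEL = date(2016, 5, 1)

# Constructed sample inventory (not real Duo data). patch_level is what
# `adb shell getprop ro.build.version.security_patch` would return; None
# models a pre-Android-6.0 build where the property does not exist, and
# "2016-05" models a truncated or malformed report.
SAMPLE_DEVICES = [
    {"id": "dev-001", "model": "Nexus 6P", "patch_level": "2016-05-01"},
    {"id": "dev-002", "model": "Galaxy S6", "patch_level": "2016-04-01"},
    {"id": "dev-003", "model": "Galaxy S5", "patch_level": None},
    {"id": "dev-004", "model": "Galaxy S6", "patch_level": "2016-06-01"},
    {"id": "dev-005", "model": "Nexus 5X", "patch_level": "2016-05"},
]


def parse_patch_level(value):
    """Return the reported patch level as a date, or None if missing/malformed."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def evaluate_device(device, required=REQUIRED_PATCH_LEVEL):
    """Decide allow/block for one device and record the reason.

    Fail closed: a device that reports no patch level (or an unparseable one)
    cannot be shown to carry the fix, so it is blocked rather than allowed.
    """
    level = parse_patch_level(device.get("patch_level"))
    if level is None:
        reason = "patch level not reported or unparseable; treated as unpatched"
        return {"id": device["id"], "decision": "block", "reason": reason}
    if level < required:
        reason = "patch level %s predates required %s" % (level, required)
        return {"id": device["id"], "decision": "block", "reason": reason}
    reason = "patch level %s meets required %s" % (level, required)
    return {"id": device["id"], "decision": "allow", "reason": reason}


def apply_policy(devices, required=REQUIRED_PATCH_LEVEL):
    """Evaluate an inventory: allowed ids, blocked ids with reasons, vulnerable share."""
    results = [evaluate_device(d, required) for d in devices]
    allowed = [r["id"] for r in results if r["decision"] == "allow"]
    blocked = {r["id"]: r["reason"] for r in results if r["decision"] == "block"}
    share = 100.0 * len(blocked) / len(devices) if devices else 0.0
    return {"allowed": allowed, "blocked": blocked, "percent_vulnerable": round(share, 1)}


def patched_share_by_model(devices, required=REQUIRED_PATCH_LEVEL):
    """Percent of devices per model that meet the required level (the per-model view above)."""
    totals, patched = {}, {}
    for d in devices:
        model = d["model"]
        totals[model] = totals.get(model, 0) + 1
        if evaluate_device(d, required)["decision"] == "allow":
            patched[model] = patched.get(model, 0) + 1
    return {m: round(100.0 * patched.get(m, 0) / n, 1) for m, n in totals.items()}


if __name__ == "__main__":
    summary = apply_policy(SAMPLE_DEVICES)
    for dev_id in summary["allowed"]:
        print("ALLOW", dev_id)
    for dev_id, reason in summary["blocked"].items():
        print("BLOCK", dev_id, "-", reason)
    print("%.1f%% of devices vulnerable" % summary["percent_vulnerable"])
    print("patched share by model:", patched_share_by_model(SAMPLE_DEVICES))
```

Two caveats a practitioner should keep in mind. The patch level is self-reported by the OS build, so it reflects the vendor's claim about which bulletin the firmware incorporates; a rooted or tampered device can report whatever it likes, which is why the check belongs alongside other device-health signals rather than on its own. And the fail-closed handling of a missing property will block older builds that never exposed it; that is the intended behaviour here, since those builds also predate the fix, but the block reason is recorded so the user can be told why.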