LAS VEGAS--(BUSINESS WIRE)--Kryptowire discovered vulnerabilities in mobile device firmware and pre-installed mobile apps that pose a high risk for the mobile phone supply chain because they can expose consumer and enterprise data at the moment of purchase. The vulnerabilities are already present, and the user is exposed to attacks before she performs any activity such as using wireless communications or installing third-party apps. To make matters worse, firmware exploits bypass all existing defenses, including commercial Mobile Threat Detection (MTD) and mobile anti-virus technologies, because those products cannot detect vulnerabilities below the application layer and offer no protection against evolving firmware exploits.
Kryptowire will present the details of over thirty-five unique vulnerabilities affecting twenty-five Android devices, eleven of which are sold by US carriers, today at Def Con in Las Vegas. Kryptowire’s technology is capable of automatically discovering vulnerabilities from binary firmware images and applications at scale, allowing us to continuously monitor devices across different manufacturers and firmware versions. More details about these vulnerabilities will be available upon request after the Def Con presentation.
“Our researchers have extended their work that began in 2011 as a DARPA effort to automatically test the security of third-party mobile apps without access to source code. We can now do the same with mobile phone firmware,” said Angelos Stavrou, CEO of Kryptowire. “With the hundreds of mobile phone makes and models on the market and thousands of versions of firmware, best-effort manual testing and evaluations simply cannot scale to address the problem of identifying vulnerabilities in mobile phone pre-installed apps and firmware.”
UEM/MDM platform customers can now identify employee devices that contain firmware vulnerabilities that originate from the software supply chain and take immediate action to mitigate any risk. For more information about Kryptowire’s mobile and IoT security analysis technologies and to schedule a demo, visit www.kryptowire.com.
This work was supported by the Department of Homeland Security (DHS) Science and Technology (S&T) via award to the Critical Infrastructure Resilience Institute (CIRI) Center of Excellence (COE) led by the University of Illinois at Urbana-Champaign (UIUC).
The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DHS.
Kryptowire automatically tests and validates the security and privacy of mobile and IoT firmware and applications against the highest government (NIST, NIAP) and industry (OWASP, GDPR) standards. Kryptowire was jumpstarted by the Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS) in 2011. It is based in Tysons Corner, Virginia, USA, and has a customer base ranging from government agencies to national cable TV companies.