Many brands of cheap Chinese smartphones could be secretly infected by malware via firmware updates, and nearly 3 million smartphone users may be vulnerable to attack as a result, according to security researchers. The U.S. government has issued an alert to users of phones marketed by BLU, Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO, although other brands may be affected as well.
These phones are vulnerable because a third-party Chinese software company called Regentek, whose firmware is built into the phones, doesn't encrypt its over-the-air updates, according to reports in Security Week, The Register and Ars Technica. The Regentek firmware is hidden and has root privileges. An attacker who hijacked the over-the-air firmware-update process could take complete control of the device, install malware or spyware, get hold of the user's personal information and see everything the user does.
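The paragraph above describes an update path with no authentication: whatever bytes come back from the update check are applied with root privileges. The usual defence is for the device to accept only packages whose metadata is signed by a key provisioned at manufacture, so a tampered image is rejected whether it was altered by someone on the same Wi-Fi network or served from an update hostname the vendor never registered. The following is an added illustration, not code from the article or from any of the named vendors. It uses Go's standard-library Ed25519 and assumes a hypothetical manifest layout (build number plus SHA-256 of the image); the key pair and firmware bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Distinct failure modes so telemetry or logging can tell them apart.
var (
	ErrBadSignature   = errors.New("ota: manifest signature does not verify against the trusted key")
	ErrDigestMismatch = errors.New("ota: payload digest does not match the signed manifest")
	ErrRollback       = errors.New("ota: update would downgrade the installed build")
)

// UpdateManifest is a hypothetical, minimal signed description of one OTA
// package: vendor-signed metadata that travels alongside the firmware image.
type UpdateManifest struct {
	Version   uint32   // monotonically increasing build number
	Digest    [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over manifestBytes(Version, Digest)
}

// manifestBytes is the exact byte string that is signed: a fixed-width
// version followed by the digest, so the encoding is unambiguous.
func manifestBytes(version uint32, digest [32]byte) []byte {
	buf := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, digest[:]...)
}

// SignManifest is the vendor-side step. In practice the private key lives on
// an offline signing host or HSM, never on the update server itself.
func SignManifest(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateManifest {
	m := UpdateManifest{Version: version, Digest: sha256.Sum256(payload)}
	m.Signature = ed25519.Sign(priv, manifestBytes(m.Version, m.Digest))
	return m
}

// VerifyUpdate is the device-side check that an unauthenticated OTA path
// lacks. It trusts only the public key provisioned at manufacture, so a
// party that controls the network path or an update hostname can deliver
// bytes but cannot get them installed.
func VerifyUpdate(trusted ed25519.PublicKey, installedVersion uint32, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(trusted, manifestBytes(m.Version, m.Digest), m.Signature) {
		return ErrBadSignature
	}
	// A genuinely signed but stale manifest must also be refused, otherwise
	// an old build with known bugs could be replayed onto the device.
	if m.Version <= installedVersion {
		return ErrRollback
	}
	// Only now is the (possibly large) image hashed and compared.
	if sha256.Sum256(payload) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

// main walks through a genuine update, an image altered in transit and a
// replayed build, using a throwaway key pair; all values are constructed.
func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, build 2")
	manifest := SignManifest(priv, 2, image)

	fmt.Println("genuine update:", VerifyUpdate(pub, 1, manifest, image))
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, manifest, []byte("modified in transit")))
	fmt.Println("replayed build:", VerifyUpdate(pub, 2, manifest, image))
}
```

The signature is checked before the image is hashed so that a cheap, fixed-size operation gates the expensive one, and the version check sits between them because a valid signature on an old manifest is exactly what a downgrade attempt looks like. Transport encryption on top of this is still worthwhile for privacy of the update traffic, but the signature is what makes tampering detectable even when the transport is not trusted.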
BLU has reportedly issued its own software update to fix the flaw, but other vendors may not have. Until they do, users of those devices should avoid public Wi-Fi networks with no passwords or shared passwords, which would let someone on the same network mount a man-in-the-middle attack.
The affected phones are vulnerable right out of the box, according to researchers at Portuguese security firm AnubisNetworks and its U.S. parent company Bitsight, which discovered the flaw. In fact, AnubisNetworks initially found an even bigger threat to the phones, and closed it.
The researchers found that the Regentek firmware was hard-coded to reach out to three websites for updates — but only one of those sites was actually Regentek. The other two were up for grabs, so AnubisNetworks registered them and set up its own servers.
"If an adversary had noticed this, and registered these two domains, they would've instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a Man-in-the-Middle attack," said BitSight's Dan Dahlberg and AnubisNetworks' João Gouveia in a blog posting. "AnubisNetworks now controls these two extraneous domains to prevent such an attack from occurring in the future for this particular case."
But the man-in-the-middle flaw still exists. BLU's update eliminates the vulnerability on its own devices, but none of the other named companies are reported to have done the same. The AnubisNetworks researchers could identify the brand on only about half of the nearly 3 million devices they "saw" pinging their own servers for firmware updates, so there may be many more brands affected.
"The thing that scares us is a lot of these users will be unaware of the vulnerability, and they will never get an update," Stephen Boyer, chief technology officer at BitSight, said to Ars Technica. "This is full system compromise. This is at the root level. [Attackers with a MitM position] can do anything."
This is the second major flaw found in inexpensive Chinese handsets within the past week. Last week, security firm Kryptowire found another kind of hidden firmware, made by a different company, on millions of phones, including those sold by BLU. That firmware transmitted all of the user's text messages, contact lists, location data and call logs to a server in China, likely for marketing-research purposes. Similar hidden collection of personal data has been found in other Chinese handsets over the past few years.
The Kryptowire disclosure was what prompted the AnubisNetworks researchers to go to Best Buy and pick up a BLU Studio G handset. In less than 48 hours, they had discovered and posted details of the Regentek vulnerability described above.
For a full list of phone models known to be vulnerable to this attack, see the CERT vulnerability alert. Owners of affected phones are advised to contact their phone's makers for more information on updates that will eliminate this particular vulnerability.