Component suppliers, Android device manufacturers and developers all test their products rigorously. Even still, vulnerabilities — both in hardware and software — can be found on the smartphones and tablets we trust with our sensitive data.
Until a patch for a vulnerability is installed, an affected device is exposed. That’s why fixing vulnerabilities like QuadRooter requires the cooperation of everyone in the Android ecosystem including researchers, suppliers, Google, device manufacturers, and carriers.
- Suppliers: Check Point mobile researcher Adam Donenfeld informed Qualcomm about four vulnerabilities he discovered in its chipset software drivers between February and April, in advance of our public disclosure of QuadRooter. Qualcomm’s research and development teams acted quickly to confirm and then release patches for each of these:
- February 2, 2016: Check Point discloses vulnerability to Qualcomm
- February 10, 2016: Qualcomm confirms vulnerability
- April 29, 2016: Qualcomm releases public patch
- CVE-2016-2503 and CVE-2016-2504
- April 4, 2016: Check Point discloses vulnerabilities to Qualcomm
- May 2, 2016: Qualcomm confirms vulnerabilities
- July 6, 2016: Qualcomm releases public patches
- April 10, 2016: Check Point discloses vulnerability to Qualcomm
- May 2, 2016: Qualcomm confirms vulnerability
- July 28, 2016: Qualcomm releases public patch
- Android Open Source Project: Google included patches for CVE-2016-2503, and CVE-2016-2504 in its July Android security update, and CVE-2016-5340 will be patched by Google’s September Android security update. For CVE-2015-2059, Google now uses a SELinux rule to block exploitable code paths by unprivileged apps.
- Device manufacturers and carriers: Depending on the severity of a vulnerability, device manufacturers and carriers may wait for Google’s comprehensive monthly Android security update. Or, they can also distribute one-off or “out-of-band” patches before the monthly update.
- BlackBerry was the first device manufacturer to release an out-of-band patch to BlackBerry Priv and BlackBerry DTEK50 users who purchased devices directly from shopblackberry.com.
- BlackBerry also made patches available to its carrier partners, which will push these patches out to subscribers who purchased these devices from them.
- Working with the Check Point research team, BlackBerry also confirmed the DTEK50 has mechanisms in place to mitigate CVE-2016-5340 since no exploitable code paths for this vulnerability exist in its security-hardened version of Android.
- Sony and LG are also planning to release out-of-band patches for affected devices.
Check Point is committed to working with stakeholders throughout the industry to ensure users and enterprises are protected from advanced threats. Our team will continue working closely with suppliers, Google, device manufacturers, and carriers to identify vulnerabilities and to notify the Android ecosystem responsibly.
QuadRooter Scanner app for Android
Our QuadRooter scanner app uses code analysis of potential exploit techniques to detect CVE-2016-2504 and CVE-2016-2059 accurately without any effect the user’s device. But for CVE-2016-2503 and CVE-2016-5340, the only way to test if a device is vulnerable is by executing a partial exploit that could cause a device to crash and reboot, a situation Check Point considered unacceptable.
Instead, the scanner app queried the device for the most recently installed Android security update and:
- if the July 2016 update was found, then the device was not affected by CVE-2016-2503.
- if the yet to be released September 2016 update was found, then the device was not affected by CVE-2016-5340.
As out-of-band security patches are made available and installed on affected devices before the July or September Android security updates, this detection method for CVE-2016-2503 and CVE-2016-5340 could return false positive results.
Working closely with the Qualcomm Product Security Team, Check Point made updates to the scanner app that more accurately reflect any QuadRooter risk to a user’s device. It now alerts users if a device is affected by CVE-2504 and CVE-2059, and provides additional information about CVE-2016-2503 and CVE-2016-5340.