Kryptowire discovered vulnerabilities in mobile device firmware and pre-installed mobile apps that pose a risk for the mobile phone supply chain because they can expose consumer and enterprise data on purchase.
This means that the vulnerabilities are present, and the user is exposed to attacks even before she performs any activity such as using wireless communications or installing third-party apps.
Firmware exploits bypass all existing defenses including commercial Mobile Threat Detection (MTD), or mobile anti-virus, technologies because they cannot detect vulnerabilities below the application layer and offer no protection against evolving firmware exploits.
Kryptowire’s technology is capable of discovering vulnerabilities from binary firmware images and applications at scale, allowing us to monitor devices across different manufacturers and firmware versions.
“Our researchers have extended their work that began in 2011 as a DARPA effort to automatically test the security of 3rd party mobile apps without access to source code. We can now do the same with mobile phone firmware,” said Angelos Stavrou, CEO of Kryptowire.
“With the hundreds of mobile phone makes and models on the market and thousands of versions of firmware, best-effort manual testing and evaluations simply cannot scale to address the problem of identifying vulnerabilities in mobile phone pre-installed apps and firmware.”
UEM/MDM platform customers can now identify employee devices that contain firmware vulnerabilities that originate from the software supply chain and take action to mitigate any risk.
This work was supported by the Department of Homeland Security (DHS) Science and Technology (S&T) via award to the Critical Infrastructure Resilience Institute (CIRI) Center of Excellence (COE) led by the University of Illinois at Urbana-Champaign (UIUC).