It’s BlackHat week, in case you didn’t know, and that means hackers are trying their best to exploit the most popular technology out there thanks to discoveries of software flaws and vulnerabilities. We’ve already discussed Stagefright to no end, but another big vulnerability threatens the mobile space.
It’s being called Certifi-gate, and the gist of it is that carriers and OEMs who use remote diagnostic tools aren’t protecting those tools well enough. If you don’t know, these tools are used to remotely help users with their phones when something’s gone wrong. It’s usually a last-ditch method for some software issues, or it’s used when a customer service rep needs to get into a hidden service menu.
Anyway, the problem is that hackers have found a vulnerability that would allow them to take control of these tools and basically do whatever they want on your device. The vulnerability has to be exploited by an application that the user installs from a third-party source, so if you’re only getting apps from Google Play, or only installing apps from third-party sources that you absolutely trust, then you should be fine.
As with most vulnerabilities discussed at these security conferences, Certifi-gate was already disclosed to hardware makers and carriers “months ago,” and some have already started rolling out fixes. HTC says they’ve already been testing fixes and expect to have them out in updates soon for the HTC One M9 and other newer Desire phones. We imagine they’ll also look to get older devices updated in due time.
Check Point, the company that discovered the vulnerability, has gone ahead and made a tool that lets you check whether your device is vulnerable. Chances are it will spit out a scary result, though with no known malware targeting the vulnerability out there, we aren’t so sure it’s cause for panic.
And listen, folks: this isn’t the first time we’ll hear of problematic vulnerabilities in Android or smartphones, and it won’t be the last. It’s been magnified in recent times thanks to slick Apple marketing, and this week especially, since some of the world’s most accomplished hackers are all trying to find this stuff inside a big convention hall over in Las Vegas. It’s a good thing that this stuff is coming to light, because it means it will be thoroughly fixed (if it hasn’t been already).
You should remember that most security firms only release a vulnerability report after they’ve already submitted their findings and an appropriate patch to the parties responsible. Part of the reason for that is to make sure competitors can’t get the money they’re entitled to, sure, but we also like to believe the majority of the reason is to help protect the public while software and hardware makers work out the fixes.
So, we’ll be waiting on word from the OEMs and carriers who use these insecure diagnostic tools to see what their plans for patching are, and we’ll be waiting patiently for word on the next big security threat that’s sure to come out and scare the pants off everyone for little to no reason.