Google stepped up its scrutiny of device security several years ago in the wake of the massive Stagefright vulnerability. Ever since then, Android devices list a “patch level” that tells you when its security was last updated. However, Karsten Nohl and Jakob Lell Security Research Labs say that many devices are fibbing about their security patches. Some phones are missing more than a dozen patches.
Each month, Google puts out a new list of Android patches, some of which are minor and others may be critical vulnerabilities. Google rolls these patches out to its Pixel phones right away, but most manufacturers are at least a few months behind. When the update does arrive on a phone, the settings reports the patch level as a month and year. For example, if your phone says you have April 2018 patches, it should be protected from all vulnerabilities reported in Google’s April security bulletin and earlier.
Nohl and Lell have spent two years reverse engineering the updates on more than 1,200 Android phones to see if those patches are all included. They’ve identified a “patch gap” where devices report a specific patch level, but they aren’t protected from all the bugs indicated by that patch date. In some cases, the patch level was a good indicator of a device’s security, but certain devices were missing more patches than you’d expect.
Security Research Labs created the table below to break manufacturers up into groups based on the average number of missing patches on their phones (in 2017 patches). Unsurprisingly, Google never misses patches on its phones, and they’re delivered fastest. Sony, Samsung, and Wiko also averaged between 0 and 1 missing patches. Xiaomi, OnePlus, and Nokia also fare well with 1-3 missing patches. HTC, Huawei, LG, and Motorola are in the 3-4 missing patch group. Then at the bottom, you’ve got TCL and ZTE with an average of 4 or more missing patches.
You could reasonably believe most of this is just an accident and not a result of incompetence or malicious behavior. However, Nohl and Lell found some low-cost phones got updates that were not vetted properly. For example, the Samsung Galaxy J3 missed 12 patches in 2017 that it claimed to have.
There’s one more wrinkle here: the type of chip in a phone makes a difference. Nohl and Lell found that phones shipping with the less expensive MediaTek processors had a much higher incidence of missing patches — an average of 9.7 of them. Device makers rely on chip vendors to release patches for their designs, and MediaTek is notoriously slow to comply with open source requirements.
Does this mean your phone is dangerously insecure? Nohl and Lell don’t think so. Most devices still have almost all the patches you’d expect, and the Android platform has protections like address space layout randomization and process sandboxing to foil attacks. Google should still hold some feet to the fire, though.
Should Spectre, Meltdown Be the Death Knell for the x86 Standard?
Spectre and Meltdown are serious CPU flaws, but do they warrant throwing out the entire closed-source CPU model?
Nvidia Goes All-In On G-Sync With New ‘BFGD’ Ultra-High-End Displays
Nvidia is bringing some of the highest-end displays imaginable to market in 2018, with 4K panels, 120Hz refresh rates, low latency displays, integrated Nvidia Shields, and support for 1,000 nits of brightness in HDR. Yowza.
Huawei’s Phone Deal With AT&T Reportedly Killed On Account of Politics
The upcoming (and unannounced) deal with AT&T to sell the new Mate 10 series was supposed to be the start of Huawei's push into North America, but the deal has reportedly fallen apart at the last minute after AT&T got cold feet, and some sources point to a political cause.
ET Deals Roundup: $200 Gift Card with Samsung 4K TV for $600, $50 Price Drop on Inspiron 15 7000, and more
Ready to upgrade to a 4K television? Maybe you're looking for a new laptop for school, or searching for the perfect camera for an upcoming vacation. Well, there are plenty of discounts floating around this week, so we've put together a list of the hottest deals. If you're looking to save big on new gear, you're bound to find something worthwhile below.