FUD fighting: Every smart device has unpatched vulnerabilities

OMG! Have you heard? Half of all Android devices have unpatched vulnerabilities, and are out there, sharing the same air as we are! The horror!

That's the feeling you'll get if you poke around the Internet today and read a blog or two, where folks are talking about a study from Duo Security, a company that sells authentication software to be used on smartphones. They even have a nifty little app you can install to check your Android device to see if it's vulnerable. The app isn't in Google Play, but it's linked at the bottom of the post if you want to check it out yourself.

Sounds scary, right? Fifty percent of Android phones, all over the world, unpatched and ripe for some sort of online hacking, has got to be bad. It's the end for Google and Android, and we're all screwed.

Just. Stop.

Here's what's going on. The app you can download scans your device to see whether any of eight popular root exploit holes are still open. These are holes that were patched in more recent versions of Android or newer versions of the Linux kernel. If your phone or tablet is unpatched, you'll get a warning about it. It's all above board, and these exploits probably are unpatched on 50 percent of Android phones.

But what about the other thousands of exploits, or the ones that haven't been made public yet? You can't just use the eight easy ones and call it a day. My Galaxy Nexus is safe, according to this app, but it's sitting there with an unlocked bootloader, rooted, and ready for bad things to happen. You're not getting the full story from this app -- or from the blogs out there talking about it.

But we can help.

Every piece of smart electronics you own is unpatched against vulnerabilities. Every single one. Probably more than one vulnerability as well. That means your Android phone, or your iPhone, or your laptop, or even your DVD player. There is no way to create software that can't be exploited, and we see that daily. The 256-bit AES encryption on a bootloader means you'll have to find another hole and exploit it another way. There are people out there smarter than you and me who will find a way to crack into anything with a user interface as long as it's popular enough to care about.

That doesn't mean device manufacturers get a pass, though. If Google can make the Galaxy Nexus safe from popular exploits, then Samsung, HTC, Motorola and the rest can do it as well. If you want to ship a device with your own software on it, you're responsible for maintaining that software for the reasonable life of that device. For us, that means at least for the warranty period or the length of any contract we may have signed with a carrier. If you can't do that, you have no business putting your own custom software on a device.

But for this current round of Android hate, feel free to quietly chuckle and nod. FUD happens, but your phone is as safe as your cable box, and unless you're doing something you probably shouldn't be, you won't have any issues.

Source: Duo Security; via BGR

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Maybe I should be wearing aluminum foil on my head but am I the only one that finds it interesting that this story was released 1 day before the iPhone 5 goes on presale?
  • I hate when you get logical, can you please specialize in non-sense rantings that will make me want to ditch all my tech and wear a tin foil hat? That would be great!
  • grr... he stole my tin foil joke by 9 seconds.......
  • would have been by 15 seconds but I had to spell check "aluminum"! (Never could properly pronounce that word)
  • are you from England? just wondering...
  • Aluminium ... simple. ;)
  • BGR has long ago jumped the shark and stopped being anything but an unofficial mouthpiece for Apple. Every other article is an outright bashing or a backhanded compliment of anything Android. It may be a great way to drive traffic to their site, but they lost yours truly as a reader a while ago. Balanced and unbiased reporting and blogging is a rare commodity these days. Hope you guys stay true to this ideal.
  • You mean like cnet?
  • Are you honestly trying to say cnet is unbiased? I'm pretty sure they are another pro-Apple site.
  • Wait a minute. It's an app that's not in the Play store. That means you have to turn on the option to allow apps from unknown sources before you can install it. So, step 1 is turn off one of the things that's protecting your phone? WTF? I can't get excited about these "vulnerabilities". You wanna make me happy? Ignore every one of them and let me have a damned firewall without needing to root my phone. Freakin' iptables works great. Give it a pretty gui, roll it into aosp as part of permissions for every app, and call it a day. A year or two after that, Apple will invent it and we can all have a party.
  • What would be even better is if this app then rooted your phone for you. That would make it very handy.
  • Douglas Adams wrote "We need rigidly defined areas of doubt and uncertainty." Even the most locked down systems ever made have vulnerabilities. It is the truly open ones that get patched quickly. Now . . . where did I put my tin foil hat.
  • The real problem with the headline wasn't what it said; it was what it implied. To say that half of all Android phones have unpatched vulnerabilities is to imply that half of them don't, and that's just ridiculous.
  • It's true I've been saying this for a while too. It's nothing but FUD from these companies that do studies about malware, and conveniently also sell the software.
  • It would be beautiful if this app required root to run.