• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Industry News   »   Vulnerabilities on SoC-powered Android devices have implications for the IoT

Vulnerabilities on SoC-powered Android devices have implications for the IoT

  • Posted on:March 14, 2016
  • Posted in:Industry News
  • Posted by:
    Noah Gamer
1
What do security vulnerabilities mean for the IoT?

Trend Micro has discovered a new vulnerability that could bring into question the security of the Internet of Things. Our researchers have found a hole in the defenses of the systems on chips (SoCs) produced by Qualcomm Snapdragon that, if exploited, allows root access. This gives the hacker administrative authority over the hardware, which enables a wide range of nefarious possibilities. 

So far, Trend Micro security experts have found this vulnerability on the Nexus 5, 6, 6P and the Samsung Galaxy Note Edge. Considering the fact that these devices no longer receive security updates, this is concerning news for anyone who owns one of these phones. However, smartphones aren't the only problem here. Snapdragon also sells their SoCs to venders producing devices considered part of the IoT, meaning these gadgets are just as at risk. 

The IoT has similar updating problems as Android

By all accounts, it would appear that IoT devices are going to have a similar problem with security updates as these Android smartphones. FTC Chairwoman Edith Ramirez said as much during a speech at the 2015 Consumer Electronics show. 

"Moreover, some connected devices are low-cost and essentially disposable," said Ramirez. "If a vulnerability is discovered on that type of device, it may be difficult to update the software or apply a patch – or even to get news of a fix to consumers."

A large portion of the population already doesn't see the point of updating their systems, and this only pertains to the few Internet-connected devices in their homes. An IoT future, where almost every device in the home will have a connection, is only going to compound this problem further. Add in the fact that some of these devices will be designed to be cheap and "essentially disposable" and it's easy to see why many people worry about the security of the IoT. SoCs like the ones developed by Snapdragon are already making their rounds in IoT devices including certain wearables. If the industry can't find a way to effectively patch these vulnerabilities, there could be massive repercussions. 

Hacking IoT devices could be a major problem in the future

Although hacking can already be used for nefarious means, the implications of an entirely connected world go far beyond that. A great example of this is the discovery of a vulnerability in a new Barbie doll that had the capability of connecting to the Internet, allowing children to effectively have a conversation with Barbie. In November of 2015, an independent researcher named Andrew Hay partnered with BlueBox Security to look into this toy's security capabilities, according to PCWorld. 

They discovered that the doll automatically connected to "any unsecured Wi-Fi network with 'Barbie' in the name." This means that a person could theoretically spoof a network, allow the doll to connect and hear everything the child said to the doll. While this doesn't exactly have many practical uses, it's certainly a frightening concept for any parent. 

But that's nowhere near the worst thing that can be done with IoT devices. In September of 2015, a group of people from the University of South Alabama wanted to see how far they could go with a connected pacemaker. They began tests on an iStan, basically a dummy that realistically simulates the biological processes of a real human. What they found was that they could effectively kill someone by hacking their pacemaker. Mike Jacobs, professor at the university, laid out the extent of the experiment. 

"The simulator had a pacemaker so we could speed the heart rate up, we could slow it down," said Jacobs. "If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient."

Under the right conditions, a hacker could use this insight to kill a patient with a few lines of code. While that's frightening on it's own, the simplicity of this attack is the real concern here. All it took was brute force and denial of service attacks, widely regarded as very low-skill hacking techniques, to breach the pacemaker's defenses. 

What's to be done?

Despite the fact that these examples didn't utilize vulnerabilities in the same way that cyber criminals could by exploiting Snapdragon's SoCs, they show that hacking the IoT is a much bigger problem than exploiting smartphones. That said, it would appear that Android phones and certain IoT devices share a similar problem in terms of security updates. The lower end IoT gadgets may not get the updates they need, as pointed out by Ramirez, which could open them up to serious risk. 

If the IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with. 

Related posts:

  1. Patch Your Servers, Your Phones and your IoT devices?
  2. Android, iOS each have fair share of vulnerabilities
  3. The implications of malware-as-a-service for enterprise IT
  4. How to Set Up Mobile Security on Android Devices

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • Fujitsu and Trend Micro Demonstrate Solution To Secure Private 5G
  • Trend Micro Receives 5-Star Rating in 2021 CRN® Partner Program Guide
  • Smart Factory Cyber Attacks Knock Out Production for Days
  • Eliminate Hesitations: Security Simplified For Those Building In The Cloud
  • Nuffield Health Depends on Managed XDR with Trend Micro Vision One
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.