Yet these vulnerabilities are just fine
One of the security downfalls of Android devices is the profusion of independent device makers and the varying states of attention each manufacturer pays to device security. LG, a major manufacturer with anywhere from 5.8% - 9.6% of smartphone market share (depending on whose report you read) was the focus of a recent vulnerability disclosure. Security vendor Check Point announced two major vulnerabilities unique to LG phones during the LayerOne conference in Los Angeles. Importantly, the public disclosure of the vulnerabilities didn’t occur until after Check Point alerted LG, after which LG issued patches.
The vulnerabilities, if left unpatched, allow threat actors to hijack the devices and exploit user services. This fact underscores the importance of patching, but another notable fact in this case is the amount of FUD used in the reporting of the LG vulnerabilities. Most of the articles I’ve read cite an incorrect, and overinflated, market share for LG devices, even when a hyperlink to the source of the market share figure is included in the text. The Check Point blog itself states that LG devices “account for over 20% of the Android OEM market in U.S.” while pointing to a comScore survey that shows LG owning 9.6% of the smartphone market, without any data specifically about the Android market. Subsequent reports, which obviously stemmed from the blog post of May 29, 2016, misquote the LG market share at anywhere between 20% - 28.5% of the total smartphone market. Headlines like “All LG Smartphones can be Exploited” attract eyeballs, and the present tense used throughout all of the posts is meant to rattle cages, even though the original blog post clearly states, “LG issued fixes for both vulnerabilities.” Does this mean all devices are fixed? Of course not. Does this mean no other vulnerabilities in LG devices are present? One would be foolish to make that assumption.
These particular vulnerabilities, CVE-2016-3117 and CVE-2016-2035, however, appear, upon a bit of digging, to be a current non-issue. The present problem is the FUD-based tactics used in the tech media. Vulnerability exploits are cool and make great event presentations, but they’re only useful if they’re instructive: “This is the method we used to identify some potentially harmful vulnerabilities.” The security vendor undoubtedly disclosed its findings publicly as a way to display its security prowess in this regard. No harm there; Check Point needs to sell security products to remain viable, after all. And the vulnerabilities themselves do, indeed, look pretty severe if exploited. If. Other than the demo at the event, however, where’s the real-world exploit? Where is the damage?
Don’t mis-serve your own needs
It’s been many years since security professionals began decrying the use of FUD as a means for furthering infosec, yet it’s still as persistent as those “APTs”…which, as most of us know, are generally not advanced and not targeting private enterprises, though the state of security is such that adversaries can persist in most organizations’ and countries’ systems. Every media article carries a flashy headline, and even a vulnerability that’s been fixed is attached to the latest and greatest threats (in the case of these two vulnerabilities, it’s ransomware).
It’s really time to get over the FUD and start focusing on fixing what matters, be that live vulnerabilities or the broken processes which allow vulnerabilities in the first place. FUD can help draw attention to a persistent issue that is sitting quietly, and it can light fires, but it doesn’t help make our systems, companies, products, or people more secure. It certainly doesn’t belong in an effort to attract attention to an already fixed problem. Only practicing security can make us more secure, and we don’t need FUD to be better practitioners.