Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Google’s Project Zero discovers 11 ‘high-impact security issues’ on Samsung Galaxy 6S Edge

Members of Google's Project Zero held a week-long competition hunting for zero-day exploits on the Samsung Galaxy 6S Edge, and discovered 11 “high-impact security issues.”

In a blog post, Natalie Silvanovich, an engineer on the Android security team at Google, wrote that Project Zero's security researchers chose to work on the Samsung Galaxy S6 Edge because “it is a recent high-end device with a large number of users.”

The research group uncovered numerous security problems that together serve to highlight the staggering challenge Google faces in attempting to resolve vulnerabilities on Android devices.

Samy Kamkar, a security researcher and CTO at Ctrl Me Robotics, told that he believes “almost all of these apply uniquely” to the Samsung phone. This may be comforting, he said, but it is also highly problematic. “While it's nice that these issues don't apply to other phones, there are likely similar issues in other phones – or other issues for each phone.”

The Project Zero team had already worked on Nexus devices, wrote Silvanovich, and “wanted to see how different attacking an OEM device would be.”

“We also wanted to see how quickly bugs would be resolved when we reported them,” she added.

The vulnerabilities that the team discovered included authentication (intent handlers) issues, memory corruption vulnerabilities, lack of verification when unzipping zip files, email flaws that allowed JavaScript to execute, and driver issues.

“I also suspect that they chose Samsung because they had a high confidence that they would find a lot of issues,” Kamkar said. In his own research, Kamkar discovered GM's OnStar vulnerability in August.

John Bambenek, senior threat researcher at Fidelis Cybersecurity told Google faces “higher level challenges” because third-party vendors can layer on their own software and code on Google's devices.

Google's team discovered a flaw in the Samsung email client that allows JavaScript embedded in the message to execute in the email client. This was one of the more problematic exploits, and it remains unfixed.

Bambenek told the capability of JavaScript to automatically render contacts was a flaw “that led to an entire genre of exploits.”

Kamkar said the concern was that the JavaScript would be able to permeate through the entire email system.”

Project Zero also discovered buffer overflows in the phone's drivers. Kamkar told SCMagazine this exploit was especially problematic because drivers involve high privilege code “so exploits can be particularly severe.”

According to Silvanovich, Samsung fixed eight of the 11 security issues. However, it took the company 90 days to create patches for the issues.

Samsung confirmed to via email that eight of the security issues discovered by Project Zero were solved. The remaining three issues will be fixed “over the next couple of weeks.” Google did not reply to requests for comment by press time.

These security flaws are problematic, said Bambenek, but he said the flaws are not “exclusive to Android.”

“Software developers have given me so much job security,” he told SCMagazine, “I'm never going to be able to retire.”


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.