The feeling of unboxing a new smartphone, looking at its accessories, and starting it up for the first time is always a special one. A lot of people also enjoy setting everything up and fine-tuning it to fit their needs. The best thing, a new smartphone always also represents a fresh start, with a clean new install and no issues, right? Well, not with these 25 smartphones.
Last week at the DEFCON security researchers funded by the Department of Homeland Security revealed that 25 Android smartphones come with 47 vulnerabilities already pre-installed. They are either present in the firmware and / or apps, and basically, make sure your completely new phone is a target as soon as you turn it on for the first time. Even worse: While apps can be removed if they sport issues doing so with the firmware is a lot harder and can cause loss of functionality or worse.
So, how bad is it?
The issues are all over the place and range from being able to lock someone out of their own device to gaining access to different functions like the microphone, retrieving SMS, take screenshots from the screen of the phone, and download apps without the phone owners consent.
Now how is something like this even possible? According to Wired, the nature lies in how Android is being distributed: Every smartphone brand can basically tweak the OS, add own code, and preinstall different apps. While this is, of course, great for the different companies it also comes with issues: The phone’s security. “With the hundreds of mobile phone makes and models on the market and thousands of versions of firmware, best-effort manual testing and evaluations simply cannot scale to address the problem of identifying vulnerabilities in mobile phone pre-installed apps and firmware,” said Angelos Stavrou, CEO of Kryptowire, in their press release.
Which phones are at risk?
While not all of the phones are sold in Europe and the US you are sure to see at least some brands and models you might recognize, like Asus, LG, ZTE and Oppo.
Take a look at the list of devices and some videos showing some of the exploits on the Kryptowire page.