Amazon Fixes Fire Phone Vulnerabilities

Thursday, July 2, 2015 @ 03:07 PM gHale

Amazon’s Fire Phone received an update that resolves three vulnerabilities, researchers said.

Launched in June 2014, the Amazon Fire Phone runs an Android-based operating system called Fire OS, said researchers at security provider MWR InfoSecurity.

Amazon updated Fire OS to version 4.6.1, based on Android 4.4 KitKat, in early May. In addition to several new and enhanced features, Fire OS 4.6.1 fixes dozens of bugs.

The changelog published by Amazon doesn’t contain any information on these bugs, but advisories released by MWR detail three flaws which, according to the security firm, were fixed in Fire OS 4.6.1.

One of the vulnerabilities identified by experts exists in the CertInstaller package. By modifying the standard Android CertInstaller package, Amazon introduced a flaw that allowed third-party applications to install digital certificates without user interaction. Malicious actors could leverage the installed certificates to intercept encrypted traffic via man-in-the-middle (MitM) attacks.

Researchers also discovered a second flaw in the CertInstaller package, caused by incorrect usage of User ID validation functions. This flaw also allowed malicious apps to install digital certificates on Amazon Fire Phones.

Another vulnerability involves the Android Debug Bridge (ADB), a tool used to access functionality and data on a device during development and debugging.

Google added a secure USB debugging feature to Android with the release of version 4.2.2. The problem was that Fire OS did not include the secure USB debugging feature, allowing an attacker to gain ADB access to devices that had USB debugging enabled. An attacker could exploit the bug to bypass the lock screen, install and uninstall applications, access a high-privilege shell on the phone, and steal data, MWR researchers said.

The issues were reported to Amazon on January 19. MWR published advisories detailing the security bugs last week. The security firm said it coordinated the public release of the advisories with Amazon.

The Amazon Fire Phone automatically downloads and installs software updates when the device is connected to the Internet. Users can also perform software updates manually by downloading the update to a computer and transferring it to the smartphone via a USB cable.