Home Cyber Security Android 14 introduces first-of-its-kind mobile connectivity safety features

Android 14 introduces first-of-its-kind mobile connectivity safety features

0
Android 14 introduces first-of-its-kind mobile connectivity safety features

[ad_1]

Android is the primary cell working system to introduce superior mobile safety mitigations for each shoppers and enterprises. Android 14 introduces help for IT directors to disable 2G help of their managed system fleet. Android 14 additionally introduces a characteristic that disables help for null-ciphered mobile connectivity.

Hardening community safety on Android

The Android Safety Mannequin assumes that each one networks are hostile to maintain customers secure from community packet injection, tampering, or eavesdropping on consumer visitors. Android doesn’t depend on link-layer encryption to deal with this risk mannequin. As a substitute, Android establishes that each one community visitors must be end-to-end encrypted (E2EE).

When a consumer connects to mobile networks for his or her communications (knowledge, voice, or SMS), as a result of distinctive nature of mobile telephony, the hyperlink layer presents distinctive safety and privateness challenges. False Base Stations (FBS) and Stingrays exploit weaknesses in mobile telephony requirements to trigger hurt to customers. Moreover, a smartphone can not reliably know the legitimacy of the mobile base station earlier than trying to connect with it. Attackers exploit this in plenty of methods, starting from visitors interception and malware sideloading, to stylish dragnet surveillance.

Recognizing the far reaching implications of those assault vectors, particularly for at-risk customers, Android has prioritized hardening mobile telephony. We’re tackling well-known insecurities such because the danger introduced by 2G networks, the chance introduced by null ciphers, different false base station (FBS) threats, and baseband hardening with our ecosystem companions.

2G and a historical past of inherent safety danger

The cell ecosystem is quickly adopting 5G, the newest wi-fi normal for cell, and plenty of carriers have began to show down 2G service. In the USA, for instance, most main carriers have shut down 2G networks. Nevertheless, all present cell units nonetheless have help for 2G. In consequence, when accessible, any cell system will hook up with a 2G community. This happens routinely when 2G is the one community accessible, however this can be remotely triggered in a malicious assault, silently inducing units to downgrade to 2G-only connectivity and thus, ignoring any non-2G community. This habits occurs no matter whether or not native operators have already sundown their 2G infrastructure.

2G networks, first applied in 1991, don’t present the identical degree of safety as subsequent cell generations do. Most notably, 2G networks based mostly on the International System for Cellular Communications (GSM) normal lack mutual authentication, which permits trivial Individual-in-the-Center assaults. Furthermore, since 2010, safety researchers have demonstrated trivial over-the-air interception and decryption of 2G visitors.

The out of date safety of 2G networks, mixed with the power to silently downgrade the connectivity of a tool from each 5G and 4G all the way down to 2G, is the commonest use of FBSs, IMSI catchers and Stingrays.

Stingrays are obscure but very highly effective surveillance and interception instruments which have been leveraged in a number of situations, starting from doubtlessly sideloading Pegasus malware into journalist telephones to a refined phishing scheme that allegedly impacted tons of of 1000’s of customers with a single FBS. This Stingray-based fraud assault, which doubtless downgraded system’s connections to 2G to inject SMSishing payloads, has highlighted the dangers of 2G connectivity.

To deal with this danger, Android 12 launched a new characteristic that permits customers to disable 2G on the modem degree. Pixel 6 was the primary system to undertake this characteristic and it’s now supported by all Android units that conform to Radio HAL 1.6+. This characteristic was rigorously designed to make sure that customers will not be impacted when making emergency calls.

Mitigating 2G safety dangers for enterprises

The trade acknowledged the numerous safety and privateness advantages and affect of this characteristic for at-risk customers, and we acknowledged how important disabling 2G may be for our Android Enterprise prospects.

Enterprises that use smartphones and tablets require sturdy safety to safeguard delicate knowledge and Mental Property. Android Enterprise supplies strong administration controls for connectivity security capabilities, together with the power to disable WiFi, Bluetooth, and even knowledge signaling over USB. Beginning in Android 14, enterprise prospects and authorities companies managing units utilizing Android Enterprise will be capable to prohibit a tool’s capacity to downgrade to 2G connectivity.

The 2G safety enterprise management in Android 14 permits our prospects to configure cell connectivity in accordance with their danger mannequin, permitting them to guard their managed units from 2G visitors interception, Individual-in-the-Center assaults, and different 2G-based threats. IT directors can configure this safety as obligatory, at all times preserving the 2G radio off or making certain staff are protected when touring to particular high-risk areas.

These new capabilities are a part of the excellent set of 200+ administration controls that Android supplies IT directors by Android Enterprise. Android Enterprise additionally supplies complete audit logging with over 80 occasions together with these new administration controls. Audit logs are a important a part of any group’s safety and compliance technique. They supply an in depth document of all exercise on a system, which can be utilized to trace down unauthorized entry, determine safety breaches, and troubleshoot system issues.

Additionally in Android 14

The upcoming Android launch additionally tackles the chance of mobile null ciphers. Though all IP-based consumer visitors is protected and E2EE by the Android platform, mobile networks expose circuit-switched voice and SMS visitors. These two explicit visitors sorts are strictly protected solely by the mobile hyperlink layer cipher, which is absolutely managed by the community with out transparency to the consumer. In different phrases, the community decides whether or not visitors is encrypted and the consumer has no visibility into whether or not it’s being encrypted.

Current reviews recognized utilization of null ciphers in industrial networks, which exposes consumer voice and SMS visitors (resembling One-Time Password) to trivial over the air interception. Furthermore, some industrial Stingrays present performance to trick units into believing ciphering just isn’t supported by the community, thus downgrading the connection to a null cipher and enabling visitors interception.

Android 14 introduces a consumer choice to disable help, on the modem-level, for null-ciphered connections. Equally to 2G controls, it’s nonetheless potential to put emergency calls over an unciphered connection. This performance will enormously enhance communication privateness for units that undertake the newest radio {hardware} abstraction layer (HAL). We anticipate this new connectivity safety characteristic to be accessible in additional units over the following few years as it’s adopted by Android OEMs.

Persevering with to accomplice to boost the trade bar for mobile safety

Alongside our Android-specific work, the crew is frequently concerned within the growth and enchancment of mobile safety requirements. We actively take part in requirements our bodies resembling GSMA Fraud and Safety Group in addition to the third Technology Partnership Undertaking (3GPP), notably its safety and privateness group (SA3). Our long-term aim is to render FBS threats out of date.

Particularly, Android safety is main a brand new initiative inside GSMA’s Fraud and Safety Group (FASG) to discover the feasibility of recent identification, belief and entry management strategies that might allow radically hardening the safety of telco networks.

Our efforts to harden mobile connectivity undertake Android’s defense-in-depth technique. We frequently accomplice with different inner Google groups as nicely, together with the Android Crimson Group and our Vulnerability Rewards Program.

Furthermore, in alignment with Android’s openness in safety, we actively accomplice with prime tutorial teams in mobile safety analysis. For instance, in 2022 we funded by way of our Android Safety and Privateness Analysis grant (ASPIRE) a challenge to develop a proof-of-concept to guage mobile connectivity hardening in smartphones. The tutorial crew introduced the consequence of that challenge within the final ACM Convention on Safety and Privateness in Wi-fi and Cellular Networks.

The safety journey continues

Person safety and privateness, which incorporates the protection of all consumer communications, is a precedence on Android. With upcoming Android releases, we’ll proceed so as to add extra options to harden the platform towards mobile safety threats.

We look ahead to discussing the way forward for telco community safety with our ecosystem and trade companions and standardization our bodies. We can even proceed to accomplice with tutorial establishments to unravel advanced issues in community safety. We see large alternatives to curb FBS threats, and we’re excited to work with the broader trade to unravel them.

Particular due to our colleagues who had been instrumental in supporting our mobile community safety efforts: Nataliya Stanetsky, Robert Greenwalt, Jayachandran C, Gil Cukierman, Dominik Maier, Alex Ross, Il-Sung Lee, Kevin Deus, Farzan Karimi, Xuan Xing, Wes Johnson, Thiébaud Weksteen, Pauline Anthonysamy, Liz Louis, Alex Johnston, Kholoud Mohamed, Pavel Grafov

[ad_2]

Supply hyperlink

LEAVE A REPLY

Please enter your comment!
Please enter your name here