Amazon Patches Certificate Vulnerabilities in Fire Phones

Amazon last week patched three vulnerabilities in its Fire smartphones, including two in its Certinstaller package that put devices at risk.

An attacker could take advantage of the vulnerability in the package, which allows mobile apps to install certificates on Amazon Fire devices without user interaction. Encrypted traffic that does not make use of certificate pinning could be hijacked by an attacker sitting in a man-in-the-middle position, researchers at MWR Labs said.

One of the vulnerabilities, MWR Labs said, allows for the silent installation of certificates while the other fails to properly check the device’s unique identifier, or UID. A UID is a unique string associated with a system that allows for outside interactions, such as updates.

The third vulnerability addressed involves Secure USB Debugging, which was not enforced on devices until last week’s updates. Added to Android Kit Kat (4.2.2), Secure USB Debugging allows only certain hosts to connect to a phone via the Android Debug Bridge (adb).

Of the three bugs, the two Certinstaller issues are much more worrisome since they put supposedly secure traffic and communication at risk for intercept. MWR Labs, points out however, that despite the fact that user interaction is not required to install a new certificate, the user is presented with a notice informing them that a new cert has been installed.

“Users are advised to only install applications from trusted sources and exclusively make use of trusted networks,” MWR said in its advisory. “Users that notice any notifications regarding ‘Certificate Installed’ should immediately remove the certificate and uninstall any possibly malicious applications that were recently added.”

Amazon was notified in January of all three security issues and addressed each in an update to the Fire OS last week; users should update to Fire OS 4.6.1.

MWR Labs explains in its advisory that vulnerable versions of the Fire OS incorrectly use the myUserID() function, allowing silent installations of certificates. The failure of this check would allow an attacker on the network to decrypt traffic, redirect it, or trick users into installing a malicious APK file.

The Secure USB Debugging vulnerability is less severe. The Amazon Fire Phone, prior to last week, did not enforce Secure USB Debugging. An attacker exploiting this issue would gain access to the Android Debug Bridge and install malicious applications, bypass the lock screen, access a shell on the device, or steal application data, MWR Labs said in its advisory.

“The device never prompts users to accept new hosts and it is possible to connect via adb even when the device is locked,” MWR Labs said, adding that temporary workaround involves disabling USB Debugging.

Image courtesy ChrisF608