Just the act of Googling “Lollipop security” is reason for pause – who knows what surveillance list that might trigger? But do so and you’ll discover that the presumably amply insured head of Android security doesn’t bother locking the front door to his urban San Francisco home. As Seth Rosenblatt of CNET reports, the exact reason for that complacency is anyone’s guess. And as Rosenblatt notes:
Now Ludwig, the man with the unlocked door, wants you to feel just as safe using your mobile phone and “not think” about Android security, either.
Google has just announced that its newest Android release, named Lollipop, will have a more robust, on-by-default security offering. Out of the gate, Adrian Ludwig points to the lock screen as “the simplest way to keep the data safe and secure on your mobile device.” And it definitely can be. This, alongside full device encryption, makes a handset extremely resilient to even the most determined attackers.
It’s not all lollipops and rainbows though. While this is all well and good when properly implemented, Samsung has just demonstrated that these remote controls in the name of “security” aren’t all they’re cracked up to be when the implementation is poor. A recent vulnerability (CVE-2014-8346) was found that allows attackers to abuse the remote FindMyMobile security features to lock and unlock Samsung devices at will.
A YouTube video example demonstrates that Samsung mobile devices do not validate where lock commands originate. Using this, the researcher was able to lock the device with their own lock code, thus barring the legitimate owner from their own device. If Android Lollipop were also on these Samsung devices, would attackers have the ability to potentially abuse the kill switch, maliciously bricking devices as they please?
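The defect the post describes is a remote-lock handler that acts on any command it receives without checking that the command came from the owner’s enrolled service. The following is an added illustration, not code from Samsung, Google or the researcher: a toy command handler in both forms, one that trusts the message as-is and one that only applies commands carrying a valid HMAC over the canonical payload, rejects stale timestamps, and refuses replayed nonces. The shared key, the message layout and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed example key: in a real service this would be provisioned per
# device when the owner enrols it in the remote-lock feature (hypothetical).
DEVICE_KEY = b"example-device-key-not-a-real-secret"

ALLOWED_ACTIONS = {"lock", "unlock"}


def _canonical(payload):
    """Serialise the payload deterministically so signer and verifier agree."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_command(action, lock_code, nonce, issued_at, key=DEVICE_KEY):
    """Service side: build a command and sign it with HMAC-SHA256."""
    payload = {
        "action": action,
        "lock_code": lock_code,
        "nonce": nonce,
        "issued_at": issued_at,
    }
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def handle_unauthenticated(message, device_state):
    """The weak pattern: whoever can reach the endpoint can lock the phone."""
    payload = message["payload"]
    if payload["action"] == "lock":
        device_state["locked"] = True
        device_state["lock_code"] = payload["lock_code"]
    elif payload["action"] == "unlock":
        device_state["locked"] = False
    return "applied"


def handle_authenticated(message, device_state, seen_nonces,
                         now=None, key=DEVICE_KEY, max_age=300):
    """Hardened pattern: apply only commands provably from the enrolled service."""
    now = time.time() if now is None else now
    payload = message.get("payload")
    if not isinstance(payload, dict):
        return "rejected: malformed"

    # 1. Origin check: the MAC must match under the device's enrolled key.
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(message.get("mac", ""))):
        return "rejected: bad signature"

    # 2. Only a known action may be applied.
    if payload.get("action") not in ALLOWED_ACTIONS:
        return "rejected: unknown action"

    # 3. A captured command must not be usable later: bound its age ...
    if abs(now - float(payload.get("issued_at", 0))) > max_age:
        return "rejected: stale"

    # 4. ... and refuse a nonce that has already been consumed.
    nonce = payload.get("nonce")
    if nonce in seen_nonces:
        return "rejected: replay"
    seen_nonces.add(nonce)

    if payload["action"] == "lock":
        device_state["locked"] = True
        device_state["lock_code"] = payload["lock_code"]
    else:
        device_state["locked"] = False
    return "applied"


if __name__ == "__main__":
    # Constructed message with no valid signature, as an unauthenticated
    # endpoint would see it.
    forged = {"payload": {"action": "lock", "lock_code": "9999",
                          "nonce": "n0", "issued_at": 1000.0},
              "mac": "not-a-valid-mac"}
    state = {"locked": False, "lock_code": None}
    print("weak handler:", handle_unauthenticated(forged, state), state)

    state = {"locked": False, "lock_code": None}
    seen = set()
    print("hardened handler:", handle_authenticated(forged, state, seen, now=1000.0))
    genuine = sign_command("lock", "1234", "n1", 1000.0)
    print("hardened handler:", handle_authenticated(genuine, state, seen, now=1000.0), state)
    print("hardened handler:", handle_authenticated(genuine, state, seen, now=1000.0))
```

The order of the checks matters: the signature is verified before any field is interpreted, so a malformed or tampered message never reaches the action, age or nonce logic, and `hmac.compare_digest` avoids leaking the MAC through timing differences.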
To be clear, Google is not at fault here; the vulnerability lies in Samsung’s implementation. However, it’s not inconceivable that other handset manufacturers may introduce similar vulnerabilities. And while a denial of service due to a remotely configurable lock setting may be inconvenient, the potential for a total malicious wipe of a phone’s data is unsettling.