
Security Firm Discloses Details of Amazon Fire Phone Vulnerabilities

Recent Operating System Update for Amazon Fire Phone Patches Security Bugs

The operating system update released in May by Amazon for its Fire Phone resolves three vulnerabilities discovered by researchers at information security consultancy MWR InfoSecurity.

Launched in June 2014, the Amazon Fire Phone is powered by an Android-based operating system called Fire OS. Amazon updated Fire OS to version 4.6.1, which is based on Android 4.4 KitKat, in early May. In addition to several new and enhanced features, Fire OS 4.6.1 fixes dozens of bugs.

The changelog published by Amazon doesn’t contain any information on these bugs, but advisories released by MWR detail three flaws which, according to the security firm, have been fixed in Fire OS 4.6.1.

One of the vulnerabilities identified by experts exists in the CertInstaller package. By modifying the standard Android CertInstaller package, Amazon introduced a flaw that allowed third-party applications to install digital certificates without user interaction. Malicious actors could leverage the installed certificates to intercept encrypted traffic via man-in-the-middle (MitM) attacks.

Researchers also discovered that the CertInstaller package was plagued by a second flaw, caused by the incorrect usage of User ID validation functions. This, too, allowed malicious apps to install digital certificates on Amazon Fire Phones.

Another vulnerability detailed by MWR is related to Android Debug Bridge (ADB), a tool used to access functionality and data on a device during development and debugging.

Google added a secure USB debugging feature to Android with the release of version 4.2.2. Fire OS, however, did not include the secure USB debugging feature, allowing an attacker to gain ADB access to devices that had USB debugging enabled. According to MWR, an attacker could exploit the bug to bypass the lock screen, install and uninstall applications, access a high-privilege shell on the phone, and steal data.

These issues were reported to Amazon on January 19. MWR published advisories detailing the security bugs last week. The company said it coordinated the public release of the advisories with Amazon.

This isn’t the first series of Amazon Fire Phone vulnerabilities identified by MWR researchers. Bernard Wagner and Kyle Riley of MWR Labs took part in the Mobile Pwn2Own competition last year and they managed to achieve remote code execution on the Amazon Fire Phone by leveraging a combination of flaws.

MWR says the vulnerabilities disclosed at Pwn2Own 2014 were patched by Amazon within a week. HP’s Zero Day Initiative, the organizer of the hacking contest, disclosed some details on the bugs back in April, and MWR provided additional details in a blog post published last week.

Amazon Fire Phone is designed to automatically download and install software updates when the device is connected to the Internet. Users can also perform software updates manually by downloading the update to a computer and transferring it to the smartphone via a USB cable.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.