One Article Review
| Source |  GoogleSec |
|---|---|
| Identifiant | 8367399 |
| Date de publication | 2023-08-08 11:59:13 (vue: 2023-08-08 18:06:35) |
| Titre | Android 14 présente les fonctionnalités de sécurité de la connectivité cellulaire en son genre Android 14 introduces first-of-its-kind cellular connectivity security features |
| Texte | Posted by Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle
Android is the first mobile operating system to introduce advanced cellular security mitigations for both consumers and enterprises. Android 14 introduces support for IT administrators to disable 2G support in their managed device fleet. Android 14 also introduces a feature that disables support for null-ciphered cellular connectivity.
Hardening network security on Android
The Android Security Model assumes that all networks are hostile to keep users safe from network packet injection, tampering, or eavesdropping on user traffic. Android does not rely on link-layer encryption to address this threat model. Instead, Android establishes that all network traffic should be end-to-end encrypted (E2EE).
When a user connects to cellular networks for their communications (data, voice, or SMS), due to the distinctive nature of cellular telephony, the link layer presents unique security and privacy challenges. False Base Stations (FBS) and Stingrays exploit weaknesses in cellular telephony standards to cause harm to users. Additionally, a smartphone cannot reliably know the legitimacy of the cellular base station before attempting to connect to it. Attackers exploit this in a number of ways, ranging from traffic interception and malware sideloading, to sophisticated dragnet surveillance.
Recognizing the far reaching implications of these attack vectors, especially for at-risk users, Android has prioritized hardening cellular telephony. We are tackling well-known insecurities such as the risk presented by 2G networks, the risk presented by null ciphers, other false base station (FBS) threats, and baseband hardening with our ecosystem partners.
2G and a history of inherent security risk
The mobile ecosystem is rapidly adopting 5G, the latest wireless standard for mobile, and many carriers have started to turn down 2G service. In the United States, for example, most major carriers have shut down 2G networks. However, all existing mobile devices still have support for 2G. As a result, when available, any mobile device will connect to a 2G network. This occurs automatically when 2G is the only network available, but this can also be remotely triggered in a malicious attack, silently inducing devices to downgrade to 2G-only connectivity and thus, ignoring any non-2G network. This behavior happens regardless of whether local operators have already sunset their 2G infrastructure.
2G networks, first implemented in 1991, do not provide the same level of security as subsequent mobile generat |
| Envoyé | Oui |
| Condensat | 1991 200+ 2010 2022 3gpp 3rd Alex Alexon GreenWalt Gukier Jayachandran Robert Stanetsky Thomgraveov Towtene ability able abstraction academic access according acknowledged acm actively activity add additionally address administrators adopt adopted adopting advanced against agencies air alignment all allegedly allowing alongside already also although always android any are aspire assumes attack attackers attacks attempting audit authentication automatically available bar base baseband based been before behavior being believing benefits bluetooth bodies both breaches broader but calls can cannot capabilities carefully carriers catchers cause cellular challenges cipher ciphered ciphering ciphers circuit colleagues combined commercial common communication communications complex compliance comprehensive concept conference configure conform connect connection connections connectivity connects consumers continue continues continuing control controlled controls could critical curb customers data decides decryption defense demonstrated depth designed detailed develop development device devices disable disables disabling discussing distinctive does down downgrade downgraded downgrading dragnet due e2ee eavesdropping ecosystem efforts efforts: emergency employees enable enables enabling encrypted encryption end ensure ensuring enterprise enterprises especially establishes evaluate even events example excited existing expect exploit explore expose exposes false far fasg fbs fbss feasibility feature features first fleet forward fraud from fully functionality funded future generation generations global goal google government grant greatly group groups gsm gsma hal happens harden hardening hardware harm has have herle high highlighted history hostile how however hundreds identified identify identity ignoring impact impacted implemented implications improve improvement imsi includes including inducing industry infrastructure inherent initiative inject injection insecurities instead institutions instrumental intellectual interception internal introduce introduces involved its journalist journey jover keep keeping kind know known lack last latest launched layer leading legitimacy level leveraged likely link local locations logging logs long look major making malicious malware managed management managing many middle mitigating mitigations mobile model modem modern more moreover most multiple mutual nasser nataliya nature necessary network networks new next non not notably now null number obscure obsolete occurs oems off one only openness operating operators opportunities option organization other outcome over packet part participate particular particularly partner partners partnership password payloads pegasus person phishing phones piqueras pixel place platform possible posted potentially powerful presented presents prioritized priority privacy problems program project proof property protect protected protection provide provides radically radio raise ranging rapidly reaching recent recognized recognizing record red regardless regularly release releases reliably rely remotely render reports require research researchers restrict result rewards risk risks robust roger sa3 safe safeguard safety same scenarios scheme security see sensitive service set should shut sideloading signaling significant silently similarly since single smartphone smartphones sms smsishing solve some sophisticated special specific standard standardization standards started starting states station stations stingray stingrays strategy strictly strong subsequent such sudhi sunset support supported supporting surveillance switched system tablets tackles tackling tampering team teams techniques telco telephony term thanks them these thousands threat threats through thus time tools top track traffic transparency traveling tremendous trick triggered trivial troubleshoot trust turn two types unauthorized unciphered unique united upcoming usage usb use used user users using vectors very visibility voice vulnerability ways weaknesses well when whether which who wifi will wireles |
| Tags | Malware Tool Threat Conference |
| Stories | |
| Notes | ★★★ |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.