Amazon patches three vulnerabilities in Fire smartphones

Two of the vulnerabilities place secure communication at risk and could allow for man-in-the-middle attacks.


Amazon has patched three vulnerabilities in the Fire smartphone which place user security and communication channels at risk.

Last week, researchers at MWR Labs released a set of security advisories detailing vulnerabilities found within Fire OS, a customized version of Google's Android mobile operating system used by the Fire Phone.

The three vulnerabilities all affect Fire OS versions below 4.6.1. The first vulnerability allows for a silent install of certificates on the Amazon Fire Phone without user knowledge or consent. Incorrect checks within the CertInstaller package, when coupled with a modified source code, can create a fertile ground for exploiting the mobile OS and allowing a man-in-the-middle (MITM) attack to occur, therefore compromising encrypted traffic.

However, as the researchers point out, a notification is still sent to the user when a new certificate has been installed.

"Users are advised to only install applications from trusted sources and exclusively make use of trusted networks. Users that notice any notifications regarding "Certificate Installed" should immediately remove the certificate and uninstall any possibly malicious applications that were recently added," the security advisory (.PDF) says.

The second vulnerability (.PDF) concerns the failure to properly check the device's unique identifier (UID), which is a numeric string used to identify devices and interact with external systems for installs and updates.

The third and final vulnerability (.PDF) relates to a lack of secure USB debugging. As Fire Phone users were not prompted to accept new hosts and it was possible to connect to a device via Android Debug Bridge (adb) even when a device is locked, cyberattackers could potentially exploit the vulnerability through the lack of secure USB debugging enforcement. As a result, an attacker could install or uninstall applications, bypass the lock screen and steal data.

The vulnerabilities were reported to the retail giant on 19 January 2015. In response to the security advisories, Amazon has patched the issues in the latest update, Fire OS 4.6.1, which was released in May. Users running older versions of the mobile operating system should update their devices immediately to protect themselves from these vulnerabilities.

Read on: Top picks