The Hack Is Coming From Inside The House
In the past we have seen questionable software pre-installed by the manufacturer which has led to unnecessary vulnerabilities, Superfish being a prime example. In most cases the software was not specifically designed to be malware; it just turned out to be insecure and rendered products vulnerable to attack. Recent research by Trend Micro has revealed that many low-cost Android devices don’t just ship with manufacturer-installed software that accidentally opens up vulnerabilities: they come with purposefully designed malware installed.
The Android malware, if you can call it that, is included within the firmware, and companies are unwittingly exposing their customers to attacks. It turns out that the cost of purchasing firmware to run a device on has plummeted, to the point where reputable developers who charged money for their firmware were driven out of business by predatory developers who charged little or nothing for theirs. The problem is, as an old Sci-Fi writer once put it, TANSTAAFL.
The free firmware comes with rather questionable and completely undisclosed plug-ins, which is where the developers actually make their money. One example mentioned in the article at The Register is the ability to ‘rent’ a device for five minutes by paying the company that provided the firmware a certain amount of money. In that five-minute period the keystrokes, geographical location, IP address and data on the device can be harvested, without the user having any idea it is happening.
While Samsung and Google devices use firmware developed in house, any lower-cost knockoffs could well have that sort of Android vulnerability baked in. It is also likely that the vast majority of IoT devices have firmware with these vulnerabilities, and since the problem is baked right into the firmware, it is not something that can be patched.