Current threats to mobile, SCADA, and IoT addressed by Redwall Technologies

Current threat activity

Devices featuring Redwall Technologies are always safer than other devices from the seemingly endless stream of threats against mobile, IoT, and other devices. We monitor the Common Vulnerabilities and Exposures (CVE) lists as well as developer sites, mailing lists, Android rooting sites, and hacker sites. We frequently download the exploit code and test it in our secure lab. In this section, we highlight a few of the most recent active threats so that users of Redwall-enabled devices may be assured they are not at risk, and users of other devices can take the appropriate steps to protect themselves immediately.

Massive update from Google leaves some holes open, Redwall closes them
Google posted several fixes in its latest security bulletin, and Samsung has already picked up many of them. HTC devices, despite one vendor's boast that it brings assurance to those devices, remain critically unpatched, with that security solution apparently helpless against the exploits. Newer Nougat devices also appear to be going unpatched by all major vendors.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)


The exploits, detailed in the National Cyber Awareness System notice SB17-044 (Vulnerability Summary for the Week of February 6, 2017), allow a local attacker to gain elevated capabilities, among other serious conditions. An elevation of privilege vulnerability in the HTC touchscreen driver is neutralized by Redwall, but competing solutions seem to leave the device exposed.

Fortunately for users of any device with Redwall, including Samsung devices, no special considerations are required. Redwall's security monitor detects and thwarts all attempts to gain privileges or access private data. Redwall also trivially blocks the portion of various malware which does not require elevated privileges, and so no threat exists. We always recommend applying the latest updates for almost any system, so users should immediately check their carrier's or device manufacturer's site for information and download any updates. If you are not sure whether your device has Redwall enabled, contact your carrier, plan provider, or IT admin and ask for Redwall to be enabled. No update or special action of any kind is required for Redwall devices.
Redwall devices once again safe from recent privilege escalation vulnerabilities
A new set of vulnerabilities allows attackers to gain root (superuser) privileges on your phone, and additional weaknesses specific to Samsung phones allow attackers to reset or crash your device remotely.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)


The critical vulnerabilities include two in Broadcom's Wi-Fi driver (CVE-2014-9909 and CVE-2014-9910) and two in the SpamCall Activity component of the Telecom application on Samsung Note devices (CVE-2016-6526 and CVE-2016-6527). Additional weaknesses in the Android bootloader and Audioserver (CVE-2016-8467 and CVE-2017-0398) are more difficult to exploit, but also allow attackers to elevate or alter their privilege level.

Fortunately for users of devices with Redwall, including Samsung devices with Redwall Mobile, no special considerations are required. Redwall's security monitor detects and thwarts all attempts to gain privileges or access private data. Redwall also trivially blocks the portion of various malware which does not require elevated privileges, and so no threat exists. No update or special action of any kind is required for Redwall devices.
Redwall devices safe from the 95 recently patched Android vulnerabilities
2017 is off to a banner start for Android, as Google patches 95 security vulnerabilities. Yet again, none of these were able to compromise even an unpatched device with Redwall Mobile.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)


Android's first security bulletin of 2017 fixes everything from denial of service conditions to flaws in Qualcomm's bootloader. Twenty-two of these are serious flaws, including a critical privilege escalation flaw. Both the volume and the pace of these flaws keep growing, so Redwall always encourages users of non-Redwall devices to apply all patches immediately.

Fortunately for users of devices with Redwall, including the Nexus devices with Redwall Mobile, no special considerations are required. Redwall's security monitor detects and thwarts all attempts to gain privileges or access private data. Redwall also trivially blocks the portion of various malware which does not require elevated privileges, and so no threat exists. No update or special action of any kind is required for Redwall devices.
Redwall devices safe from QuadRooter and 157 other recent Android vulnerabilities
In November and December 2016, Google patched 157 Android vulnerabilities. Yet again, none of these were able to compromise a device with Redwall Mobile.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)


Google issued two emergency patch sets in December, the 2016-12-01 and 2016-12-05 security patch levels. They attempt to fix everything from remote code execution flaws (e.g., CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421) to denial of service vulnerabilities. Together they close seventy-four vulnerabilities.

That's the bad news. The good news is that last month's patches, the 2016-11-05 and 2016-11-06 patch levels, attempted to close eighty-three Android flaws, so at least December was a better month for Android users, albeit not by much.

Fortunately for users of devices with Redwall, no special considerations are required, as the security monitor detects and thwarts all attempts to gain privileges or access private data. Redwall also trivially blocks the portion of various malware which does not require elevated privileges, and so no threat exists; it has been proven completely effective against QuadRooter and related malware. No update or special action of any kind is required for Redwall devices.
Redwall devices immune to HummingBad
Security researchers have published information on HummingBad, a new drive-by download attack targeting Android devices. As has been the case to date with Android malware, devices with Redwall Mobile are immune.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (medium)
   Other phones with built-in security (high)

According to a report from Check Point, a Chinese group called YingMob is cashing in by infecting Android devices after they visit a Web site modified to deliver malware. The malware gains root privileges on the device, or tricks the user into granting it system privileges. The attacks seem to be more prevalent in China and India, and for now seem to be more about revenue generation than data theft.

The good news for Android users is that because this malware partly operates at the app level by installing a service, many malware scanners can detect the threat after the infection. The attack does not yet seem sophisticated enough to use its elevated privileges to fool anti-virus apps. Still, users should immediately apply all system updates in case the device manufacturer has addressed the underlying exploit leveraged on their device. Users should also take care not to blindly grant applications system privileges.

Fortunately for users of devices with Redwall, no special considerations are required, as the security monitor detects and thwarts all attempts to gain privileges or access private data. Redwall also trivially blocks the portion of HummingBad which does not require elevated privileges, and so no threat exists. No update or special action of any kind is required for Redwall devices.
Not a good month for Android - 33 new bugs, but Redwall devices still completely safe
This section typically outlines a new defect in Android, but this time around there are too many to describe in detail; thirty-three to be exact. Fortunately none of these have any effect on Redwall Mobile devices.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)


A range of new defects this month allowing attackers to gain privileges or access to data in Android are causing frantic updates throughout enterprises. In most cases, the exploits are delivered via a crafted application. New vulnerabilities include:

CVE-2016-2463, CVE-2016-2464, CVE-2016-2465, CVE-2016-2466, CVE-2016-2467, CVE-2016-2468, CVE-2016-2469, CVE-2016-2470, CVE-2016-2471, CVE-2016-2472, CVE-2016-2473, CVE-2016-2474, CVE-2016-2476, CVE-2016-2477, CVE-2016-2478, CVE-2016-2479, CVE-2016-2480, CVE-2016-2481, CVE-2016-2482, CVE-2016-2483, CVE-2016-2484, CVE-2016-2485, CVE-2016-2486, CVE-2016-2487, CVE-2016-2488, CVE-2016-2489, CVE-2016-2490, CVE-2016-2491, CVE-2016-2492, CVE-2016-2493, CVE-2016-2494, CVE-2016-2495, CVE-2016-2496

Given the widespread nature of the flaws, many devices may never be patched; however, most vendors are working on or have completed updates to close these new weaknesses. Non-Redwall users should check for and apply all firmware updates to all their devices with all dispatch, and monitor US-CERT Cyber Security Bulletins at https://www.us-cert.gov.

Fortunately for users of devices with Redwall, no special considerations are required, as the security monitor detects and thwarts all attempts to gain privileges or access private data, even if a trusted, signed application or driver attempts these exploits. No update or special action of any kind is required for Redwall devices.
Android falls prey to another TrustZone attack - Redwall keys still safe
Researchers have found another way to break through the TrustZone barrier on which so many security packages depend. Attackers can access memory that is supposed to be "secure" and use that access to attack nearly any app or leak sensitive information such as encryption keys.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)


CVE-2015-6639 describes a bug that allows an application to leverage the Qualcomm Secure Execution Environment Communicator (QSEECOM) to execute code inside the privileged TrustZone environment. TrustZone is supposed to strongly separate "Normal World" apps and data from "Secure World" apps and data. This weakness in the separation mechanism has broad-reaching attack possibilities, and means that the "Secure World" is no longer "Secure."

Fortunately for users of devices with Redwall, even TrustZone is untrusted by Redwall Mobile's security monitor. No special considerations are required, as the cryptographic keys are not stored in TrustZone, and Redwall's cryptographic module does not trust TrustZone, nor any APIs such as Knox which depend on TrustZone for their security.

Given the nature of the flaw, many devices may never be patched. As of the time of this posting, a fix is not yet available, and it may never be. Non-Redwall users should take care not to depend on TrustZone alone for the security of their data.
Google releases another urgent patch, Redwall devices do not need it
After first dismissing a Linux kernel bug, Google took a closer look and decided it needed to issue an emergency patch. The bug allows an attacker to corrupt kernel memory, but Redwall Mobile blocks the underlying mechanism attackers would use to gain additional privileges or cause crashes.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)


CVE-2015-1805 describes a bug in the Linux kernel's pipe_read() and pipe_write() functions which leads to memory corruption when the __copy_to_user_inatomic() and __copy_from_user_inatomic() calls inside those functions fail partway through a copy: the partially completed copy is not accounted for, so the retry overruns the I/O vector array. A local attacker may be able to crash the device or gain root privileges.

As is typical, Redwall Mobile users who enable root detection and kernel integrity checking are not susceptible to exploits for CVE-2015-1805. Although no immediate action is required for Redwall Mobile users, Redwall still recommends applying all updates as a matter of common best practice.

Google's Play Store defenses have been updated to attempt to detect this exploit; however, recent malware appearing on the Play Store shows that this system is not a guarantee of safety. Furthermore, many apps self-update internal libraries and find other ways to execute such exploits. Nevertheless, Redwall always recommends installing apps only from trusted sources.

Non-Redwall users should pick up the patch scheduled for the start of April, and be sure their device is running Linux kernel version 3.18 or higher.
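The two things the advice above (and the update advice throughout this page) turns on are the device's security patch level and its kernel version. As an added example, not Redwall's code and not taken from Google's advisory, the POSIX shell functions below compare the ro.build.version.security_patch property (a YYYY-MM-DD string) against the patch level a bulletin requires, and the kernel version reported by uname -r against a minimum such as 3.18. The sample values at the bottom are constructed; on a real device they would come from adb shell getprop ro.build.version.security_patch and adb shell uname -r. The function names and the required patch level 2016-12-05 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not Redwall's code: compare an Android device's reported
# security patch level and kernel version against a required baseline.
# Sample values below are constructed; on a device they would come from
#   adb shell getprop ro.build.version.security_patch   (e.g. 2016-12-05)
#   adb shell uname -r                                  (e.g. 3.10.49-g1234abc)

# patch_level_ok REQUIRED HAVE
# Returns 0 if HAVE (YYYY-MM-DD) is on or after REQUIRED, 1 if behind,
# 2 if either value is missing or malformed (treat as unknown, not as safe).
patch_level_ok() {
    required=$(printf '%s' "$1" | tr -d '-')
    have=$(printf '%s' "$2" | tr -d '-')
    for v in "$required" "$have"; do
        case "$v" in
            *[!0-9]*|'') return 2 ;;
        esac
    done
    [ "$have" -ge "$required" ]
}

# kernel_at_least MAJOR MINOR UNAME_R
# Returns 0 if the kernel in UNAME_R is >= MAJOR.MINOR, 1 if older,
# 2 if the string does not start with a numeric version.
kernel_at_least() {
    want_major=$1
    want_minor=$2
    ver=${3%%-*}          # strip the local suffix: "3.10.49-g1234abc" -> "3.10.49"
    major=${ver%%.*}      # "3"
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;   # "10.49" -> "10"
        *)   minor=0 ;;                              # bare "3" means 3.0
    esac
    for v in "$major" "$minor"; do
        case "$v" in
            *[!0-9]*|'') return 2 ;;
        esac
    done
    [ "$major" -gt "$want_major" ] ||
        { [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; }
}

# Stand-alone demonstration: $1 = patch level, $2 = uname -r, $3 = required level.
check_device() {
    if patch_level_ok "$3" "$1"; then
        echo "patch level $1: at or beyond $3"
    else
        echo "patch level $1: BEHIND $3 (or unreadable), apply vendor updates"
    fi
    if kernel_at_least 3 18 "$2"; then
        echo "kernel $2: 3.18 or newer, not affected by CVE-2015-1805 per Google's advisory"
    else
        echo "kernel $2: older than 3.18, CVE-2015-1805 fix must be backported by the vendor"
    fi
}

# Constructed sample devices.
check_device "2016-11-06" "3.10.49-g1234abc" "2016-12-05"
check_device "2017-01-05" "3.18.31-perf+"   "2016-12-05"
```

One caveat a practitioner should keep in mind: Android vendors routinely backport fixes into 3.4, 3.10 and 3.14 kernels without changing the version string, so an "older than 3.18" result means the fix is not guaranteed, not that the device is necessarily vulnerable. The security patch level is the better indicator of whether a bulletin's fixes are present, and a missing or malformed property is reported as unknown (return code 2) rather than as safe.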
Google patches more remote execution flaws (again)
Overview: Google has released another set of patches for media player and server related bugs in Android. Not all device manufacturers have picked up the patches, so be sure to apply updates as they come in (unless your device has Redwall, in which case you're already safe).

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)

Google released 16 patches for Android, including another one for Mediaserver which closes a critical remote code execution vulnerability. Nexus devices should already have received the OTA update, and other device manufacturers are slowly pushing the update out.

Critical Vulnerabilities:
  • Remote Code Execution Vulnerability in Mediaserver CVE-2016-0815, CVE-2016-0816
  • Remote Code Execution Vulnerability in libvpx CVE-2016-1621
  • Elevation of Privilege in Conscrypt CVE-2016-0818
  • Elevation of Privilege Vulnerability in the Qualcomm Performance Component CVE-2016-0819
  • Elevation of Privilege Vulnerability in MediaTek Wi-Fi Driver CVE-2016-0820
  • Elevation of Privilege Vulnerability in Keyring Component CVE-2016-0728

High-risk Vulnerabilities:
  • Mitigation Bypass Vulnerability in the Kernel CVE-2016-0821
  • Elevation of Privilege in MediaTek Connectivity Driver CVE-2016-0822
  • Information Disclosure Vulnerability in Kernel CVE-2016-0823
  • Information Disclosure Vulnerability in libstagefright CVE-2016-0824
  • Information Disclosure Vulnerability in Widevine CVE-2016-0825
  • Elevation of Privilege Vulnerability in Mediaserver CVE-2016-0826, CVE-2016-0827
  • Information Disclosure Vulnerability in Mediaserver CVE-2016-0828, CVE-2016-0829
  • Remote Denial of Service Vulnerability in Bluetooth CVE-2016-0830

Moderate-risk Vulnerabilities:
  • Information Disclosure Vulnerability in Telephony CVE-2016-0831
  • Elevation of Privilege Vulnerability in Setup Wizard CVE-2016-0832

Once again Redwall devices are unaffected by a batch of flaws in Android; however, we still recommend updating regularly as a best practice.
Samsung Driver Update Tool allows takeover
Overview: Samsung Update is a Windows tool that was communicating unencrypted over the Internet, allowing a man-in-the-middle attack that could take over your Samsung PC.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (low)
   Other phones with built-in security (low)

Redwall is fielding a lot of questions on this one, so we wanted to address it even though it is not a classic mobile or IoT vulnerability. Samsung is more commonly associated with smartphones and TVs these days, but it also offers an update tool in the form of a Windows app in which you enter your Samsung login and then stay up to date on software updates from the company for your Samsung devices. The app has had a series of weaknesses, and Samsung has recently closed the latest one, which allowed an attacker to deliver false updates that could include further exploits and malware. Users should update from a machine other than the one with the app, and may want to consider re-imaging their system.
Google patches another five critical weaknesses, Redwall safe again
Overview: Google patches another ten Android security holes in its most recent bulletin, five of which were marked as critical.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)

The list of critical vulnerabilities included:

  • Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver (CVE-2016-0801, CVE-2016-0802)
  • Remote Code Execution Vulnerability in Mediaserver (CVE-2016-0803, CVE-2016-0804)
  • Elevation of Privilege vulnerability in Qualcomm Performance Module (CVE-2016-0805)
  • Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver (CVE-2016-0806)
  • Elevation of Privilege Vulnerability in the Debugger Daemon (CVE-2016-0807)

Several other high and moderate severity bugs were also finally addressed:

  • Denial of Service Vulnerability in Minikin (CVE-2016-0808)
  • Elevation of Privilege Vulnerability in Wi-Fi (CVE-2016-0809)
  • Elevation of Privilege Vulnerability in Mediaserver (CVE-2016-0810)
  • Information Disclosure Vulnerability in libmediaplayerservice (CVE-2016-0811)
  • Elevation of Privilege Vulnerability in Setup Wizard (CVE-2016-0812, CVE-2016-0813)

Redwall Mobile stops the underlying exploits that can take advantage of these weaknesses by preventing the installation of rogue apps and stopping the privilege escalation attempts.

Users without Redwall are urged to immediately update their Nexus devices. LG and Samsung have also promised to start providing more timely and regular patches, and users of those devices should ensure they are running the latest versions with all updates applied.
LG and Samsung issue emergency fixes for critical exploits - none needed for Redwall
Overview: Samsung's January 2016 SMR includes fixes for bugs that allow access to messages from SecEmail, arbitrary code execution, memory corruption, and many more. LG's update addresses issues that can steal private information from the device, such as photos, stored files, WhatsApp data, and more, through use of the smart notification app.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)

LG has already released a security update for some of its latest smartphones to resolve the severe vulnerability. Samsung has also released a maintenance update for its major Android flagship Galaxy models to resolve 16 vulnerabilities in these devices, many of them critical.

Users of LG and Samsung devices not running Redwall Mobile should immediately update their devices. Given the steady stream of vulnerabilities to these devices, that's sound advice at any time.
Redwall devices safe from Kingroot
Overview: The Kingroot one-click rooting APK was updated to include devices like the Samsung Galaxy S6 and Note 3 without tripping the Knox warranty fuse. This is in addition to the thousands of devices it can already root. Kingroot is not a single exploit: it sends data about your phone to a server, and the server returns all the potentially applicable exploits, which are then applied automatically. Because of this approach, it has a very high success rate (claims of 92%). Internally, we also found Kingroot to work on devices running Security Enhancements (SE) for Android with strict custom policies.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)

Kingroot was not able to root any device running Redwall Mobile. As with other zero-day exploits, Redwall Mobile did not require modifications or patches to defeat the attack. Vendors delivering systems running Redwall Mobile do not need to issue a single security update for any of these exploits, since their devices are protected by Redwall Mobile's unique root detection and prevention.
Redwall safe from Android keyring vulnerability
Overview: A flaw in the keyring facility built into Linux systems (including Android) allows malicious apps or users to gain root privileges and take control of the system.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)


Disclosed as CVE-2016-0728, the flaw is in the keyring facility (the keyctl interface) built into Android's underlying Linux kernel. The keyring holds cryptographic keys, certificates, and authentication tokens in kernel memory and makes them available to processes. The flaw is a reference-count leak in the handling of session keyrings that can be turned into a use-after-free, giving a local app root privileges.

We have tried the published exploit code, and Redwall's privilege escalation protection feature stops the exploit. Note that the exploit does not work on all Android devices, because not all of their kernels are built with the Linux keyring facility (CONFIG_KEYS) enabled. Popular devices certainly are, however, so there is a danger. Please keep your eye out for updates if you are not carrying a device with Redwall Mobile.
Redwall devices are safe from Towelroot
Overview: Towelroot (the name refers to the app and often to the underlying futex bug, CVE-2014-3153) is used to root Samsung devices running SE Android and Knox. Both layers of security were ineffective against the threat. Once your device is rooted, malicious apps can read your email, listen to ambient audio, or introduce ransomware to your device.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)

Redwall Mobile stops the underlying exploit, rendering Towelroot completely ineffective on Samsung devices running Redwall.

Users without Redwall are urged to immediately update their Samsung devices, as some systems have updates to address the bug that enables Towelroot to root the device. Redwall has found that Lollipop and Marshmallow Samsung devices appear to be safe from the exploit, though certainly not from many others, so please continue to update.
Stagefright exploits cannot gain privileges on Redwall Mobile devices
Overview: The Stagefright bug is really a suite of flaws that allow attackers to perform arbitrary privileged operations on your device by sending you specially crafted media files. Fortunately, the privilege escalation used by these exploits does not work on devices with Redwall Mobile.

Threat level when using:
   Redwall (safe!)
   MDMs/Containers (high)
   Other phones with built-in security (high)

Redwall successfully stops the Stagefright exploit, which abuses a bug that lives fairly deep inside the Android operating system itself and can attack devices without the user even being aware that anything has happened. By contrast, Google, Samsung, LG, and others needed to issue emergency security updates. Several specialized phones touted as "secure smartphones" with custom operating systems also required patches for Stagefright and many other security flaws. Delivering those patches was complicated when devices were not on the Internet or not using the vendor's and carrier's update mechanisms (ironically, for security reasons in most cases), and so patches still go undelivered for many users.
Please note that Redwall does not disclose new security vulnerabilities on our Web site, nor do we offer instructions or links related to hacking specific devices. All data here is from public sources available online. Devices featuring Redwall Technologies are always safer than other devices; however, no cyber-security panacea exists in theory or in reality. As such we do our best to highlight threats that are applicable to our current and future customers and partners, even when they are outside the subsystems Redwall protects. Such disclosures are typically private, however, and we always ask that customers contact us with questions, even when they may have nothing to do with Redwall: our expertise is always at your disposal.
Did you know...

  • Redwall Mobile does not depend on any third-party libraries nor any special features such as TrustZone.
  • Redwall Mobile offers performance benefits over virtualization, and a stronger security model than traditional hypervisors.
  • Redwall Mobile policies control access to networks, files, peripherals, services, apps, and any resource.
  • Redwall Mobile security policies are simple to create, and can be edited using the policy server or with any JSON editing tool.
  • Redwall works with industry partners to offer a variety of 8(a) contract vehicles.