Google unveils stronger cellular security for Android 14
Google has revealed new cellular security mitigations that will be available for users and enterprises on its soon-to-be-released Android 14, and announced a new release schedule for Chrome Stable channel updates.
Boosting network security on Android 14
Even though 2G service has been shut down by most major network carriers, many devices are still able to connect to dwindling 2G cellular networks.
“This occurs automatically when 2G is the only network available, but this can also be remotely triggered in a malicious attack, silently inducing devices to downgrade to 2G-only connectivity and thus, ignoring any non-2G network,” Google noted.
Such capability can make devices susceptible to various types of attacks, including Stingray attacks.
“Stingrays are obscure yet very powerful surveillance and interception tools that have been leveraged in multiple scenarios, ranging from potentially sideloading Pegasus malware into journalist phones to a sophisticated phishing scheme that allegedly impacted hundreds of thousands of users with a single [false base station],” Google explained.
“This Stingray-based fraud attack, which likely downgraded device’s connections to 2G to inject SMSishing payloads, has highlighted the risks of 2G connectivity.”
With Android 14 set to be released soon, Google will enable IT administrators and users to disable 2G support on managed and personal devices, respectively.
For additional cellular security, Google announced an option that allows users to disable support for cellular null ciphers, which are still commonly used by commercial networks and can expose user voice and SMS traffic to interception.
“Some commercial Stingrays provide functionality to trick devices into believing ciphering is not supported by the network, thus downgrading the connection to a null cipher and enabling traffic interception,” the company added.
The option to disable support for cellular null ciphers will be available on devices that adopt the latest radio hardware abstraction layer (HAL). Users will still be able to make emergency calls over an unciphered connection.
Speeding up Chrome security updates
Because Chromium is an open-source project, its source code is available for anyone to review and to submit changes to. While this openness is useful (testing fixes, discovering bugs), it can also help threat actors create exploits that could harm users who haven’t yet received the patched version.
With the introduction of Chrome 116, Stable channel updates will be available to users on a weekly basis.
“Chrome began releasing Stable channel updates every two weeks in 2020, with Chrome 77, as a way to help reduce the patch gap. Before Chrome 77, our patch gap averaged 35 days. Since moving to the biweekly release cadence, the patch gap has been reduced to around 15 days. The switch to weekly updates allows us to ship security fixes even faster, and further reduce the patch gap,” noted Amy Ressler, senior technical program manager at Chrome Security Team.
This way, security fixes will be shipped 3.5 days sooner, helping to reduce n-day attacks.
Users simply have to watch for notifications on their desktops or mobile devices announcing an available Chrome update, and promptly run the update.