Amazon douses Fire phone man-in-the-middle diddle
Fire owners (both of you) should patch sooner rather than later
MWR Labs researcher Bernard Wagner has reported three flaws in Amazon's Fire phone that could allow apps to facilitate man-in-the-middle attacks.
Wagner says two Certinstaller (the CertInstaller tool enables the installation of certificates via various file formats) flaws allow apps to install certificates such that the large number of apps that do not use certificate pinning are open to traffic interception.
A third meant secure ADB debugging was accidentally dropped (PDF) in a vulnerability considerably less risky than those affecting certificates.
Users can nix the ability for attackers to exploit the latter flaw and install malicious apps from a connected computer by turning off ADB debugging.
"The CertInstaller package on the Amazon Fire Phone allows applications to install certificates without interaction with the user," Wagner says.
"If the vulnerability was to be successfully exploited, all encrypted traffic that does not make use of certificate pinning could be intercepted in a man-in-the-middle attack.
"Users are advised to only install applications from trusted sources and exclusively make use of trusted networks."
Wagner says un-patched users should move only if 'Certificate Installed' notifications appear, and should immediately remove the certificate and uninstall any possibly malicious applications that were recently added.
It took Amazon five months to patch the flaw under FireOS 4.6.1 after it was first notified on 19 January.
Wagner issued technical details of the flaw in an advisory you can read in this lovely PDF. ®