Privilege Escalation Vulnerability Found in Honeywell Android Computers

A total of 17 Honeywell handheld computers were recently found vulnerable to a privilege escalation bug that could enable attackers to fully compromise the device and its stored data.

The remotely exploitable vulnerability (CVE-2018-14825) has been tagged as “Improper Privilege Management,” and exploitation involves a tampered third-party app that elevates privileges once installed on the device. Affected devices include the CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series, all running Android distributions ranging from Android 4.4 to Android 8.1.

“A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges,” reads the advisory. “This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents.”

Honeywell has already released a security update and encourages all affected users to download and install it immediately. Other security recommendations include whitelisting applications, avoiding apps from untrusted app stores, placing affected devices behind firewalls, and making sure that remote access is enforced via VPNs.

“Honeywell has released software updates that resolve this vulnerability,” reads the advisory. “Honeywell always recommends the whitelisting of trusted applications to limit risk from malicious apps being installed on the device.

The vulnerability was reported by Google’s Android team, and a Honeywell spokesperson confirmed that it only affected their products and not the bulk of Android-running devices.  Rated as “high severity” due to a CVSS score of 7.6, even several CERTs have issued a warning in their respective countries.

“Honeywell has identified a potential vulnerability on select versions of our rugged mobile computers and issued a software patch to update these devices.” said Honeywell spokesperson, Eric Krantz, via email.

Leave a Reply