
2019 Smartphone System Embedded Software Cyber Security Sampling Inspection

To protect consumer rights, the National Communications Committee (NCC) began a sampling inspection trial on the cybersecurity of mobile phones on the market in 2019, commissioning the Taiwan Accreditation Foundation-approved Telecom Technology Center to test ten different top-selling smartphone models during the first quarter of 2019. Relevant tests were selected according to the "Technical Specifications for Smart Phone System Embedded Software Cyber Security Testing" announced by the NCC (no longer applicable since February 23, 2022) to confirm that the embedded software in tested phones did not show signs of the following:

  • Not encrypting sensitive information (such as personal information) or not saving it in protected areas within the operating system
  • Not encrypting sensitive information during wireless transmission
  • Session ID of embedded software is subject to replay attack
  • Not using secure encryption algorithms for transmissions with paid service servers
  • Accessing user accounts linked to the device without verifying user identity and permission when accessing for the first time
  • Embedded software is unable to handle SQL injection attack strings
  • Embedded software is unable to handle XML external entity attack strings
  • Embedded software saving accounts, passwords, and keys used to communicate with the server as plaintext within the executable file
  • Embedded software enables unnecessary permissions by default or system enables unnecessary network connection ports by default
  • Using plaintext when transmitting during system update

The NCC announced the sampling inspection results on May 8, 2020 (press release: https://www.ncc.gov.tw/chinese/news_detail.aspx?site_content_sn=8&sn_f=43108). Following a first test, improvements, and re-tests, nine out of the ten phones passed the test, and one completed improvement a week after the results were published. The results were as follows:

  • Passed after first test: Apple iPhone XR
  • Passed after first retest (after a two-month improvement period): HTC U12, Samsung Galaxy A7 2018, Nokia 8.1, Sony Xperia L2, Asus Zenfone Max M1, Sugar P1, and Huawei Y9 2019
  • Passed after second retest: Oppo AX5
  • Improved after result announcement: Redmi Note 6 Pro

The results indicate that the versions of the aforementioned phones’ embedded software, such as the operating system, met test requirements at the time of testing. Because cybersecurity incidents are abundant and hacking methods are constantly changing, manufacturers must still make improvements as soon as possible if the embedded software in phones that passed the sampling inspection is found to have cybersecurity loopholes or risks. Additionally, the cyber security risks of mobile phones also include self-installed mobile applications and user habits, so the public must maintain cyber security risk awareness and vigilance, choose trustworthy phones, and maintain the "three don’ts and five dos" habits:

  • Three don’ts:
    • Don’t forcibly acquire administrator permission
    • Don’t browse suspicious websites
    • Don’t connect to suspicious Wi-Fi
  • Five dos:
    • Regularly update passwords
    • Update software and backup data
    • Close Wi-Fi/Bluetooth interfaces when not in use
    • Activate encryption protection when connecting to Wi-Fi
    • Delete sensitive information before discarding phone

In the future, the NCC will continue to work with the Executive Yuan’s Consumer Protection Committee and Department of Cyber Security to conduct yearly embedded software sampling inspections on the year’s top ten mobile phone brands, Chinese brands, and generic Chinese brands and jointly announce results. Suppliers or manufacturers of phones with test results that do not meet standards will be requested to undertake corrective action according to the Consumer Protection Act in order to raise consumers’ cyber security awareness, while public discussion generated by the announced test results will encourage smartphone manufacturers to take the cyber security of embedded software seriously.
 
