2020 Smartphone System Embedded Software Cyber Security Sampling Inspection
To encourage smartphone manufacturers to take the cyber security of embedded software more seriously and to protect consumer rights, the National Communications Commission (NCC) continued its sampling inspection of the cyber security of mobile phones on the market in 2020. It commissioned the Telecom Technology Center Info-Com Security Testing Laboratory, accredited by the Taiwan Accreditation Foundation, to conduct system embedded software cyber security tests between the second half of 2020 and the first quarter of 2021 on 10 smartphone models that sold well in the first half of 2020 and had not received cyber security certification, three models sold under telecommunications providers' own brands, and two models under Chinese brands. The test items focused on the required personal information protection and encryption mechanisms of applications, software, and communication protocols. Ten basic tests were selected from across the levels of the "Regulations for Smartphone System Embedded Software Cyber Security Testing" announced in July 2020, including the following:
- Embedded software should store accounts, passwords, and keys encrypted, in protected areas of the operating system.
- Embedded software should protect session IDs against replay attacks.
- Embedded software should use secure encryption algorithms when communicating with paid-service servers.
- Embedded software must not write sensitive information to the system log while running.
- Embedded software should obtain user consent before accessing sensitive information.
The NCC announced the sampling inspection results on July 7, 2021 (press release: https://www.ncc.gov.tw/chinese/news_detail.aspx?site_content_sn=8&cate=0&keyword=&is_history=0&pages=0&sn_f=46299). The 14 phones that passed the test were as follows:
- Passed on the first test (January 2021): Apple iPhone 11
- Passed on retest (April 2021), having failed the first test and passed after the manufacturers actively cooperated and made improvements: Sony Xperia 5, Samsung Galaxy A20, HTC Desire 19S, Asus Zenfone Max M2, Taiwan Mobile A55 and A57, Sugar C13, Redmi Note 8T, Huawei Y9 Prime 2019, Oppo A9 2020, Koobee S16, Realme XT, and Vivo Y12
The results mean only that the tested versions of these phones' embedded software (the system software and similar components) met the test requirements at the time of testing. Because cyber security incidents remain frequent and attack methods change constantly, the future safety of phones that passed the test is not guaranteed; when embedded software is updated to a newer version, the manufacturer should retest and recertify the updated parts to maintain the phone's cyber security certification level. If a vulnerability or risk is later found in the embedded software of a phone that passed the sampling inspection, the manufacturer must still fix it as soon as possible, and the public should watch for the related update and remediation information. Mobile phone cyber security risks also arise from user-installed applications and user habits, so the public must stay aware of and alert to cyber security risks, choose trustworthy phones, and keep to the "three don'ts and five dos":
- Three don'ts:
- Don't browse suspicious websites: a suspicious website may silently download software that compromises the phone, steals personal information, or violates privacy.
- Don't connect to suspicious Wi-Fi: a malicious access point can eavesdrop on the user's communications and raise the risk of leaking important information.
- Don't forcibly acquire administrator permission: using suspicious applications to gain administrator (root) permission on the phone, as in rooting or jailbreaking, can expose all personal information on it to theft.
- Five dos:
- Change passwords regularly: avoid overly simple passwords that are easy to crack.
- Keep software updated and back up data: this avoids the damage and data loss that vulnerabilities in outdated software can cause.
- Turn off Wi-Fi and Bluetooth when not in use: this reduces the chance of connections from malicious devices and lowers the risk of attack.
- Use encrypted connections when connecting to Wi-Fi: this prevents the phone's network traffic and communications from being intercepted for important information.
- Wipe sensitive information from phones no longer in use: this prevents the information from being obtained by others.
To reinforce the public's smartphone cyber security awareness and protect consumer rights, the NCC maintains a mobile phone cyber security awareness section on its official website, continuously follows international cyber security recommendations and measures for connected devices in order to adjust its testing regulations for mobile phone system embedded software on a rolling basis, and discloses to the public cyber security threats or risks that may exist in embedded software. In the future, the NCC will continue to conduct smartphone system embedded software cyber security sampling inspections within its limited administrative resources and announce the results. It will also strengthen sampling inspection of phones manufactured in high-risk regions, in order to encourage manufacturers to take the cyber security of embedded software more seriously and to protect consumer rights.