Google's Android Team Finds Serious Flaw in Honeywell Devices

Members of Google’s Android team discovered that some of Honeywell’s Android-based handheld computers are affected by a high severity privilege escalation vulnerability. The vendor has released software updates that should address the flaw.

Honeywell’s handheld computers are advertised as devices that combine the advantages provided by consumer PDAs with high-end industrial mobile computers. These rugged devices run Android or Windows operating systems and they provide a wide range of useful functions and connectivity features, including Wi-Fi, Bluetooth and compatibility with Cisco products. The devices are used worldwide in the commercial facilities, critical manufacturing, energy and healthcare sectors.Honeywell handheld computers affected by vulnerability

According to ICS-CERT, the vulnerability found by Google employees affects 17 handheld computers from Honeywell, including CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series devices running various versions of Android, from 4.4 through 8.1.

If a malicious application makes its way onto an affected device, it can allow its creators to elevate privileges on the system and gain unauthorized access to sensitive information, including keystrokes, passwords, photos, emails, and business-critical documents.

“A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges,” ICS-CERT said in its advisory.

Register for SecurityWeek’s 2018 ICS Cyber Security Conference

The flaw is tracked as CVE-2018-14825 and it has been assigned a CVSS score of 7.6, which makes it “high severity.” The national CERTs of several countries have published advisories to warn organizations about the vulnerability.

While the security hole has been found by Google’s Android team, Honeywell told SecurityWeek that the issue is specific to its products and it does not impact Android in general.

“Honeywell has identified a potential vulnerability on select versions of our rugged mobile computers and issued a software patch to update these devices.” Eric Krantz, a Honeywell spokesperson, said via email.

ICS-CERT provides a complete list of impacted devices and Android versions, along with the software releases containing a patch. In addition to applying the fixes, Honeywell has advised customers to whitelist trusted applications in an effort to limit the risk of malicious apps getting on devices.

Related: Several Flaws Patched in Honeywell Controllers

Related: Honeywell SMX Protects Industrial Sites From USB Threats

Related: Honeywell to Open Industrial Cyber Security Center Singapore

Original author: Eduard Kovacs