Kitz ADSL Broadband Information
Pages: [1] 2

Author Topic: 900 million Android phones at risk  (Read 6860 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
900 million Android phones at risk
« on: August 08, 2016, 10:35:52 PM »

http://www.bbc.co.uk/news/technology-37005226

To be fair, as long as Google roll out the fixes to all of the manufacturers, and as long as all of the manufacturers then roll out fixes to all of the phones, there'll be nothing to worry about, storm in a teacup.  :)

Alternatively, for 'as long as' substitute 'if only'.   :D
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: 900 million Android phones at risk
« Reply #1 on: August 08, 2016, 11:14:08 PM »

And that will not happen due to commercial interests  ::)

Android is Armageddon waiting to happen.
Logged

NEXUS2345

  • Reg Member
  • ***
  • Posts: 235
Re: 900 million Android phones at risk
« Reply #2 on: August 08, 2016, 11:20:52 PM »

This isn't actually an issue that Google have to fix necessarily, as it is a flaw in Qualcomm firmware as opposed to a flaw in the Android OS. Google will be responsible for rolling it out to Nexus and Android One devices however, which they will most likely do in the September Security patch, or may be implemented into Android 7.0 Nougat which is widely expected to roll out either late this month or early next month.

For the other devices listed it is the responsibility of their manufacturers to update the Qualcomm firmware. I can see the following are most likely to do it based on recent trends:
  • Blackberry
  • Google
  • HTC
  • LG
  • Samsung (they have been releasing security updates in line with Nexus devices as of late, although this is carrier dependent for most)
  • OnePlus (Two and Three only, One was being maintained by Cyanogen Inc. but the contract expired)
Logged
Security improvement and remediation consultant with infrastructure specialisation

IDNet Openreach FTTP 1000/115 + Asus RT-AX92U | Virgin Media 200 + SuperHub 3 + Synology MR2200ac mesh | Sky 80/20 with WiFi Guarantee on Huawei 288 cabinet

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: 900 million Android phones at risk
« Reply #3 on: August 08, 2016, 11:27:47 PM »

I'm perhaps a little out of touch, but is there any precedent at all for Android phone makers rolling out fixes to anything other than the very latest OS versions and handsets, regardless whether sourced by Google or chip makers?

I am assuming that a fair proportion of that 900,000,000 vulnerable devices might not be running latest version of Android, or newly purchased hardware. ;)
Logged

NEXUS2345

  • Reg Member
  • ***
  • Posts: 235
Re: 900 million Android phones at risk
« Reply #4 on: August 08, 2016, 11:59:31 PM »

As I said, the ones listed in the article are relatively recent, all released within the past year apart from the G4, Nexus 6 and a couple of others. There are other handsets that are not listed, and as such those handsets will need to be updated by their manufacturers. There is not really any business reason for them to update these devices, because as you say many of them are likely still running on older Android versions, although integration of the Qualcomm firmware is not dependent on Android version.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: 900 million Android phones at risk
« Reply #5 on: August 09, 2016, 02:16:35 AM »

Yep, I found this for Samsung, but as you said I think it is still reliant on the carrier to pass these updates through.

http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Logged
  Eric

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: 900 million Android phones at risk
« Reply #7 on: August 09, 2016, 05:20:58 PM »

The custom ROM I got on my phone, which is the CPE1 variant of TouchWiz 6.0.1 from May 2016, did originally after flashing have the option to grab Samsung security updates available and enabled. I disabled it at the time because the updates broke root access.

I checked last night to see if I could turn it back on again, grab the updates and try to fix root afterwards, but now on my phone the option has vanished haha.  Bizarre.  So my phone is patched up until May 2016 and is vulnerable to all 4 of the Qualcomm CVEs.

I have been trying to find out more about the vulnerability to see if it can be mitigated by adjusting the phone configuration, but very little information is out there.  E.g. Stagefright could be mitigated by disabling the Stagefright libraries in the build.prop file so no patch was needed.  The only advice out there is the usual vague "only download apps from the Play Store".
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: 900 million Android phones at risk
« Reply #8 on: August 09, 2016, 05:54:49 PM »

The iffy patch delivery model is the reason I could never consider an Android box. Although, actually I do own a very old Sony Android device - a music-player - which is ok because it has no Internet connection.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: 900 million Android phones at risk
« Reply #9 on: August 09, 2016, 06:20:21 PM »

QuadRooter vulnerability: 5 things to know about this Android security scare

That article seems to suggest it is not a major crisis, on the argument that the Play Store would not approve a malicious App, and/or the App scanner would detect one.   I personally think that is rather naive... just as virus scanners have their uses, one should never actually depend upon them, none are 100% reliable.

The article also refers to this being 'Android security scare season'.   If the Authors feel that Android security scares have become such a regular, even a seasonal event, surely that aspect (the frequency of scares) should be the thrust of their story...?

One thing I'd like to understand... If I still had an Android phone, it would be my old Samsung PAYG.  Purchased SIM-free, and never registered with Samsung.    So if it was affected, who would notify me of the update and (hopefully) force-feed me the fix?
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: 900 million Android phones at risk
« Reply #10 on: August 09, 2016, 06:34:01 PM »

The main point which I take from that "Five things..." article is that this isn't an Android problem. The vulnerability is in the Qualcomm drivers, and if a different OS was installed on the same hardware, it would have the same problem. So I get a little irritated when people scream about "another Android security problem". Android phones using different hardware are of course not affected.
Logged
  Eric

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: 900 million Android phones at risk
« Reply #11 on: August 09, 2016, 06:47:28 PM »

It's an Android problem because the way Android is built and distributed does not allow end users themselves to fetch a patch direct from the source and install it; instead they are reliant on their carriers and/or manufacturers.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: 900 million Android phones at risk
« Reply #12 on: August 09, 2016, 06:51:43 PM »

I also noted it being said that it is a Qualcomm problem, not an Android one.   

Yet, while I can't pretend to be familiar with which chip does what on every phone, my understanding is that iPhones also used Qualcomm chips, at least until recently.  Nobody seems to be suggesting that iOS phones are vulnerable and if they were, I think it would have been mentioned by now... :-\
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: 900 million Android phones at risk
« Reply #13 on: August 09, 2016, 06:54:30 PM »

The difference is iPhone owners can get security updates from Apple, so if they were vulnerable it's only temporary.

Logged

NEXUS2345

  • Reg Member
  • ***
  • Posts: 235
Re: 900 million Android phones at risk
« Reply #14 on: August 09, 2016, 07:09:38 PM »

The argument that because Apple controls updates they are bound to fix it is only really relevant when you consider the iPhone 4S and above. Apple generally discontinue support for devices after about 4-5 generations, which is a long time, longer than most Android devices, but bugs from 25 years ago have been found in some software, so it is possible still that they may be vulnerable.
Logged